Figure 23.13: Revoking an Object Privilege Cascades to Other Users to Whom the Revokee Granted the Same Object Privilege.
Note: PL/SQL code blocks may not recognize database access through
roles. Explicit object privileges may be required for PL/SQL. PL/SQL is
covered in Chapter 24.
23.3.1 Creating and Altering Roles
Figure 23.14 shows the syntax of the CREATE ROLE and ALTER ROLE
commands. Options are identical for both commands. Any user with the
CREATE ROLE system privilege can create a role. The SYSTEM user, of
course, has this privilege. The DBA often grants this privilege to users who
own tables, so that users can create roles associated with their tables and
grant those roles to other users.
A role that will contain sensitive privileges can be assigned a password.
Any user who wants to use that role must provide the password (except
when the role is one of the user's default roles). You will find out more
about default roles later. At this stage, all we will do is lay some groundwork
for later and create two roles. Substitute strings where appropriate.
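The following is an added example, not code from the book, showing how a password-protected role behaves when it is and is not one of a user's default roles. The role names, the APP_OWNER.ORDERS table, the user JSMITH and the password strings are all hypothetical placeholders.

```sql
-- Added example (Oracle SQL). All names and passwords are hypothetical.

-- Run as a user holding the CREATE ROLE system privilege.
CREATE ROLE app_read;                                       -- no password
CREATE ROLE app_admin IDENTIFIED BY "ReplaceMe_Placeholder1";

-- Object privileges are granted to the roles, not directly to users.
GRANT SELECT ON app_owner.orders TO app_read;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_admin;

-- Grant both roles to the user.
GRANT app_read, app_admin TO jsmith;

-- Keep the sensitive role out of the default set, so it is not enabled
-- at login and the password is required to switch it on.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT app_admin;

-- ALTER ROLE takes the same options as CREATE ROLE, e.g. to rotate
-- the role password:
ALTER ROLE app_admin IDENTIFIED BY "ReplaceMe_Placeholder2";

-- Check which roles require a password (needs access to DBA_ROLES).
SELECT role, password_required
  FROM dba_roles
 WHERE role IN ('APP_READ', 'APP_ADMIN');

-- In JSMITH's session: only APP_READ is enabled after login.
SELECT role FROM session_roles;

-- Enabling the protected role requires its password. SET ROLE replaces
-- the enabled set, so list every role the session should keep.
SET ROLE app_read, app_admin IDENTIFIED BY "ReplaceMe_Placeholder2";

SELECT role FROM session_roles;   -- now lists both roles
```

As the note above says, privileges received only through these roles may not be recognized inside PL/SQL code blocks, so a stored procedure touching APP_OWNER.ORDERS may need the object privilege granted explicitly.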
 