The PDB admin user is a special kind of local user. It is created as part of the clone from the seed database and is
automatically granted the PDB_DBA role. As you will see in the next section, the privileges granted to the role differ
between PDBs, although PDB_DBA itself is a common role.
SYS@CDB$ROOT> select common from dba_roles where role = 'PDB_DBA';
COM
---
YES
By default, and in the absence of any dedicated grants, the admin user has only a few privileges. Suppose, for example,
that you created the PDB as follows:
SYS@CDB$ROOT> create pluggable database pdb1
2 admin user pdbadmin identified by secretPassword;
Pluggable Database created.
The role allows the admin user to connect to the database and perform some administration tasks. Its power is
limited by default; if you need more, use the “roles” clause when creating the PDB to ensure that the
admin user really deserves the name. Examples of how to use the roles clause were provided earlier in this
chapter. Please refer back to the section “Create a PDB from the seed database” for more information and examples.
Local users cannot by definition create common roles: they would have to connect to CDB$ROOT to do so, which
they simply cannot. However, a local user can grant a common role such as connect to another local or common user
if the user has the right privileges to do so.
Common roles
Similar to users, roles can be common or local. When you are connected to the root container and create a role, it
is automatically assumed that the role is a common role. Even if you tried to create a local role in CDB$ROOT, you
cannot: Oracle prevents you from doing so, with exactly the same ORA-65049 error message as if you tried to create a
local user. Just like common user names, a common role name must begin with C##.
Many Oracle-supplied roles are common roles, which makes it easy to create common users with a common
set of privileges. It also allows you to manage roles centrally in one place. When granting a role to a role or user, it is
important to pay attention to the container you are granting the role in. For example, you can grant a common role
to a user or role in a PDB, and this grant is valid in that container only. Consider this example. First, a common user
“C##GUSER” is created in the root container, without any privileges.
SYS@CDB$ROOT> create user c##guser identified by secret;
User created.
Next, the SYS user that was used to create C##GUSER in the first place switches the session context to a different
container, a PDB named PDB1, and grants the (common) connect role to the new account:
SYS@CDB$ROOT> alter session set container=pdb1;
Session altered.
SYS@CDB$ROOT> @$HOME/login
SYS@PDB1> grant connect to c##guser;
Grant succeeded.
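The following queries are an added example, not part of the original text. They show one way to audit, from CDB$ROOT, where the C##GUSER account from the example holds roles and how the privileges behind PDB_DBA differ per container. They assume a session connected as SYS to the root container and rely on the standard CDB_ROLE_PRIVS, CDB_SYS_PRIVS and V$CONTAINERS views.

```sql
-- Added example: run as SYS while connected to CDB$ROOT.
-- Assumes the C##GUSER account and the PDB1 container used in the text.
-- CDB_ views only return rows for containers that are open.

-- 1. Role grants held by the common user, per container.
--    COMMON = 'NO'  : the grant was made locally in that one container.
--    COMMON = 'YES' : the grant was made commonly (CONTAINER=ALL).
select c.name as container,
       p.grantee,
       p.granted_role,
       p.common,
       p.admin_option
from   cdb_role_privs p
       join v$containers c on c.con_id = p.con_id
where  p.grantee = 'C##GUSER'
order  by c.con_id, p.granted_role;

-- 2. Open containers in which the common user holds no role at all.
--    The account exists there but has nothing granted to it.
select c.name as container
from   v$containers c
where  c.open_mode like 'READ%'
and    c.name <> 'PDB$SEED'
and    not exists (select 1
                   from   cdb_role_privs p
                   where  p.con_id  = c.con_id
                   and    p.grantee = 'C##GUSER')
order  by c.con_id;

-- 3. System privileges granted to the PDB_DBA role in each container.
--    The role is common, but its privileges can differ between PDBs,
--    so review them per container rather than once for the whole CDB.
select c.name as container,
       s.privilege,
       s.common,
       s.admin_option
from   cdb_sys_privs s
       join v$containers c on c.con_id = s.con_id
where  s.grantee = 'PDB_DBA'
order  by c.con_id, s.privilege;
```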
 