lower positions in the hierarchy. A user can be authorized to play several roles. Each role can be, at a given time, either enabled or disabled. The initialization parameter MAX_ENABLED_ROLES specifies the maximum number of roles a user can enable. With each role, a password can be associated to prevent unauthorized use of the privileges granted to the role. A set of predefined roles is provided, which can be modified like any other role in an Oracle DB. When a subject creates a role, the role is automatically granted to the creator with the admin option, which allows the subject to grant or revoke the role to or from any subject, with or without the admin option, and to alter or drop the role. Oracle also supports the special group PUBLIC, accessible to every subject. Privileges and roles can be assigned to PUBLIC to be accessible by everyone.
The privileges of an Oracle DB can be divided into two categories: system privileges and object privileges. System privileges allow subjects to perform a particular systemwide action or an action on a particular type of object. More than 60 distinct system privileges are provided. Examples of system privileges are the privilege to delete the tuples of any table in a DB or to create a cluster. Because system privileges are powerful, they are usually available only to DBAs or application developers. Like roles, system privileges can also be granted with the admin option. If a subject has a system privilege with the admin option, it can grant that privilege to, or revoke it from, other subjects. Any subject with the admin option for a system privilege or a role can revoke the privilege or the role from any other subject; the subject does not have to be the one that originally granted the privilege or role. When a system privilege is revoked, there may be cascading effects, depending on the type of system privilege. If the revoked system privilege is related to a DDL operation, no cascading effects take place. By contrast, the revocation of a system privilege related to a DML operation does cause cascading effects.
Object privileges allow subjects to perform a particular action on a particular object in the DB. The privilege to delete or insert tuples in a particular table is an example of an object privilege. When a subject creates an object in its schema, it automatically receives all the object privileges on the created object as well as the right to grant those privileges to other subjects. If the grant includes the grant option, the subject receiving the privilege can further grant the privilege to other subjects. Privileges granted to a role cannot be granted with the grant option. Object privileges can be revoked only by the subjects that have granted them. Revocation of an object privilege is recursive.
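The role, admin-option, grant-option and revocation rules above, shown as Oracle SQL in an added example that is not part of the original text. The users alice and bob, the role hr_clerk, the table hr.employees and the role password are assumed for illustration; the queries at the end use Oracle's standard DBA_* data-dictionary views to review who holds re-grant rights.

```sql
-- Added example: Oracle role/privilege mechanics (assumed names: alice, bob,
-- hr_clerk, hr.employees; the role password is a placeholder).

-- Run as a DBA. The creator automatically receives hr_clerk WITH ADMIN OPTION.
-- The IDENTIFIED BY clause password-protects the role against unauthorized enabling.
CREATE ROLE hr_clerk IDENTIFIED BY "<placeholder-role-password>";

-- Object privileges granted TO A ROLE cannot carry WITH GRANT OPTION,
-- so the grant to the role must omit it (Oracle rejects it with ORA-01926).
GRANT SELECT, INSERT ON hr.employees TO hr_clerk;

-- System privilege with the admin option: alice may re-grant it to, or revoke
-- it from, any subject, even grants she did not make herself.
GRANT CREATE CLUSTER TO alice WITH ADMIN OPTION;

-- Role granted with the admin option: alice may grant/revoke hr_clerk and alter/drop it.
GRANT hr_clerk TO alice WITH ADMIN OPTION;

-- Object privilege granted to a USER with the grant option: alice may pass SELECT on.
GRANT SELECT ON hr.employees TO alice WITH GRANT OPTION;

-- Connected as alice: re-grant the object privilege she received to bob.
GRANT SELECT ON hr.employees TO bob;

-- Connected as alice: roles are enabled per session; a password-protected role
-- needs its password, and MAX_ENABLED_ROLES bounds how many can be enabled at once.
SET ROLE hr_clerk IDENTIFIED BY "<placeholder-role-password>";

-- Revocation, run as the DBA who made the original grant (only the grantor
-- may revoke an object privilege). Because object-privilege revocation is
-- recursive, bob's SELECT, which depends on alice's grant, disappears as well.
REVOKE SELECT ON hr.employees FROM alice;

-- Revoking a DDL-related system privilege has no cascading effect: clusters
-- alice already created remain. (Revoking a DML-related one would cascade.)
REVOKE CREATE CLUSTER FROM alice;

-- Review checks: who can re-grant roles, system privileges or object privileges?
-- These holders can widen access, so they deserve periodic review.
SELECT grantee, granted_role FROM dba_role_privs WHERE admin_option = 'YES';
SELECT grantee, privilege    FROM dba_sys_privs  WHERE admin_option = 'YES';
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs WHERE grantable = 'YES';
```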