Oracle / PLSQL: RolesThis Oracle tutorial explains how to create roles, grant/revoke privileges to roles, enable/disable roles, set roles as the default, and drop roles in Oracle with syntax and examples. DescriptionA role is a set or group of privileges that can be granted to users or another role. This is a great way for database administrators to save time and effort. Create RoleYou may wish to create a role so that you can logically group the users' permissions. Please note that to create a role, you must have CREATE ROLE system privileges. SyntaxThe syntax for creating a role in Oracle is: CREATE ROLE role_name [ NOT IDENTIFIED | IDENTIFIED {BY password | USING [schema.] package | EXTERNALLY | GLOBALLY } ;role_nameThe name of the new role that you are creating. This is how you will refer to the grouping of privileges. NOT IDENTIFIEDIt means that the role is immediately enabled. No password is required to enable the role.IDENTIFIEDIt means that a user must be authorized by a specified method before the role is enabled.BY passwordIt means that a user must supply a password to enable the role.USING packageIt means that you are creating an application role - a role that is enabled only by applications using an authorized package.EXTERNALLY It means that a user must be authorized by an external service to enable the role. An external service can be an operating system or third-party service.GLOBALLYIt means that a user must be authorized by the enterprise directory service to enable the role. Note
ExampleLet's look at an example of how to create a role in Oracle. For example: CREATE ROLE test_role; This first example creates a role called test_role. CREATE ROLE test_role IDENTIFIED BY test123; This second example creates the same role called test_role, but now it is password protected with the password of test123. Grant TABLE Privileges to RoleOnce you have created the role in Oracle, your next step is to grant privileges to that role. Just as you granted privileges to users, you can grant privileges to a role. Let's start with granting table privileges to a role. Table privileges can be any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL. SyntaxThe syntax for granting table privileges to a role in Oracle is: GRANT privileges ON object TO role_nameprivileges The privileges to assign to the role. It can be any of the following values:
ExampleLet's look at some examples of how to grant table privileges to a role in Oracle. For example, if you wanted to grant SELECT, INSERT, UPDATE, and DELETE privileges on a table called suppliers to a role named test_role, you would run the following GRANT statement: GRANT select, insert, update, delete ON suppliers TO test_role; You can also use the ALL keyword to indicate that you wish all permissions to be granted. For example: GRANT all ON suppliers TO test_role; Revoke Table Privileges from RoleOnce you have granted table privileges to a role, you may need to revoke some or all of these privileges. To do this, you can execute a revoke command. You can revoke any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL. SyntaxThe syntax for revoking table privileges from a role in Oracle is: REVOKE privileges ON object FROM role_name;privileges The privileges to revoke from the role. It can be any of the following values:
ExampleLet's look at some examples of how to revoke table privileges from a role in Oracle. For example, if you wanted to revoke DELETE privileges on a table called suppliers from a role named test_role, you would run the following REVOKE statement: REVOKE delete ON suppliers FROM test_role; If you wanted to revoke ALL privileges on the table called suppliers from a role named test_role, you could use the ALL keyword. For example: REVOKE all ON suppliers FROM test_role; Grant Function/Procedure Privileges to RoleWhen dealing with functions and procedures, you can grant a role the ability to EXECUTE these functions and procedures. SyntaxThe syntax for granting EXECUTE privileges on a function/procedure to a role in Oracle is: GRANT EXECUTE ON object TO role_name;EXECUTEThe ability to compile the function/procedure and the ability to execute the function/procedure directly.objectThe name of the database object that you are granting privileges for. In the case of granting EXECUTE privileges on a function or procedure, this would be the function name or the procedure name.role_nameThe name of the role that will be granted the EXECUTE privileges. ExampleLet's look at an example of how to grant EXECUTE privileges on a function or procedure to a role in Oracle. For example, if you had a function called Find_Value and you wanted to grant EXECUTE access to the role named test_role, you would run the following GRANT statement: GRANT execute ON Find_Value TO test_role; Revoke Function/Procedure Privileges from RoleOnce you have granted EXECUTE privileges on a function or procedure to a role, you may need to revoke these privileges from that role. To do this, you can execute a REVOKE command. SyntaxThe syntax for the revoking privileges on a function or procedure from a role in Oracle is: REVOKE execute ON object FROM role_name;EXECUTERevoking the ability to compile the function/procedure and the ability to execute the function/procedure directly.objectThe name of the database object that you are revoking privileges for. In the case of revoking EXECUTE privileges on a function or procedure, this would be the function name or the procedure name.role_nameThe name of the role that will have the EXECUTE privileges revoked. ExampleLet's look at an example of how to grant EXECUTE privileges on a function or procedure to a role in Oracle. If you wanted to revoke EXECUTE privileges on a function called Find_Value from a role named test_role, you would run the following REVOKE statement: REVOKE execute ON Find_Value FROM test_role; Grant Role to UserNow, that you've created the role and assigned the privileges to the role, you'll need to grant the role to specific users. SyntaxThe syntax to grant a role to a user in Oracle is: GRANT role_name TO user_name;role_nameThe name of the role that you wish to grant.user_nameThe name of the user that will be granted the role. ExampleLet's look at an example of how to grant a role to a user in Oracle: GRANT test_role TO smithj; This example would grant the role called test_role to the user named smithj. Enable/Disable Role (Set Role Statement)To enable or disable a role for a current session, you can use the SET ROLE statement. When a user logs into Oracle, all default roles are enabled, but non-default roles must be enabled with the SET ROLE statement. SyntaxThe syntax for the SET ROLE statement in Oracle is: SET ROLE ( role_name [ IDENTIFIED BY password ] | ALL [EXCEPT role1, role2, ... ] | NONE );role_nameThe name of the role that you wish to enable.IDENTIFIED BY passwordThe password for the role to enable it. If the role does not have a password, this phrase can be omitted.ALLIt means that all roles should be enabled for this current session, except those listed in EXCEPT.NONEDisables all roles for the current session (including all default roles). ExampleLet's look at an example of how to enable a role in Oracle. For example: SET ROLE test_role IDENTIFIED BY test123; This example would enable the role called test_role with a password of test123. Set role as DEFAULT RoleA default role means that the role is always enabled for the current session at logon. It is not necessary to issue the SET ROLE statement. To set a role as a DEFAULT ROLE, you need to issue the ALTER USER statement. SyntaxThe syntax for setting a role as a DEFAULT ROLE in Oracle is: ALTER USER user_name DEFAULT ROLE ( role_name | ALL [EXCEPT role1, role2, ... ] | NONE );user_nameThe name of the user whose role you are setting as DEFAULT.role_nameThe name of the role that you wish to set as DEFAULT.ALLIt means that all roles should be enabled as DEFAULT, except those listed in EXCEPT.NONEDisables all roles as DEFAULT. ExampleLet's look at an example of how to set a role as a DEFAULT ROLE in Oracle. For example: ALTER USER smithj DEFAULT ROLE test_role; This example would set the role called test_role as a DEFAULT role for the user named smithj. ALTER USER smithj DEFAULT ROLE ALL; This example would set all roles assigned to smithj as DEFAULT. ALTER USER smithj DEFAULT ROLE ALL EXCEPT test_role; This example would set all roles assigned to smithj as DEFAULT, except for the role called test_role. Drop RoleOnce a role has been created in Oracle, you might at some point need to drop the role. SyntaxThe syntax to drop a role in Oracle is: DROP ROLE role_name;role_nameThe name of the role that is to be dropped. ExampleLet's look at an example of how to drop a role in Oracle. For example: DROP ROLE test_role; This DROP statement would drop the role called test_role that we defined earlier. Which of the following system privileges should you have to create or replace function in your own schema?You must have the CREATE TYPE system privilege to create a type in your schema or the CREATE ANY TYPE system privilege to create a type in the schema of another user. These privileges can be acquired explicitly or through a role.
Which system privileges are related to functions?A system privilege is the right to perform a particular action or to perform an action on any object of a particular type. Objects include tables, views, materialized views, synonyms, indexes, sequences, cache groups, replication schemes and PL/SQL functions, procedures and packages.
Which of the following privileges would a user use to make changes to database data?Any user with the Connect privilege can perform the following operations: Connect to the database with the CONNECT statement or another connection statement. Execute SELECT, INSERT, UPDATE, and DELETE statements, provided the user has the necessary table-level privileges.
Which is the privilege used for changing and modifications in roles?A user with the EXECUTE object privilege for a package can execute any (public) procedure or function in the package and access or modify the value of any (public) package variable. Specific EXECUTE privileges cannot be granted for a package's constructs.
|