Week 7 Lecture 1 Database Roles


Page 1

Week 7 Lecture 1

Database Roles

Page 2

Learning Objectives

Discover when and why to use roles
Learn how to create, modify, and remove roles
Learn how to assign roles
Examine data dictionary views of roles
Assign roles and privileges using the Enterprise Management console

Page 3

Introduction to Roles

A role is a named collection of privileges that is assigned to users or even to another role.

Roles simplify database maintenance by giving you an easy way to assign a set of privileges to new users.

Page 4

How to Use Roles

Simplify security: grant privileges once to a role and then assign that role to multiple users.
Revise the privileges in a role and the change is automatically reflected for every user who has the role.

Page 5

Predefined Roles

CONNECT: Logs onto the database and performs limited activities within the user’s own schema, such as creating tables, views, synonyms, and database links.

DBA: Manages the database, including these tasks: creates users, profiles, and roles, and grants privileges; manages storage and security; starts up and shuts down the database.

DELETE_CATALOG_ROLE: Gives the user the ability to delete from tables owned by SYS. This role was added because the system privilege DELETE ANY TABLE specifically excludes deleting from tables owned by SYS.

EXECUTE_CATALOG_ROLE: Enables the user to execute any package supplied by Oracle that is owned by SYS. Most supplied packages are owned by SYS, and those most commonly used already allow users to execute them. If additional packages are needed, grant the user this role.

Page 6

More Predefined Roles

EXP_FULL_DATABASE: Exports the database using the EXPORT utility.

IMP_FULL_DATABASE: Imports the database using the IMPORT utility.

RESOURCE: Provides more extensive abilities to create objects, such as procedures, triggers, and object types, for users who need to create their own objects.

SELECT_CATALOG_ROLE: Allows the user to query any data dictionary view or table owned by SYS. This can give a user more access to certain data dictionary views, although usually a user can already access those he needs, because the most common data dictionary views are viewable by all users.

Page 7

Creating Roles

Roles are used to consolidate a group of system or object privileges. Syntax for creating a role:

CREATE ROLE <name>
NOT IDENTIFIED|IDENTIFIED BY <password>

Page 8

Creating Roles

NOT IDENTIFIED means that no additional authorization is required. This is the default, so omitting the clause is the same as including NOT IDENTIFIED.

The alternative option is IDENTIFIED BY <password>, which means that the user must provide the correct password to be able to use the privileges within that role.

Page 9

Granting Privileges to a Role

Granting privileges to a role is done in exactly the same way as granting privileges to a user.

Syntax for the GRANT command, used to grant privileges to a role:

GRANT <privilege> TO <role>;

You cannot add WITH ADMIN OPTION or WITH GRANT OPTION when granting a privilege to a role.

Page 10

Granting a Role to a User

To grant a role to a user, use the GRANT command again with the following syntax:

GRANT <role> TO <user>|<role>

WITH ADMIN OPTION;

Include the WITH ADMIN OPTION only when you want the user to be able to grant the role to other users.

If you grant a role to a second role with the WITH ADMIN OPTION, any user who is granted the second role is allowed to grant the first role to others.

Page 11

Modifying a Role

The only part of a role you can change is whether it uses a password. Syntax of the ALTER ROLE command:

ALTER ROLE <name>

NOT IDENTIFIED|IDENTIFIED BY <password>

When a role switches to requiring a password, users currently logged on who are granted the role are unaffected until they log off and back on again.

Page 12

Limiting Availability and Removing Roles

You can control when a role becomes enabled for a user.

Default roles: The role’s creator or the DBA can adjust the default roles for a user using the ALTER USER command. Default roles are automatically enabled when the user logs onto the database.

Enable roles: A user who has been granted a role can enable or disable it with the SET ROLE command.

Drop roles: The DBA can drop the role from the database entirely and thereby cancel the role for all users who had it.

Page 13

Limiting Availability and Removing Roles

Syntax for changing a user’s default roles:

ALTER USER <username> DEFAULT ROLE
<role>,...|ALL|ALL EXCEPT <role>,...|NONE

Page 14

Limiting Availability and Removing Roles

The DBA can issue the ALTER USER command to adjust the default roles for a user.

When a role is granted to a user, it is automatically added to that user’s list of default roles.

The only way to remove the role from the user’s default roles is by issuing the ALTER USER command.

To remove all the roles from the default list at once, use the NONE clause.

Page 15

Limiting Availability and Removing Roles

The user can issue the SET ROLE command to adjust the roles enabled in the current session.

The SET ROLE command has the following syntax:

SET ROLE
<role> IDENTIFIED BY <password>,...|ALL|ALL EXCEPT <role>,...|NONE

Page 16

Limiting Availability and Removing Roles

To enable roles with passwords, include the IDENTIFIED BY <password> clause.
Any role not listed is disabled.
Enable all roles by using ALL.
Disable all roles by using NONE.
The roles remain enabled or disabled until the user issues another SET ROLE command, or until the user logs off. When the user logs on again, his roles are reset to the default roles dictated by the DBA.

Page 17

Limiting Availability and Removing Roles

The user can issue the DROP ROLE command to revoke its privileges from all users and roles assigned it.

The DROP ROLE command has the following syntax:

DROP ROLE <role>;
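The CREATE ROLE, GRANT, ALTER USER ... DEFAULT ROLE, SET ROLE, ALTER ROLE and DROP ROLE commands from the preceding slides, put together in one Oracle SQL sequence as an added example that is not part of the lecture; the role names REPORT_READER and REPORT_ADMIN, the user JSMITH, the table HR.EMPLOYEES and the placeholder password are assumptions.

```sql
-- Added example (not from the lecture). Assumed names: REPORT_READER,
-- REPORT_ADMIN, JSMITH, HR.EMPLOYEES; placeholder_pw1 is a placeholder.
-- Steps 1-5, 7 and 8 run as a DBA-privileged account; step 6 runs as JSMITH.

-- 1. A role with no extra authorization (NOT IDENTIFIED is the default).
CREATE ROLE report_reader;

-- 2. Grant only what the role needs: one system privilege, one object privilege.
GRANT CREATE SESSION TO report_reader;
GRANT SELECT ON hr.employees TO report_reader;

-- 3. A password-protected role: usable only when the session supplies the password.
CREATE ROLE report_admin IDENTIFIED BY placeholder_pw1;
GRANT INSERT, UPDATE ON hr.employees TO report_admin;

-- 4. Grant the roles to a user. WITH ADMIN OPTION lets JSMITH pass REPORT_READER
--    on to other users, so it is given sparingly; REPORT_ADMIN is granted without it.
GRANT report_reader TO jsmith WITH ADMIN OPTION;
GRANT report_admin TO jsmith;

-- 5. Both roles became default roles when granted. Take the privileged one out of
--    the defaults so it is not silently enabled at every logon.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT report_admin;

-- 6. In JSMITH's own session: enable the privileged role only while it is needed,
--    then disable everything. The setting lasts until the next SET ROLE or logoff.
SET ROLE report_reader, report_admin IDENTIFIED BY placeholder_pw1;
SELECT role FROM session_roles;   -- lists REPORT_READER and REPORT_ADMIN
SET ROLE NONE;

-- 7. The only alterable property of a role is its password requirement. Sessions
--    that already have the role enabled are unaffected until they log off.
ALTER ROLE report_admin NOT IDENTIFIED;

-- 8. Dropping a role revokes it from every user and role that was granted it.
DROP ROLE report_admin;
```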

Page 18

Data Dictionary Information about Roles

ALL_TAB_PRIVS_MADE: All object privileges granted and by whom

DBA_ROLE_PRIVS: All roles and grantees, including users and roles

DBA_ROLES: All the roles in the database

DBA_SYS_PRIVS: All system privileges granted to users or roles

DBA_TAB_PRIVS: All object privileges granted to users or roles

Page 19

Data Dictionary Information about Roles

ROLE_ROLE_PRIVS: Roles granted to other roles that the current user can enable

ROLE_SYS_PRIVS: System privileges granted to roles that the current user can enable

ROLE_TAB_PRIVS: Object privileges granted to roles that the current user can enable

SESSION_ROLES: Roles currently enabled in your session
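Audit queries over the views listed on these two slides, as an added example that is not part of the lecture: they answer the questions a DBA reviewing role grants asks most often (who holds DBA, which grants carry the admin option, which roles nest inside others, and what a user can reach only through roles). They assume SELECT access to the DBA_* views and use the user name JSMITH as an assumption.

```sql
-- Added example (not from the lecture). Needs SELECT access to the DBA_* views,
-- e.g. via SELECT_CATALOG_ROLE. The user name JSMITH is an assumed value.

-- Who holds the DBA role, and who can pass it on (ADMIN_OPTION = 'YES')?
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Every role granted WITH ADMIN OPTION: each row is a grantee who can hand that
-- role to other users, which is why the slides say to include it sparingly.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, granted_role;

-- Roles granted to other roles. ROLE_ROLE_PRIVS shows only what the current user
-- can enable; filtering DBA_ROLE_PRIVS by DBA_ROLES shows all direct nestings.
SELECT grantee AS parent_role, granted_role AS child_role
  FROM dba_role_privs
 WHERE grantee IN (SELECT role FROM dba_roles)
 ORDER BY parent_role, child_role;

-- Object privileges JSMITH holds only through roles. USER_TAB_PRIVS would not list
-- these; DBA_TAB_PRIVS keyed by the role names does (direct role grants only).
SELECT rp.granted_role, tp.owner, tp.table_name, tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee = 'JSMITH'
 ORDER BY rp.granted_role, tp.owner, tp.table_name;

-- Roles without a password that carry a broad "ANY" system privilege: candidates
-- for an IDENTIFIED BY password or for removal from users' default roles.
SELECT r.role, r.password_required, sp.privilege
  FROM dba_roles r
  JOIN dba_sys_privs sp ON sp.grantee = r.role
 WHERE sp.privilege LIKE '%ANY%'
   AND r.password_required = 'NO'
 ORDER BY r.role, sp.privilege;
```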

Page 20

Roles in the Enterprise Manager Console

The Security Manager contains a Roles folder. If you select the Roles folder you will see a list of all the defined roles.

(Screenshot: Roles folder and role list)

Page 21

Roles in the Enterprise Manager Console

If you select a role, the property sheet for that role will be displayed. Selecting the System tab will allow you to see all system privileges granted to this role.

(Screenshot: System tab of the CONNECT role, showing its system privileges)

Page 22

Roles in the Enterprise Manager Console

Selecting the Object tab will allow you to see all object privileges granted to this role.

Available privileges are at the top, and granted privileges are at the bottom.

(Screenshot: Object tab of the SELALL role, showing available privileges and granted privileges)

Page 23

Roles in the Enterprise Manager Console

Clicking the up and down arrows grants and revokes privileges.

(Screenshot: available privileges on the WANT_AD object, the grant and revoke arrows, and granted privileges)

Page 24

Roles in the Enterprise Manager Console

Once you have used the arrow to select a privilege to grant or remove, you must execute it by pressing the Apply button. Privileges selected with the arrows but not yet applied are marked with an icon.

(Screenshot: a privilege to grant, the not-yet-applied icon, and the Apply button)

Page 25

Roles in the Enterprise Manager Console

Right-click a role in the Security Manager and a popup will appear. Select Show Grantees to display a window of all users granted this role.

(Screenshot: user list of users granted this role, with the Admin Option column)

Page 26

Lecture Summary

Roles simplify security administration.
Roles can be granted other roles, system privileges, and object privileges.
Predefined roles help speed up administration by providing basic groupings of roles.
Roles with passwords add security to the roles.
You can grant system privileges and object privileges to a role, but you cannot use the WITH ADMIN OPTION or WITH GRANT OPTION clauses.

Page 27

Lecture Summary

You can grant a role to a role and optionally include the WITH ADMIN OPTION clause.
Create a role with the CREATE ROLE command.
Change a role with the ALTER ROLE command.
Grant privileges to a role with the GRANT command.
USER_TAB_PRIVS does not list privileges granted to the user’s roles. DBA_TAB_PRIVS includes privileges granted to roles.

Page 28

Lecture Summary

Use the ROLE_ROLE_PRIVS view to find roles granted to other roles.
After a user has been granted a role, subsequent grants to the role are effective immediately for the user.
Default roles are roles enabled when you log on.
Use ALTER USER to change the default roles for a user.
Use SET ROLE to enable or disable roles in your current session.

Page 29

Lecture Summary

Use DROP ROLE to drop a role.
Dropped roles are automatically revoked from users and other roles.
DBA_TAB_PRIVS lists all object privileges granted to users and roles.
The console displays roles and privileges within the Security Manager.