Managing Oracle Roles

Administration of large numbers of objects can be difficult. Oracle roles allow you to localize the administration of objects. Oracle roles are most helpful when large numbers of users will need the same system and object privileges (which we discussed earlier in this chapter).

Think of an Oracle role like a database user that nobody uses. You create the Oracle role using the create role command. You then grant the Oracle role all of the common privileges that users will require to do their work, like the ability to select, insert, update and delete data from various tables.

Once the Oracle role is all setup, you only need grant the Oracle role to users and all the privileges will be transferred along with that grant. Later, you can add additional privileges to the role if required.

You create an Oracle role with the create role command and then grant the role to the user with the grant command as seen in this command:

SQL> Create role select_data_role;

SQL> Grant select on emp to select_data_role;

SQL> Grant select on dept to select_data_role;

SQL> Grant select on bonus to select_data_role;

You can then grant that Oracle role to other users as in this case where we grant the select_data_role to the ROBERT user role. Once this is done, ROBERT will be able to query the EMP, DEPT and BONUS tables in the SCOTT schema:

SQL> GRANT select_data_role TO Robert;

Oracle roles have some limitations. In particular object privileges are granted through Oracle roles can not be used when writing PL/SQL code. When writing PL/SQL code, you must have direct grants to the objects in the database that your code is accessing.

If you wish to revoke an Oracle role from a user, simply use the revoke command as demonstrated earlier in this chapter:

SQL> REVOKE select_data_role FROM Robert;

Conclusions on Oracle roles

We?ve learned how to not only create a user, but how to use Oracle roles to allow that user to perform different activities. Without users, a database would certainly perform well, because it would not be able to actually do anything.

With privileges and Oracle roles, we can be assured that no user has too much ability.

The main points of this chapter include:

* All Oracle objects (tables, indexes) are owned by users.

* By default, only the user who created a table may see the rows. To allow other users to see rows, the user must grant access privileges.

* Oracle has system privileges that allow global access rights.

* Oracle has object privileges that allow grants to specific tables.

* Any privilege can be removed with the revoke command.

* To simplify security administration you can encapsulate groups of grants into a single Oracle role.

This is an excerpt from the bestselling "Easy Oracle Jumpstart" by Robert Freeman and Steve Karam (Oracle ACE and Oracle Certified Master). It?s only $19.95 when you buy it directly from the publisher here.

If you like Oracle tuning, you may enjoy the new book "Oracle Tuning: The Definitive Reference", over 900 pages of BC's favorite tuning tips & scripts.

You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.

��