Oracle Tips by Burleson Consulting
Managing Oracle Roles
Administration of large numbers of objects can be
difficult. Oracle roles allow you to localize the administration of objects.
Oracle roles are
most helpful when large numbers of users will need the same system and object
privileges (which we discussed earlier in this chapter).
Think of an Oracle role like a database user that nobody uses.
You create the Oracle role using the create role command. You then grant the
Oracle role all
of the common privileges that users will require to do their work, like the
ability to select, insert, update and delete data from various tables.
Once the Oracle role is all setup, you only need grant the
to users and all the privileges will be transferred along with that grant.
Later, you can add additional privileges to the role if required.
You create an Oracle role with the create role command and then
grant the role to the user with the grant command as seen in this command:
SQL> Create role select_data_role;
SQL> Grant select on emp to select_data_role;
Grant select on dept to select_data_role;
SQL> Grant select on bonus to
You can then grant that Oracle role to other users as in this
case where we grant the select_data_role to the ROBERT user role. Once this is
done, ROBERT will be able to query the EMP, DEPT and BONUS tables in the SCOTT
SQL> GRANT select_data_role TO Robert;
Oracle roles have some limitations. In particular object
privileges are granted through Oracle roles can not be used when writing PL/SQL code.
When writing PL/SQL code, you must have direct grants to the objects in the
database that your code is accessing.
If you wish to revoke an Oracle role from a user, simply use the
revoke command as demonstrated earlier in this chapter:
SQL> REVOKE select_data_role FROM Robert;
Conclusions on Oracle roles
We?ve learned how to not only create a
user, but how to use Oracle roles to allow that user to perform different activities. Without users, a
database would certainly perform well, because it would not be able to actually
With privileges and
Oracle roles, we can be assured that no user has too much ability.
The main points of this chapter include:
* All Oracle objects (tables, indexes) are owned by
* By default, only the user who created a table may see
the rows. To allow other users to see rows, the user must grant access
* Oracle has system privileges that allow global access
* Oracle has object privileges that allow grants to
* Any privilege can be removed with the revoke command.
* To simplify security administration you can
encapsulate groups of grants into a single Oracle role.
This is an excerpt from the bestselling "Easy
Oracle Jumpstart" by Robert Freeman and Steve Karam (Oracle ACE and Oracle
Certified Master). It?s only $19.95 when you buy it directly from the
If you like Oracle tuning, you may enjoy the new book "Oracle
Tuning: The Definitive Reference", over 900 pages of BC's favorite tuning
tips & scripts.
You can buy it direct from the publisher for 30%-off and get instant access to
the code depot of Oracle tuning scripts.