Oracle Concepts -
Oracle Tips by Burleson Consulting
When a user is created, the default for active
roles is set to ALL. The default ALL means that all the roles granted
to a user are active. The DBA can change the default with an ALTER
USER command. A user can enable multiple roles at one time and use the
SET ROLE command to switch between roles or activate all roles with
the command SET ROLE ALL. The SET ROLE ALL command will not work if
any of the roles assigned to that user requires either a password or
operating system authentication. The command line syntax for setting
roles is shown in Figure 13.
Figure 7.13 Syntax for setting roles.
Users can look at the SESSION_ROLES view to
find the roles that are currently enabled for them. Users can look at
SESSION_PRIVS view to see the privileges available to their session.
If you determine that all control of roles
will be at the operating system level, you can set the database
initialization parameter OS_ROLES equal to TRUE. All roles must still
be created first in the database. Any grants you previously made using
the database command line or Server Manager are still listed in the
data dictionary, but they cannot be used and are not in effect. If the
use of roles is determined at the operating system level, the
multithreaded server option cannot be used.
You can use the MAX_ENABLED_ROLES parameter in
the database initialization file to set the number of roles that you
will allow any user to have enabled at one time.
If you intend for administration level users
to use OS authentication create the following two roles when you
install the Oracle executables:
Oracle creates the following three roles when
you create the database:
When you execute the sql.bsq script, the
following two roles are created:
When recovery manager is created, the
following five roles are created:
FINALLY, WITH THE ADDITION OF THE ADVANCED
QUEUING OPTION, THE FOLLOWING TWO ROLES ARE CREATED
In the following section, Iíll explain these
special roles and how they are used for database maintenance.
OSOPER And OSDBA
The OSOPER and OSDBA roles are created at the
operating system level when Oracle is installed. They cannot be
granted. The OSOPER and OSDBA roles are needed to perform database
operations when the database is not mounted and therefore the data
dictionary is not accessible. It is the OSOPER and OSDBA roles that
are used when you use CONNECT INTERNAL to connect to the database
using Server Manager.
The OSOPER role can perform the following
database management commands:
* ALTER DATABASE OPEN/MOUNT
* ALTER DATABASE BACKUP CONTROLFILE
* ALTER TABLESPACE BEGIN/END BACKUP
* ARCHIVE LOG
The OSDBA role has the OSOPER role.
In addition, the OSDBA role has the WITH ADMIN OPTION to allow it to
grant system privileges to other users. This is the role that is
used to create the database and for time-based recovery processes.
Both the OSOPER and OSDBA roles include the RESTRICTED SESSION system
If you intend to allow remote users to connect
internal, you need to set the REMOTE_LOGIN_PASSWORDFILE option in your
database parameter file to either EXCLUSIVE or SHARED. The user
will then connect in server manager with the AS SYSDBA or
AS SYSOPER clause at the end of the CONNECT command (CONNECT SYS AS
SYSDBA). The privileges assigned to SYSDBA correspond to those
for OSDBA. The privileges assigned to SYSOPER correspond to
OSOPER. The operating system verifies the password provided
using an external operating system file. This external file is
generated using the ORAPWD utility. When the password for the
INTERNAL or SYS accounts are changed with the ALTER USER command, the
changes are mapped to the operating system password file.
CONNECT, RESOURCE, And DBA Roles
The CONNECT, RESOURCE, and DBA roles are
predefined roles that are available for backward compatibility. These
are created by Oracle when the database is created. When you create a
user with Oracle Enterprise Manager, the CONNECT role is automatically
granted to that user.
The following system privileges are granted to
the CONNECT role:
* ALTER SESSION
* CREATE CLUSTER
* CREATE DATABASE LINK
* CREATE SEQUENCE
* CREATE SESSION
* CREATE SYNONYM
* CREATE TABLE
* CREATE VIEW
When you grant a user the RESOURCE role, that
user is granted the UNLIMITED TABLESPACE system privilege as well. The
following system privileges are granted to the RESOURCE role:
* CREATE CLUSTER
* CREATE PROCEDURE
* CREATE SEQUENCE
* CREATE TABLE
* CREATE TRIGGER
* CREATE TYPE
The DBA role includes all system privileges
(95 separate grants), the capability to grant those system privileges
to others, and UNLIMITED TABLESPACE is granted in the same way as with
the RESOURCE role. If the EXP_FULL_DATABASE and IMP_FULL_DATABASE
roles have been created, they are granted implicitly with the DBA role
as are the DELETE, EXECUTE and SELECT_CATALOG_ROLE roles.
You can grant additional privileges to or
revoke privileges from the CONNECT, RESOURCE, and DBA roles just as
you would any other role that you created.
This is an excerpt from
the eBook "Oracle
DBA made Simple".
For more details on Oracle
database administration, see the "Easy
Oracle Jumpstart" by Robert Freeman and Steve Karam. Itís
only $19.95 when you buy it directly from the publisher