"set role" command tips

Oracle Database Tips by Donald BurlesonMay 4, 2015

Question: I need to understand how to use the Oracle "set role" command and the dbms_session.set_role procedure. Can you give an example of the set role command and show hot set role is different from granting a role to a user?

Answer: The Oracle set role command and the equivalent dbms_session.set_role procedure are used to dynamically grant a role to a user. See setting roles for a user.

When a user is created, the default for active roles is set to ALL and a user who signs onto Oracle will have all privileges that have been assigned to them via the grant command. The default ALL means that all the roles granted to a user are active.

The DBA can change this default with an alter user command to revoke roles and a user can enable multiple roles at one time and use the set role command.

The set role command allows you to add or revoke roles at the session level, without effecting the existing roles that are granted to the user. The following are examples of the set role command:

set role all; -- The default, allow all role privileges that have been granted

set role none; -- For the session, revoke all role privileges

set role my_role identified by my_pass; - Activate a runtime role to the user session

—- Enables and disables named role for session
—- Same as SQL command:

SET ROLE DBMS_SESSION.SET_ROLE (role_cmd VARCHAR2);

The set role command will switch between roles or activate all roles with the command set role all. The set role all command will not work if any of the roles assigned to that user requires either a password or operating system authentication.

Users can look at the session_roles view to find the roles that are currently enabled for them. Users can look at session_privs view to see the privileges available to their session.

If you determine that all control of roles will be at the operating system level, you can set the database initialization parameter os_roles equal to TRUE. All roles must still be created first in the database.

Any grants you previously made using the database command line or Server Manager are still listed in the data dictionary, but they cannot be used and are not in effect.

NOTE: If the use of roles is determined at the operating system level, the multithreaded server option (MTS, shared servers) cannot be used.

Prior to Oracle 11.2.0.4, you can use the max_enabled_roles parameter (deprecated as of 11gr2) in the database initialization file to set the number of roles that you will allow any user to have enabled at one time.

Also see my related notes on the ORA-01924

Oracle Training from Don Burleson

The best on site "Oracle training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals. Feel free to ask questions on our Oracle forum.
Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.
Errata? Oracle technology is changing and we strive to update our BC Oracle support information. If you find an error or have a suggestion for improving our content, we would appreciate your feedback. Just e-mail:
and include the URL for the page.

Burleson Consulting

The Oracle of Database Support
Oracle Performance Tuning
Remote DBA Services

Copyright © 1996 - 2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational

��