Managing Privileges and Roles

Typically, end users are granted object privileges. An object privilege allows a user to perform a particular action on a specific table, view, sequence, procedure, function, or package. Depending on the type of object, there are different types of object privileges. Table 13 - 1 summarizes the object privileges available for each type of object.

Object Privilege	Table	View	Sequence	Procedure (1))
ALTER	_/		_/
DELETE	_/	_/
EXECUTE				_/
INDEX	_/ (2)
INSERT	_/	_/
REFERENCES	_/ (2)
SELECT	_/	_/ (3)	_/
UPDATE	_/	_/

Table 13 - 1. Object Privileges

1 "Procedure" refers to standalone stored procedures, functions, and public package constructs.
2 Privilege cannot be granted to a role.
3 Can also be granted for snapshots.

Table 13 - 2 lists the SQL statements permitted by the object privileges listed in Table 13 - 1.

As you implement and test your application, you should create each of these roles and test the usage scenario for each role to be certain that the users of your application will have proper access to the database. After completing your tests, you should coordinate with the administrator of the application to ensure that each user is assigned the proper roles.

Object Privilege	SQL Statements Permitted
ALTER	ALTER object (table or sequence) CREATE TRIGGER ON object (tables only)
DELETE	DELETE FROM object (table or view
EXECUTE	EXECUTE object (procedure or function) References to public package variables
INDEX	CREATE INDEX ON object (table or view)
INSERT	INSERT INTO object (table or view)
REFERENCES	CREATE or ALTER TABLE statement defining a FOREIGN KEY integrity constraint on object (tables only)
SELECT	SELECT...FROM object (table, view, or snapshot) SQL statements using a sequence

Table 13 - 2. SQL Statements Permitted by Database Object Privileges

Creating a Role

CREATE ROLE clerk IDENTIFIED BY bicentennial;

If you are granted a role protected by a password, you can enable or disable the role only by supplying the proper password for the role using a SET ROLE command (see for more information). Alternatively, roles can be created so that role use is authorized using information from the operating system. For more information about use of the operating system for role authorization, see the Oracle7 Server Administrator's Guide.

If a role is created without any protection, the role can be enabled or disabled by any grantee.

Database applications usually use the role authorization feature to specifically enable an application role and disable all other roles of a user. This way, the user cannot use privileges (from a role) intended for another application. With ad hoc query tools (such as SQL*Plus or Server Manager), users can explicitly enable only the roles for which they are authorized (that is, they know the password or are authorized by the operating system). See for more information.

When you create a new role, the name that you use must be unique among existing usernames and role names of the database. Roles are not contained in the schema of any user.

Immediately after creation, a role has no privileges associated with it. To associate privileges with a new role, you must grant privileges or other roles to the newly created role.

Privileges Required to Create Roles

Enabling and Disabling Roles

When to Enable Roles

Privileges granted directly to a user are always available to the user; therefore, directly granted privileges cannot be selectively enabled and disabled depending on a user's current task. Alternatively, privileges granted to a role can be selectively made available for any user granted the role. The enabling of roles never affects privileges explicitly granted to a user. The following sections explain how a user's roles can be selectively enabled (and disabled).

Default Roles

Each user has a list of zero, or one or more default roles. Any role directly granted to a user can potentially be a default role of the user; an indirectly granted role (a role that is granted to a role) cannot be a default role; only directly granted roles can be default roles of a user.

The number of default roles for a user should not exceed the maximum number of enabled roles that are allowed per user (as specified by the initialization parameter MAX_ENABLED_ROLES); if the number of default roles for a user exceeds this maximum, errors are returned when the user attempts a connection, and the user's connection is not allowed.

Note: A default role is automatically enabled for a user when the user creates a session. Placing a role in a user's list of default roles bypasses authentication for the role, whether it is authorized using a password or the operating system.

A user's list of default roles can be set and altered using the SQL command ALTER USER. If the user's list of default roles is specified as ALL, every role granted to a user is automatically added to the user's list of default roles. Only subsequent modification of a user's default role list can remove newly granted roles from a user's list of default roles.

Modifications to a user's default role list only apply to sessions created after the alteration or role grant; neither method applies to a session in progress at the time of the user alteration or role grant.

Explicitly Enabling Roles

When you enable a role that contains other roles, all the indirectly granted roles are specifically enabled. Each indirectly granted role can be explicitly enabled or disabled for a user.

If a role is protected by a password, the role can only be enabled by indicating the role's password in the SET ROLE statement. If the role is not protected by a password, the role can be enabled with a simple SET ROLE statement. For example, assume that Morris' security domain is as follows:

• He is granted three roles: PAYROLL_CLERK (password BICENTENNIAL), ACCTS_PAY (password GARFIELD), and ACCTS_REC (identified externally). The PAYROLL_CLERK role includes the indirectly granted role PAYROLL_REPORT (identified externally).

• His only default role is PAYROLL_CLERK.

SET ROLE accts_pay IDENTIFIED BY garfield, accts_rec;

Notice in the first statement that multiple roles can be enabled in a single SET ROLE statement. The ALL and ALL EXCEPT options of the SET ROLE command also allow several roles granted directly to the user to be enabled in one statement:

SET ROLE ALL EXCEPT payroll_clerk;

This statement shows the use of the ALL EXCEPT option of the SET ROLE command. Use this option when you want to enable most of a user's roles and only disable one or more. Similarly, all of Morris' roles can be enabled by the following statement:

SET ROLE ALL;

When using the ALL or ALL EXCEPT options of the SET ROLE command, all roles to be enabled either must not require a password, or must be authenticated using the operating system. If a role requires a password, the SET ROLE ALL or ALL EXCEPT statement is rolled back and an error is returned.

A user can also explicitly enable any indirectly granted roles granted to him or her via an explicit grant of another role. For example, Morris can issue the following statement:

SET ROLE payroll_report;

Privileges Required to Explicitly Enable Roles Any user can use the SET ROLE command to enable any granted roles, provided the grantee supplies role passwords, when necessary.

Enabling and Disabling Roles When OS_ROLES=TRUE

When OS_ROLES is set to TRUE, a user can enable as many roles as specified by the initialization parameter MAX_ENABLED_ROLES. For more information about use of the operating system for role authorization, see the Oracle7 Server Administrator's Guide.

Dropping Roles

Because the creation of objects is not dependent upon the privileges received via a role, no cascading effects regarding objects need to be considered when dropping a role (for example, tables or other objects are not dropped when a role is dropped).

Drop a role using the SQL command DROP ROLE, as shown in the following example.

DROP ROLE clerk;

Privileges Required to Drop Roles

Granting and Revoking Privileges and Roles

Granting System Privileges and Roles

GRANT create session, accts_pay
   TO jward, finance;

Object privileges cannot be granted along with system privileges and roles in the same GRANT statement.

The ADMIN OPTION A system privilege or role can be granted with the ADMIN OPTION. (This option is not valid when granting a role to another role.) A grantee with this option has several expanded capabilities:

• The grantee can grant or revoke the system privilege or role to or from any user or other role in the database. (A user cannot revoke a role from himself.)

• The grantee can further grant the system privilege or role with the ADMIN OPTION.

• The grantee of a role can alter or drop the role.

When a user creates a role, the role is automatically granted to the creator with the ADMIN OPTION.

Assume that you grant the NEW_DBA role to MICHAEL with the following statement:

GRANT new_dba TO michael WITH ADMIN OPTION;

The user MICHAEL cannot only use all of the privileges implicit in the NEW_DBA role, but can grant, revoke, or drop the NEW_DBA role as necessary.

Privileges Required to Grant System Privileges or Roles To grant a system privilege or role, the grantor requires the ADMIN OPTION for all system privileges and roles being granted. Additionally, any user with the GRANT ANY ROLE system privilege can grant any role in a database.

Granting Object Privileges

GRANT select, insert, delete ON emp TO jward, tsmith;

To grant the INSERT object privilege for only the ENAME and JOB columns of the EMP table to the users JWARD and TSMITH, enter the following statement:

GRANT insert(ename, job) ON emp TO jward, tsmith;

To grant all object privileges on the SALARY view to the user WALLEN, use the ALL short cut, as in

GRANT ALL ON salary TO wallen;

System privileges and roles cannot be granted along with object privileges in the same GRANT statement.

The GRANT OPTION An object privilege can be granted to a user with the GRANT OPTION. This special privilege allows the grantee several expanded privileges:

• The grantee can grant the object privilege to any user or any role in the database.

• The grantee can also grant the object privilege to other users, with or without the GRANT OPTION.

• If the grantee receives object privileges for a table with the GRANT OPTION and the grantee has the CREATE VIEW or the CREATE ANY VIEW system privilege, the grantee can create views on the table and grant the corresponding privileges on the view to any user or role in the database.

Specifically note that the GRANT OPTION is not valid when granting an object privilege to a role. Oracle prevents the propagation of object privileges via roles so that grantees of a role cannot propagate object privileges received via roles.

Privileges Required to Grant Object Privileges To grant an object privilege, the grantor must either

• be the owner of the object being specified, or

• have been granted the object privileges being granted with the GRANT OPTION

Revoking System Privileges and Roles

REVOKE create table, accts_rec FROM tsmith, finance;

The ADMIN OPTION for a system privilege or role cannot be selectively revoked; the privilege or role must be revoked and then the privilege or role regranted without the ADMIN OPTION.

Privileges Required to Revoke System Privileges and Roles Any user with the ADMIN OPTION for a system privilege or role can revoke the privilege or role from any other database user or role (the user does not have to be the user that originally granted the privilege or role). Additionally, any user with the GRANT ANY ROLE can revoke any role.

Revoking Object Privileges

REVOKE select, insert ON emp
   FROM jward, tsmith;

A grantor could also revoke all privileges on the table DEPT (even if only one privilege was granted) that he or she granted to the role HUMAN_RESOURCES by entering the following statement:

REVOKE ALL ON dept FROM human_resources;

This statement would only revoke the privileges that the grantor authorized, not the grants made by other users. The GRANT OPTION for an object privilege cannot be selectively revoked; the object privilege must be revoked and then regranted without the GRANT OPTION. A user cannot revoke object privileges from him or herself.

Revoking Column-Selective Object Privileges Recall that column-specific INSERT, UPDATE, and REFERENCES privileges can be granted for tables or views; however, it is not possible to revoke column-specific privileges selectively with a similar REVOKE statement. Instead, the grantor must first revoke the object privilege for all columns of a table or view, and then selectively grant the new column-specific privileges again.

For example, assume the role HUMAN_RESOURCES has been granted the UPDATE privilege on the DEPTNO and DNAME columns of the table DEPT. To revoke the UPDATE privilege on just the DEPTNO column, enter the following two statements:

REVOKE UPDATE ON dept FROM human_resources;
GRANT UPDATE (dname) ON dept TO human_resources;

The REVOKE statement revokes the UPDATE privilege on all columns of the DEPT table from the role HUMAN_RESOURCES. The GRANT statement regrants the UPDATE privilege on the DNAME column to the role HUMAN_RESOURCES.

Revoking the REFERENCES Object Privilege If the grantee of the REFERENCES object privilege has used the privilege to create a foreign key constraint (that currently exists), the grantor can only revoke the privilege by specifying the CASCADE CONSTRAINTS option in the REVOKE statement:

REVOKE REFERENCES ON dept FROM jward CASCADE CONSTRAINTS;

Any foreign key constraints currently defined that use the revoked REFERENCES privilege are dropped when the CASCADE CONSTRAINTS option is specified.

Privileges Required to Revoke Object Privileges To revoke an object privilege, the revoker must be the original grantor of the object privilege being revoked.

Cascading Effects of Revoking Privileges

System Privileges There are no cascading effects when revoking a system privilege related to DDL operations, regardless of whether the privilege was granted with or without the ADMIN OPTION. For example, assume the following:

1. You grant the CREATE TABLE system privilege to JWARD with the WITH OPTION.

2. JWARD creates a table.

3. JWARD grants the CREATE TABLE system privilege to TSMITH.

4. TSMITH creates a table.

5. You revoke the CREATE TABLE system privilege from JWARD.

6. JWARD's table continues to exist. TSMITH continues to have the CREATE TABLE system privilege and his table still exists.

Object Privileges Revoking an object privilege can have several types of cascading effects that should be investigated before a REVOKE statement is issued:

• Object definitions that depend on a DML object privilege can be affected if the DML object privilege is revoked. For example, assume the procedure body of the TEST procedure includes a SQL statement that queries data from the EMP table. If the SELECT privilege on the EMP table is revoked from the owner of the TEST procedure, the procedure can no longer be executed successfully.

• Object definitions that require the ALTER and INDEX DDL object privileges are not affected if the ALTER or INDEX object privilege is revoked. For example, if the INDEX privilege is revoked from a user that created an index on someone else's table, the index continues to exist after the privilege is revoked.

• When a REFERENCES privilege for a table is revoked from a user, any foreign key integrity constraints defined by the user that require the dropped REFERENCES privilege are automatically dropped. For example, assume that the user JWARD is granted the REFERENCES privilege for the DEPTNO column of the DEPT table and creates a foreign key on the DEPTNO column in the EMP table that references the DEPTNO column. If the REFERENCES privilege on the DEPTNO column of the DEPT table is revoked, the foreign key constraint on the DEPTNO column of the EMP table is dropped in the same operation.

• The object privilege grants propagated using the GRANT OPTION are revoked if a grantor's object privilege is revoked. For example, assume that USER1 is granted the SELECT object privilege with the GRANT OPTION, and grants the SELECT privilege on EMP to USER2. Subsequently, the SELECT privilege is revoked from USER1. This revoke is cascaded to USER2 as well. Any objects that depended on USER1's and USER2's revoked SELECT privilege can also be affected.

Granting to, and Revoking from, the User Group PUBLIC

You should only grant a privilege or role to PUBLIC if every database user requires the privilege or role. This recommendation restates the general rule that at any given time, each database user should only have the privileges required to successfully accomplish the current task.

Revokes from PUBLIC can cause significant cascading effects, depending on the privilege that is revoked. If any privilege related to a DML operation is revoked from PUBLIC (for example, SELECT ANY TABLE, UPDATE ON emp), all procedures in the database (including functions and packages) must be reauthorized before they can be used again. Therefore, use caution when granting DML-related privileges to PUBLIC.

When Do Grants and Revokes Take Effect?

• All grants/revokes of privileges (system and object) to anything (users, roles, and PUBLIC) are immediately observed.

• All grants/revokes of roles to anything (users, other roles, PUBLIC) are only observed when a current user session issues a SET ROLE statement to re-enable the role after the grant/revoke, or when a new user session is created after the grant/revoke.

How Do Grants Affect Dependent Objects?