Skip Headers
Oracle® Database Security Guide
12c Release 1 (12.1)

E48135-09
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

4 Configuring Privilege and Role Authorization

This chapter contains:

About Privileges and Roles

Authorization includes primarily two processes:

  • Permitting only certain users to access, process, or alter data.

  • Applying varying limitations on user access or actions. The limitations placed on (or removed from) users can apply to objects such as schemas, tables, or rows.

A user privilege is the right to run a particular type of SQL statement, or the right to access an object that belongs to another user, run a PL/SQL package, and so on. The types of privileges are defined by Oracle Database.

Roles are created by users (usually administrators) to group together privileges or other roles. They are a way to facilitate the granting of multiple privileges or roles to users.

This section describes the following general categories:

Who Should Be Granted Privileges?

You grant privileges to users so they can accomplish tasks required for their jobs. You should grant a privilege only to a user who requires that privilege to accomplish the necessary work. Excessive granting of unnecessary privileges can compromise security. For example, you never should grant SYSDBA or SYSOPER administrative privilege to users who do not perform administrative tasks.

A user can receive a privilege in two ways:

  • You can grant privileges to users explicitly. For example, you can explicitly grant to user psmith the privilege to insert records into the employees table.

  • You can grant privileges to a role (a named group of privileges), and then grant the role to one or more users. For example, you can grant the privileges to select, insert, update, and delete records from the employees table to the role named clerk, which in turn you can grant to users psmith and robert.

Because roles allow for easier and better management of privileges, you should usually grant privileges to roles and not to specific users.

See Also:

How the Oracle Multitenant Option Affects Privileges

In a multitenant environment, all users, including common users, can exercise their privileges only within the current container. However, a user connected to the root can perform certain operations that affect other pluggable databases (PDBs). These operations include ALTER PLUGGABLE DATABASE, CREATE USER, CREATE ROLE, and ALTER USER. The common user must possess the common privilege grants that enable these operations. A common user connected to the root can see metadata pertaining to PDBs by way of the container data objects (for example, multitenant container database (CDB) views and V$ views) in the root, provided that the common user has been granted privileges required to access these views and his CONTAINER_DATA attribute has been set to allow seeing data about various PDBs. The common user cannot query tables or views in a PDB.

Common users cannot exercise their privileges across other PDBs. They must first switch to the PDB that they want, and then exercise their privileges from there. To switch to a different container, the common user must have the SET CONTAINER privilege. Alternatively, the common user can start a new database session whose initial current container is the container this user wants, relying on the CREATE SESSION privilege in that PDB.

Be aware that commonly granted privileges that have been made to common users may interfere with the security configured for individual PDBs.

See Also:

Managing Administrative Privileges

This section contains:

About Administrative Privileges

For better separation of duty, Oracle Database provides a set of administrative privileges that are tailored for specific administrative tasks: backup and recovery, Oracle Data Guard, and encryption key management for transparent data management (TDE). You can find the administrative privileges that a user has by querying the V$PWFILE_USERS dynamic view, which lists users in the password file.

In previous releases, you needed to have the SYSDBA administrative privilege to perform these tasks. To support backward compatibility, you still can use the SYSDBA privilege for these tasks, but Oracle recommends that you use the privileges described in this section.

The use of administrative privileges is mandatorily audited. See "Auditing Administrative Users" for more information.

Granting Administrative Privileges to Users

As with all powerful privileges, only grant administrative privileges to trusted users. However, be aware that there is a restriction for users whose names have non-ASCII characters (for example, the umlaut in the name HÜBER). You can grant administrative privileges to these users, but if the Oracle database instance is down, the authentication using the granted privilege is not supported if the user name has non-ASCII characters. If the database instance is up, then the authentication is supported.

SYSDBA and SYSOPER Administrative Privileges for Standard Database Operations

The SYSDBA and SYSOPER administrative privileges enable you to perform a variety of standard database operations, such as database startups and shutdowns, creating the server parameter file (SPFILE), or altering the database archive log.

See Also:

Oracle Database Administrator's Guide for detailed information about the SYSDBA and SYSOPER administrative privileges

SYSBACKUP Administrative Privilege for Backup and Recovery Operations

To perform backup and recovery operations from either Oracle Recovery Manager (RMAN) and or through SQL*Plus, log in with the SYSBACKUP administrative privilege. To connect to the database as SYSBACKUP using a password, you must create a password file for it. See Oracle Database Administrator's Guide for more information about creating password files.

This privilege enables you to perform the following operations:

  • STARTUP

  • SHUTDOWN

  • ALTER DATABASE

  • ALTER SYSTEM

  • ALTER SESSION

  • ALTER TABLESPACE

  • CREATE CONTROLFILE

  • CREATE ANY DIRECTORY

  • CREATE ANY TABLE

  • CREATE ANY CLUSTER

  • CREATE PFILE

  • CREATE RESTORE POINT (including GUARANTEED restore points)

  • CREATE SESSION

  • CREATE SPFILE

  • DROP DATABASE

  • DROP TABLESPACE

  • DROP RESTORE POINT (including GUARANTEED restore points)

  • FLASHBACK DATABASE

  • RESUMABLE

  • UNLIMITED TABLESPACE

  • SELECT ANY DICTIONARY

  • SELECT ANY TRANSACTION

  • SELECT

    • X$ tables (that is, the fixed tables)

    • V$ and GV$ views (that is, the dynamic performance views)

    • APPQOSSYS.WLM_CLASSIFIER_PLAN

    • SYSTEM.LOGSTDBY$PARAMETERS

  • DELETE/INSERT

    • SYS.APPLY$_SOURCE_SCHEMA

    • SYSTEM.LOGSTDBY$PARAMETERS

  • EXECUTE

    • SYS.DBMS_BACKUP_RESTORE

    • SYS.DBMS_RCVMAN

    • SYS.DBMS_DATAPUMP

    • SYS.DBMS_IR

    • SYS.DBMS_PIPE

    • SYS.SYS_ERROR

    • SYS.DBMS_TTS

    • SYS.DBMS_TDB

    • SYS.DBMS_PLUGTS

    • SYS.DBMS_PLUGTSP

  • SELECT_CATALOG_ROLE

In addition, the SYSBACKUP privilege enables you to connect to the database even if the database is not open.

See Also:

Oracle Database Backup and Recovery User's Guide for more information about backup and recovery operations

SYSDG Administrative Privilege for Oracle Data Guard Operations

Log in as user SYSDG with the SYSDG administrative privilege to perform Data Guard operations. You can use this privilege with either Data Guard Broker or the DGMGRL command-line interface. In order to connect to the database as SYSDG using a password, you must create a password file for it. See Oracle Database Administrator's Guide for more information about creating password files.

The SYSDG privilege enables the following operations:

  • STARTUP

  • SHUTDOWN

  • ALTER DATABASE

  • ALTER SESSION

  • ALTER SYSTEM

  • CREATE RESTORE POINT (including GUARANTEED restore points)

  • CREATE SESSION

  • DROP RESTORE POINT (including GUARANTEED restore points)

  • FLASHBACK DATABASE

  • SELECT ANY DICTIONARY

  • SELECT

    • X$ tables (that is, the fixed tables)

    • V$ and GV$ views (that is, the dynamic performance views)

    • APPQOSSYS.WLM_CLASSIFIER_PLAN

  • DELETE

    • APPQOSSYS.WLM_CLASSIFIER_PLAN

  • EXECUTE

    • SYS.DBMS_DRS

In addition, the SYSDG privilege enables you to connect to the database even if it is not open.

See Also:

Oracle Data Guard Concepts and Administration for more information about Oracle Data Guard

SYSKM Administrative Privilege for Transparent Data Encryption

The SYSKM administrative privilege enables the SYSKM user to manage Transparent Data Encryption wallet operations. In order to connect to the database as SYSKM using a password, you must create a password file for it. See Oracle Database Administrator's Guide for more information about creating password files.

The SYSKM administrative privilege enables the following operations:

  • ADMINISTER KEY MANAGEMENT

  • CREATE SESSION

  • SELECT (only when database is open)

    • SYS.V$ENCRYPTED_TABLESPACES

    • SYS.V$ENCRYPTION_WALLET

    • SYS.V$WALLET

    • SYS.V$ENCRYPTION_KEYS

    • SYS.V$CLIENT_SECRETS

    • SYS.DBA_ENCRYPTION_KEY_USAGE

In addition, the SYSKM privilege enables you to connect to the database even if it is not open.

See Also:

Oracle Database Advanced Security Guide for more information about Transparent Data Encryption

Managing System Privileges

This section contains:

About System Privileges

A system privilege is the right to perform a particular action or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.

There are over 100 distinct system privileges. Each system privilege allows a user to perform a particular database operation or class of database operations. Remember that system privileges are very powerful. Only grant them when necessary to roles and trusted users of the database. You can find a complete list of system privileges and their descriptions in Oracle Database SQL Language Reference. To find the system privileges that have been granted to a user, you can query the DBA_SYS_PRIVS data dictionary view.

Why Is It Important to Restrict System Privileges?

This section contains:

About the Importance of Restricting System Privileges

Because system privileges are so powerful, by default the database is configured to prevent typical (non-administrative) users from exercising the ANY system privileges (such as UPDATE ANY TABLE) on the data dictionary. See "Guidelines for Securing User Accounts and Privileges" for additional guidelines about restricting system privileges.

Restricting System Privileges by Securing the Data Dictionary

To secure the data dictionary, set the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE, which is the default value. This feature is called the dictionary protection mechanism.

The O7_DICTIONARY_ACCESSIBILITY initialization parameter controls restrictions on system privileges when you upgrade from Oracle Database release 7 to Oracle8i and later releases. If the parameter is set to TRUE, then access to objects in the SYS schema is allowed (Oracle Database release 7 behavior). Because the ANY privilege applies to the data dictionary, a malicious user with ANY privilege could access or alter data dictionary tables.

To set the O7_DICTIONARY_ACCESSIBILTY initialization parameter, modify it in the initSID.ora file. Alternatively, you can log on to SQL*Plus as user SYS with the SYSDBA administrative privilege and then enter an ALTER SYSTEM statement, assuming you have started the database using a server parameter file (SPFILE).

Example 4-1 shows how to set the O7_DICTIONARY_ACCESSIBILTY initialization parameter to FALSE by issuing an ALTER SYSTEM statement in SQL*Plus.

Example 4-1 Setting O7_DICTIONARY_ACCESSIBILITY to FALSE

ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE=SPFILE;

When you set O7_DICTIONARY_ACCESSIBILITY to FALSE, system privileges that enable access to objects in any schema (for example, users who have ANY privileges, such as CREATE ANY PROCEDURE) do not allow access to objects in the SYS schema. This means that access to the objects in the SYS schema (data dictionary objects) is restricted to users who connect using the SYSDBA administrative privilege. Remember that the SYS user must log in with either the SYSDBA or SYSOPER privilege; otherwise, an ORA-28009: connection as SYS should be as SYSDBA or SYSOPER error is raised. If you set O7_DICTIONARY_ACCESSIBILITY to TRUE, then you would be able to log in to the database as user SYS without having to specify the SYSDBA or SYSOPER privilege.

System privileges that provide access to objects in other schemas do not give other users access to objects in the SYS schema. For example, the SELECT ANY TABLE privilege allows users to access views and tables in other schemas, but does not enable them to select dictionary objects (base tables of dynamic performance views, regular views, packages, and synonyms). You can, however, grant these users explicit object privileges to access objects in the SYS schema.

See Oracle Database Reference for more information about the O7_DICTIONARY_ACCESSIBILITY initialization parameter.

Allowing Access to Objects in the SYS Schema

Users with explicit object privileges or those who connect with administrative privileges (SYSDBA) can access objects in the SYS schema.

Table 4-1 lists roles that you can grant to users who need access to objects in the SYS schema.

Table 4-1 Roles to Allow Access to SYS Schema Objects

Role Description

SELECT_CATALOG_ROLE

Grant this role to allow users SELECT privileges on data dictionary views.

EXECUTE_CATALOG_ROLE

Grant this role to allow users EXECUTE privileges for packages and procedures in the data dictionary.

DELETE_CATALOG_ROLE

Grant this role to allow users to delete records from the system audit tables SYS.AUD$ and SYS.FGA_LOG$.

Note: The DELETE_CATALOG_ROLE role is deprecated in Oracle Database 12c Release 1 (12.1).


Additionally, you can grant the SELECT ANY DICTIONARY system privilege to users who require access to tables created in the SYS schema. This system privilege allows query access to any object in the SYS schema, including tables created in that schema. It must be granted individually to each user requiring the privilege. It is not included in GRANT ALL PRIVILEGES, but it can be granted through a role.

Caution:

You should grant these roles and the SELECT ANY DICTIONARY system privilege with extreme care, because the integrity of your system can be compromised by their misuse.

Granting and Revoking a System Privilege

You can grant or revoke system privileges to users and roles. If you grant system privileges to roles, then you can use the roles to exercise system privileges. For example, roles permit privileges to be made selectively available. Ensure that you follow the separation of duty guidelines described in "Guidelines for Securing Roles".

Use either of the following methods to grant or revoke system privileges to or from users and roles:

  • GRANT and REVOKE SQL statements

  • Oracle Enterprise Manager Cloud Control

Who Can Grant or Revoke System Privileges?

Only two types of users can grant system privileges to other users or revoke those privileges from them:

  • Users who were granted a specific system privilege with the ADMIN OPTION

  • Users with the system privilege GRANT ANY PRIVILEGE

For this reason, only grant these privileges to trusted users.

About ANY Privileges and the PUBLIC Role

System privileges that use the ANY keyword enable you to set privileges for an entire category of objects in the database. For example, the CREATE ANY PROCEDURE system privilege permits a user to create a procedure anywhere in the database. The behavior of an object created by users with the ANY privilege is not restricted to the schema in which it was created. For example, if user JSMITH has the CREATE ANY PROCEDURE privilege and creates a procedure in the schema JONES, then the procedure will run as JONES. However, JONES may not be aware that the procedure JSMITH created is running as him (JONES). If JONES has DBA privileges, letting JSMITH run a procedure as JONES could pose a security violation.

The PUBLIC role is a special role that every database user account automatically has when the account is created. By default, it has no privileges granted to it, but it does have numerous grants, mostly to Java objects. You cannot drop the PUBLIC role, and a manual grant or revoke of this role has no meaning, because the user account will always assume this role. Because all database user accounts assume the PUBLIC role, it does not appear in the DBA_ROLES and SESSION_ROLES data dictionary views.

You can grant privileges to the PUBLIC role, but remember that this makes the privileges available to every user in the Oracle database. For this reason, be careful about granting privileges to the PUBLIC role, particularly powerful privileges such as the ANY privileges and system privileges. For example, if JSMITH has the CREATE PUBLIC SYNONYM system privilege, he could redefine an interface that he knows everyone else uses, and then point to it with the PUBLIC SYNONYM that he created. Instead of accessing the correct interface, users would access the interface of JSMITH, which could possibly perform illegal activities such as stealing the login credentials of users.

These types of privileges are very powerful and could pose a security risk if given to the wrong person. Be careful about granting privileges using ANY or PUBLIC. As with all privileges, you should follow the principles of "least privilege" when granting these privileges to users.

To protect the data dictionary (the contents of the SYS schema) against users who have one or more of the powerful ANY system privileges, set the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE. You can set this parameter by using an ALTER SYSTEM statement or by modifying the initSID.ora file.

Managing Commonly and Locally Granted Privileges

This section contains:

See Also:

Oracle Database Concepts for a conceptual overview of common and local privilege grants

About Commonly and Locally Granted Privileges

In a multitenant environment, both common users and local users can grant privileges to one another. Privileges by themselves are neither common nor local. How the privileges are applied depends on whether the privilege is granted commonly or granted locally.

For commonly granted privileges:

  • A privilege that is granted commonly can be used in every existing and future container.

  • Only common users can grant privileges commonly, and only if the grantee is common.

  • A common user can grant privileges to another common user or to a common role.

  • The grantor must be connected to the root and must specify CONTAINER=ALL in the GRANT statement.

  • Both system and object privileges can be commonly granted. (Object privileges become actual only with regard to the specified object.)

  • When a common user connects to or switches to a given container, this user's ability to perform various activities (such as creating a table) is controlled by both the commonly granted and locally granted privileges this user has.

  • Do not grant privileges to PUBLIC commonly.

For locally granted privileges:

  • A privilege granted locally can be used only in the container in which it was granted. When the privilege is granted in the root, it applies only to the root.

  • Both common users and local users can grant privileges locally.

  • A common user and a local user can grant privileges to other common or local roles.

  • The grantor must be connected to the container and must specify CONTAINER=CURRENT in the GRANT statement.

  • Any user can grant a privilege locally to any other user or role (both common and local) or to the PUBLIC role.

See Also:

How Commonly Granted System Privileges Work

Users can exercise system privileges only within the PDB in which they were granted. For example, if a system privilege is locally granted to a common user A in a PDB B, user A can exercise that privilege only while connected to PDB B.

System privileges can apply in the root and in all existing and future PDBs if the following requirements are met:

  • The system privilege grantor is a common user and the grantee is a common user, a common role, or the PUBLIC role. Do not commonly grant system privileges to the PUBLIC role, because this in effect makes the system privilege available to all users.

  • The system privilege grantor possesses the ADMIN OPTION for the commonly granted privilege

  • The GRANT statement must contain the CONTAINER=ALL clause.

Example 4-2 shows how to perform a common privilege grant for the common user c##hr_admin so that he can create tables in any PDB in the CDB.

Example 4-2 Granting a System Privilege to a Common User

CONNECT SYSTEM@root 
Enter password: password
Connected.

GRANT CREATE ANY TABLE TO c##hr_admin CONTAINER=ALL;

How Commonly Granted Object Privileges Work

An object privilege on a common object applies only to that object as well as all metadata links or object links that are associated with it in the root and in all PDBs to which the grantor can connect (including future PDBs) if the following requirements are met:

  • The object privilege grantor is a common user and the grantee is a common user, a common role, or the PUBLIC role.

  • The object privilege grantor possesses the commonly granted GRANT OPTION for the commonly granted privilege

  • The GRANT statement contains the CONTAINER=ALL clause.

Example 4-3 shows how to grant an object privilege to the common user c##hr_admin so that he can select from the user_data table in the current PDB.

Example 4-3 Granting an Object Privilege to a Common User

CONNECT SYSTEM@hr_pdg
Enter password: password
Connected.

GRANT READ ON user_data TO c##hr_admin CONTAINER=CURRENT;

See Also:

Granting or Revoking Privileges to Access a PDB

To grant a privilege in a multitenant environment, include the CONTAINER clause in the GRANT or REVOKE statement. Setting CONTAINER to ALL applies the privilege to all existing and future containers; setting it to CURRENT applies the privilege to the local container only. Except for the root, omitting the CONTAINER clause applies the privilege to the local container. If you issue the GRANT statement from the root and omit the CONTAINER clause, then the privilege is applied locally.

Example 4-4 shows how to commonly grant the CREATE TABLE privilege to common user c##hr_admin so that this user can use this privilege in all existing and future containers.

Example 4-4 Granting a Privilege in a Multitenant Environment

CONNECT SYSTEM@root
Enter password: password
Connected.

GRANT CREATE TABLE TO c##hr_admin CONTAINER=ALL;

See Also:

Oracle Database SQL Language Reference for detailed information about the GRANT statement

Enabling Common Users to View Information About Container Objects

This section contains:

Viewing Data Pertaining to Root, CDB, and PDBs While Connected to Root

In a multitenant environment, the X$ table and the V$, GV$ and CDB_* view information, which contain information about the root and the entire CDB, can be restricted to one or more containers when common users perform queries. This is useful when you do not want to expose sensitive information about other PDBs. To enable this functionality, Oracle Database provides these tables and views as container data objects. You can find if a specific table or view is a container data object by querying the TABLE_NAME, VIEW_NAME, and CONTAINER_DATA columns of the USER_|DBA_|ALL_VIEWS|TABLES dictionary views.

To find information about the default (user-level) and object-specific CONTAINER_DATA attributes, query the CDB_CONTAINER_DATA data dictionary view, as shown in Example 4-5.

Example 4-5 Finding Information about CONTAINER_DATA Attributes

COLUMN USERNAME FORMAT A15
COLUMN DEFAULT_ATTR FORMAT A7
COLUMN OWNER FORMAT A15
COLUMN OBJECT_NAME FORMAT A15
COLUMN ALL_CONTAINERS FORMAT A3
COLUMN CONTAINER_NAME FORMAT A10
COLUMN CON_ID FORMAT A6

SELECT USERNAME, DEFAULT_ATTR, OWNER, OBJECT_NAME, ALL_CONTAINERS, CONTAINER_NAME, CON_ID FROM CDB_CONTAINER_DATA ORDER BY OBJECT_NAME;

USERNAME        DEFAULT OWNER           OBJECT_NAME     ALL CONTAINERS CON_ID
--------------- ------- --------------- --------------- --- ---------- ------
C##HR_ADMIN     N       SYS             V$SESSION       N   CDB$ROOT        1
C##HR_ADMIN     N       SYS             V$SESSION       N   SALESPDB        1
C##HR_ADMIN     Y                                       N   HRPDB           1
C##HR_ADMIN     Y                                       N   CDB$ROOT        1
DBSNMP          Y                                       Y                   1
SYSTEM          Y                                       Y                   1

See Also:

Enabling Common Users to Access Data in Specific PDBs

To enable common users to access data about specific PDBs, you must run the ALTER USER statement in the root.

Example 4-6 shows how to run the ALTER USER statement to enable the common user c##hr_admin to view information pertaining to the CDB$ROOT, SALES_PDB, and hrpdb containers in all container data objects that he can access, using the V$SESSION view.

Example 4-6 Enabling a Common User to View Specific Object Data

CONNECT SYSTEM@root
Enter password: password
Connected.

ALTER USER c##hr_admin
SET CONTAINER_DATA = (CDB$ROOT, SALESPDB, HRPDB) 
FOR V$SESSION CONTAINER=CURRENT;

In this specification:

  • CDB$ROOT, SALES_PDB, hrpdb refer to the containers that must be accessible to user c##hr_admin. You must include CDB$ROOT.

  • FOR V$SESSION specifies the CONTAINER_DATA dynamic view, which common user c##hr_admin will query.

  • CONTAINER = CURRENT must be specified because when you are connected to the root, CONTAINER=ALL is the default for the ALTER USER statement, but modification of the CONTAINER_DATA attribute must be restricted to the root.

See Also:

Oracle Database SQL Language Reference for detailed information about the ALTER USER statement

Managing Common Roles and Local Roles

This section contains:

About Common Roles and Local Roles

In a multitenant environment, a common role role is a role whose identity and password are created in the root and is known in all existing and future containers. All Oracle-supplied predefined roles are common roles.

A local role exists in only one PDB and can only be used within this PDB. It does not have any commonly granted privileges.

Note the following:

  • Common users can both create and grant common roles to other common and local users.

  • You can grant a common role to a common user either commonly or locally.

  • If you grant a common role to a local user, then the privileges of that common role apply only to the local user's PDB.

  • Local users cannot create common roles, but they can grant them to common and other local users.

See Also:

How Common Roles Work

Common roles are visible in every PDB in a multitenant environment. Commonly granted privileges that have been made to the common role apply in the root and all PDBs to which the grantor can connect, including PDBs that may be added later on, if the following requirements are met:

  • Both the grantor and the grantee are common users.

  • The grantor possesses the ADMIN OPTION for the common role that was granted.

  • The GRANT statement contains the CONTAINER=ALL clause.

If the common role contains locally granted privileges, then these privileges apply only within the PDB in which they were granted to the common role. A local role cannot be granted commonly.

For example, suppose the common user c##hr_mgr has been commonly granted the DBA role. This means that user c##hr_mgr can use the privileges associated with the DBA role in the root and in every PDB in the multitenant environment. However, if the common user c##hr_mgr has only been locally granted the DBA role for the hr_pdb PDB, then this user can only use the DBA role's privileges in the hr_pdb PDB.

How the PUBLIC Role Works in a Multitenant Environment

All grants that Oracle makes to the PUBLIC role are made locally. This enables you to revoke privileges or roles that have granted to the PUBLIC role individually in each PDB as needed. If you must grant any privileges to the PUBLIC role, then grant them locally. Never grant privileges to PUBLIC commonly.

See Also:

Privileges Required to Create, Modify, or Drop a Common Role

Only common users who have the commonly granted CREATE ROLE, ALTER ROLE, and DROP ROLE privileges can create, alter, or drop common roles. Common users can create local roles, too, but these roles are available only in the PDB in which they were created.

Creating a Common Role

To create a common role, follow these rules:

  • Ensure that you are in the root. You cannot create common roles from a PDB. To check if you are in the root, run the show con_name command. The output should be CDB$ROOT.

  • Ensure that the name that you give the common role starts with C## or c## and contains only ASCII or EDCDIC characters. Note that this requirement does not apply to the names of existing Oracle-supplied roles, such as DBA or RESOURCE.

  • Optionally, set the CONTAINER clause to ALL. As long as you are in the root, if you omit the CONTAINER = ALL clause, then by default the role is created as a common role.

Example 4-7 creates the c##sec_mgr common role, which has password authentication.

Example 4-7 Creating a Common Role

CONNECT SYSTEM@root
Enter password: password
Connected.

CREATE ROLE c##sec_admin IDENTIFIED BY password CONTAINER=ALL; 

Creating a Local Role

To create a local role, follow these rules:

  • To create a local role, you must be connected to the PDB in which you want to create the role, and have the CREATE ROLE privilege.

  • The name that you give the local role must not start with C## or c##.

  • You can include CONTAINER=CURRENT in the CREATE ROLE statement to specify the role as a local role. If you are connected to a PDB and omit this clause, then the CONTAINER=CURRENT clause is implied.

  • You cannot have common roles and local roles with the same name. However, you can use the same name for local roles in different PDBs. To find the names of existing roles, query the CDB_ROLES and DBA_ROLES data dictionary views.

Example 4-8 shows how to create a local role.

Example 4-8 Creating a Local Role

CONNECT SYSTEM@hrpdb
Enter password: password
Connected.

CREATE ROLE sec_admin CONTAINER=CURRENT; 

Granting or Revoking Common Roles and Local Roles

Common users can grant and revoke common roles to and from other common users. A local user can grant a common role to any user in a PDB, including common users, but this grant applies only within the PDB.

Example 4-9 shows how to grant the common user c##sec_admin the AUDIT_ADMIN common role for use in all containers.

Example 4-9 Granting a Common Role to a Common User for All Containers

CONNECT SYSTEM@root
Enter password: password
Connected.

GRANT AUDIT_ADMIN TO c##sec_admin CONTAINER=ALL;

Similarly, Example 4-10 shows how local user aud_admin can grant the common user c##sec_admin the AUDIT_ADMIN common role for use within the hrpdb PDB.

Example 4-10 Granting a Common Role to a Common User for the Current Container

CONNECT aud_admin@hrpdb
Enter password: password
Connected.

GRANT AUDIT_ADMIN TO c##sec_admin CONTAINER=CURRENT;

Example 4-11 shows how a local user aud_admin can revoke a role from a PDB. If you omit the CONTAINER clause, then CURRENT is implied.

Example 4-11 Revoking a Local Role

CONNECT aud_admin@hrpdb
Enter password: password
Connected.

REVOKE sec_admin FROM psmith CONTAINER=CURRENT;

Managing User Roles

This section contains:

About User Roles

This section contains:

What Are User Roles?

Managing and controlling privileges is easier when you use roles, which are named groups of related privileges that you grant as a group to users or other roles. Within a database, each role name must be unique, different from all user names and all other role names. Unlike schema objects, roles are not contained in any schema. Therefore, a user who creates a role can be dropped with no effect on the role.

The Functionality of Roles

Roles are useful for quickly and easily granting permissions to users. Although you can use Oracle Database-defined roles, you have more control and continuity if you create your own roles that contain only the privileges pertaining to your requirements. Oracle may change or remove the privileges in an Oracle Database-defined role.

Roles have the following functionality:

  • A role can be granted system or object privileges.

  • Any role can be granted to any database user.

  • Each role granted to a user is, at a given time, either enabled or disabled. A user's security domain includes the privileges of all roles currently enabled for the user and excludes the privileges of any roles currently disabled for the user. Oracle Database allows database applications and users to enable and disable roles to provide selective availability of privileges.

  • A role can be granted to other roles. However, a role cannot be granted to itself and cannot be granted circularly. For example, role role1 cannot be granted to role role2 if role role2 has previously been granted to role role1.

  • If a role is not password authenticated or a secure application role, then you can grant the role indirectly to the user. An indirectly granted role is a role granted to the user through another role that has already been granted to this user. For example, suppose you grant user psmith the role1 role. Then you grant the role2 and role3 roles to the role1 role. Roles role2 and role3 are now under role1. This means psmith has been indirectly granted the roles role2 and role3, in addition to the direct grant of role1. Enabling the direct role1 for psmith enables the indirect roles role2 and role3 for this user as well.

  • Optionally, you can make a directly granted role a default role. You enable or disable the default role status of a directly granted role by using the DEFAULT ROLE clause of the ALTER USER statement. Ensure that the DEFAULT ROLE clause refers only to roles that have been directly granted to the user. To find the directly granted roles for a user, query the DBA_ROLE_PRIVS data dictionary view. This view does not include the user's indirectly granted roles. To find roles that are granted to other roles, query the ROLE_ROLE_PRIVS view.

  • If the role is password authenticated or a secure application role, then you cannot grant it indirectly to the user, nor can you make it a default role. You only can grant this type of role directly to the user. Typically, you enable password authenticated or secure application roles by using the SET ROLE statement.

Properties of Roles and Why They Are Advantageous

Table 4-2 describes the properties of roles that enable easier privilege management within a database.

Table 4-2 Properties of Roles and Their Description

Property Description

Reduced privilege administration

Rather than granting the same set of privileges explicitly to several users, you can grant the privileges for a group of related users to a role, and then only the role must be granted to each member of the group.

Dynamic privilege management

If the privileges of a group must change, then only the privileges of the role need to be modified. The security domains of all users granted the group's role automatically reflect the changes made to the role.

Selective availability of privileges

You can selectively enable or disable the roles granted to a user. This allows specific control of a user's privileges in any given situation.

Application awareness

The data dictionary records which roles exist, so you can design applications to query the dictionary and automatically enable (or disable) selective roles when a user attempts to execute the application by way of a given user name.

Application-specific security

You can protect role use with a password. Applications can be created specifically to enable a role when supplied the correct password. Users cannot enable the role if they do not know the password.


Database administrators often create roles for a database application. You should grant a secure application role all privileges necessary to run the application. You then can grant the secure application role to other roles or users. An application can have several different roles, each granted a different set of privileges that allow for more or less data access while using the application.

The DBA can create a role with a password to prevent unauthorized use of the privileges granted to the role. Typically, an application is designed so that when it starts, it enables the proper role. As a result, an application user does not need to know the password for an application role.

See Also:

"How Roles Aid or Restrict DDL Usage" for information about restrictions for procedures

Typical Uses of Roles

In general, you create a role to serve one of two purposes:

Figure 4-1 and the sections that follow describe the two uses of roles.

Figure 4-1 Common Uses for Roles

Description of Figure 4-1 follows
Description of "Figure 4-1 Common Uses for Roles"

Common Uses of Application Roles

Grant an application role all privileges necessary to run a given database application. Then, grant the secure application role to other roles or to specific users. An application can have several different roles, with each role assigned a different set of privileges that allow for more or less data access while using the application.

Common Uses of User Roles

Create a user role for a group of database users with common privilege grant requirements. You can manage user privileges by granting secure application roles and privileges to the user role and then granting the user role to appropriate users.

How Roles Affect the Scope of a User's Privileges

Each role and user has its own unique security domain. The security domain of a role includes the privileges granted to the role plus those privileges granted to any roles that are granted to the role.

The security domain of a user includes privileges on all schema objects in the corresponding schema, the privileges granted to the user, and the privileges of roles granted to the user that are currently enabled. (A role can be simultaneously enabled for one user and disabled for another.) This domain also includes the privileges and roles granted to the role PUBLIC. The PUBLIC role represents all users in the database.

How Roles Work in PL/SQL Blocks

The use of roles in a PL/SQL block depends on whether it is an anonymous block or a named block (stored procedure, function, or trigger), and whether it executes with definer's rights or invoker's rights.

Roles Used in Named Blocks with Definer's Rights

All roles are disabled in any named PL/SQL block (stored procedure, function, or trigger) that executes with definer's rights. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure.

The SESSION_ROLES view shows all roles that are currently enabled. If a named PL/SQL block that executes with definer's rights queries SESSION_ROLES, then the query does not return any rows.

Roles Used in Named Blocks with Invoker's Rights and Anonymous PL/SQL Blocks

Named PL/SQL blocks that execute with invoker's rights and anonymous PL/SQL blocks are executed based on privileges granted through enabled roles. Current roles are used for privilege checking within an invoker's rights PL/SQL block. You can use dynamic SQL to set a role in the session.

See Also:

How Roles Aid or Restrict DDL Usage

A user requires one or more privileges to successfully execute a DDL statement, depending on the statement. For example, to create a table, the user must have the CREATE TABLE or CREATE ANY TABLE system privilege. To create a view of a table that belongs to another user, the creator requires the CREATE VIEW or CREATE ANY VIEW system privilege and either the SELECT object privilege for the table or the SELECT ANY TABLE system privilege.

Oracle Database avoids the dependencies on privileges received by way of roles by restricting the use of specific privileges in certain DDL statements. The following rules describe these privilege restrictions concerning DDL statements:

  • All system privileges and object privileges that permit a user to perform a DDL operation are usable when received through a role. For example:

    • System privileges: CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE privileges

    • Object privileges: ALTER and INDEX privileges for a table

      You cannot use the REFERENCES object privilege for a table to define the foreign key of a table if the privilege is received through a role.

  • All system privileges and object privileges that allow a user to perform a DML operation that is required to issue a DDL statement are not usable when received through a role. The security domain does not contain roles when a CREATE VIEW statement is used. For example, a user who is granted the SELECT ANY TABLE system privilege or the SELECT object privilege for a table through a role cannot use either of these privileges to create a view on a table that belongs to another user. This is because views are definer's rights objects, so when creating them you cannot use any privileges (neither system privileges or object privileges) granted to you through a role. If the privilege is granted directly to you, then you can use the privilege. However, if the privilege is revoked at a later time, then the view definition becomes invalid ("contains errors") and must recompiled before it can be used again.

The following example further clarifies the permitted and restricted uses of privileges received through roles.

Assume that a user is:

  • Granted a role that has the CREATE VIEW system privilege

  • Directly granted a role that has the SELECT object privilege for the employees table

  • Directly granted the SELECT object privilege for the departments table

Given these directly and indirectly granted privileges:

  • The user can issue SELECT statements on both the employees and departments tables.

  • Although the user has both the CREATE VIEW and SELECT privilege for the employees table through a role, the user cannot create a view on the employees table, because the SELECT object privilege for the employees table was granted through a role.

  • The user can create a view on the departments table, because the user has the CREATE VIEW privilege through a role and the SELECT privilege for the departments table directly.

How Operating Systems Can Aid Roles

In some environments, you can administer database security using the operating system. The operating system can be used to grant and revoke database roles and to manage their password authentication. This capability is not available on all operating systems.

See Also:

Your operating system-specific Oracle Database documentation for details about managing roles through the operating system

How Roles Work in a Distributed Environment

When you use roles in a distributed database environment, ensure that all needed roles are set as the default roles for a distributed (remote) session. These roles cannot be enabled when the user connects to a remote database from within a local database session. For example, the user cannot execute a remote procedure that attempts to enable a role at the remote site.

Predefined Roles in an Oracle Database Installation

Oracle Database provides a set of predefined roles to help in database administration. These roles, listed in Table 4-3, are automatically defined for Oracle databases when you run the standard scripts that are part of database creation, and they are considered common roles. If you install other options or products, then other predefined roles may be created.

Table 4-3 Oracle Database Predefined Roles

Predefined Role Description

ADM_PARALLEL_EXECUTE_TASK

Provides privileges to update table data in parallel by using the DBMS_PARALLEL_EXECUTE PL/SQL package.

See Also: Oracle Database PL/SQL Packages and Types Reference for more information about the DBMS_PARALLEL_EXECUTE PL/SQL package.

AQ_ADMINISTRATOR_ROLE

Provides privileges to administer Advanced Queuing. Includes ENQUEUE ANY QUEUE, DEQUEUE ANY QUEUE, and MANAGE ANY QUEUE, SELECT privileges on Advanced Queuing tables and EXECUTE privileges on Advanced Queuing packages.

AQ_USER_ROLE

De-supported, but kept mainly for release 8.0 compatibility. Provides EXECUTE privileges on the DBMS_AQ and DBMS_AQIN packages.

AUDIT_ADMIN

Provides privileges to create unified and fine-grained audit policies, use the AUDIT and NOAUDIT SQL statements, view audit data, and manage the audit trail administration

See Also: "Who Can Perform Auditing?"

AUDIT_VIEWER

Provides privileges to view and analyze audit data

See Also: "Who Can Perform Auditing?"

AUTHENTICATEDUSER

Used by the XDB protocols to define any user who has logged in to the system.

See Also: Oracle XML DB Developer's Guide for more information about how this role is used for DBUriServlet security

CAPTURE_ADMIN

Provides the privileges necessary to create and manage privilege analysis policies.

See Also: Oracle Database Vault Administrator's Guide for more information

CDB_DBA

Provides the privileges required for administering a CDB, such as SET CONTAINER, SELECT ON PDB_PLUG_IN_VIOLATIONS, and SELECT ON CDB_LOCAL_ADMIN_PRIVS. If your site requires additional privileges, then you can create a role (either common or local) to cover these privileges, and then grant this role to the CDB_DBA role.

See Also: Oracle Database Administrator's Guide for information about administrating CDBs

CONNECT

Provides the CREATE SESSION system privilege.

This role is provided for compatibility with previous releases of Oracle Database. You can determine the privileges encompassed by this role by querying the DBA_SYS_PRIVS data dictionary view.

Note: Oracle recommends that you design your own roles for database security rather than relying on this role. This role may not be created automatically by future releases of Oracle Database.

See Also: Oracle Database Reference for a description of the DBA_SYS_PRIVS view

CSW_USR_ROLE

Provides user privileges to manage the Catalog Services for the Web (CSW) component of Oracle Spatial.

See Also: Oracle Spatial and Graph Developer's Guide for more information

CTXAPP

Provides privileges to create Oracle Text indexes and index preferences, and to use PL/SQL packages. This role should be granted to Oracle Text users.

See Also: Oracle Text Application Developer's Guide for more information

CWM_USER

Provides privileges to manage Common Warehouse Metadata (CWM), which is a repository standard used by Oracle data warehousing and decision support.

See Also: Oracle Database Data Warehousing Guide for more information

DATAPUMP_EXP_FULL_DATABASE

Provides privileges to export data from an Oracle database using Oracle Data Pump.

Caution: This is a very powerful role because it provides a user access to any data in any schema in the database. Use caution when granting this role to users.

See Also: Oracle Database Utilities for more information

DATAPUMP_IMP_FULL_DATABASE

Provides privileges to import data into an Oracle database using Oracle Data Pump.

Caution: This is a very powerful role because it provides a user access to any data in any schema in the database. Use caution when granting this role to users.

See Also: Oracle Database Utilities for more information

DBA

Provides all system privileges that were created with the ADMIN option.

This role is provided for compatibility with previous releases of Oracle Database. You can determine the privileges encompassed by this role by querying the DBA_SYS_PRIVS data dictionary view.

Note: Oracle recommends that you design your own roles for database security rather than relying on this role. This role may not be created automatically by future releases of Oracle Database.

See Also: Oracle Database Reference for a description of the DBA_SYS_PRIVS view

DBFS_ROLE

Provides access to the DBFS (the Database Filesystem) packages and objects.

See Also: Oracle Database SecureFiles and Large Objects Developer's Guide

DELETE_CATALOG_ROLE

Provides the DELETE privilege on the system audit table (AUD$), in a non-unified auditing environment.

Note: The DELETE_CATALOG_ROLE role is deprecated in Oracle Database 12c Release 1 (12.1).

EJBCLIENT

Provides privileges to connect to EJBs from a Java stored procedure.

EM_EXPRESS_ALL

Enables users to connect to Oracle Enterprise Manager (EM) Express and use all the functionality provided by EM Express (read and write access to all EM Express features). The EM_EXPRESS_ALL role includes the EM_EXPRESS_BASIC role.

See Also: Oracle Database 2 Day DBA for more information

EM_EXRESS_BASIC

Enables users to connect to EM Express and to view the pages in read-only mode. The EM_EXPRESS_BASIC role includes the SELECT_CATALOG_ROLE role.

See Also: Oracle Database 2 Day DBA for more information

EXECUTE_CATALOG_ROLE

Provides EXECUTE privileges on objects in the data dictionary.

EXP_FULL_DATABASE

Provides the privileges required to perform full and incremental database exports using the Export utility (later replaced with Oracle Data Pump). It includes these privileges: SELECT ANY TABLE, BACKUP ANY TABLE, EXECUTE ANY PROCEDURE, EXECUTE ANY TYPE, ADMINISTER RESOURCE MANAGER, and INSERT, DELETE, and UPDATE on the tables SYS.INCVID, SYS.INCFIL, and SYS.INCEXP. Also includes the following roles: EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE.

This role is provided for convenience in using the export and import utilities.

Caution: This is a very powerful role because it provides a user access to any data in any schema in the database. Use caution when granting this role to users.

See Also: Oracle Database Utilities for more information

GATHER_SYSTEM_STATISTICS

Provides privileges to update system statistics, which are collected using the DBMS_STATS.GATHER_SYSTEM_STATISTICS procedure

See Also: Oracle Database SQL Tuning Guide for more information about managing optimizer statistics

GLOBAL_AQ_USER_ROLE

Provides privileges to establish a connection to an LDAP server, for use with Oracle Streams AQ.

See Also: Oracle Database Advanced Queuing User's Guide for more information

HS_ADMIN_EXECUTE_ROLE

Provides the EXECUTE privilege for users who want to use the Heterogeneous Services (HS) PL/SQL packages.

See Also: Oracle Database Heterogeneous Connectivity User's Guide for more information

HS_ADMIN_ROLE

Provides privileges to both use the Heterogeneous Services (HS) PL/SQL packages and query the HS-related data dictionary views.

See Also: Oracle Database Heterogeneous Connectivity User's Guide for more information

HS_ADMIN_SELECT_ROLE

Provides privileges to query the Heterogeneous Services data dictionary views.

See Also: Oracle Database Heterogeneous Connectivity User's Guide for more information

IMP_FULL_DATABASE

Provides the privileges required to perform full database imports using the Import utility (later replaced with Oracle Data Pump). Includes an extensive list of system privileges (use view DBA_SYS_PRIVS to view privileges) and the following roles: EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE.

This role is provided for convenience in using the export and import utilities.

Caution: This is a very powerful role because it provides a user access to any data in any schema in the database. Use caution when granting this role to users.s.

See Also: Oracle Database Utilities for more information

JAVADEBUGPRIV

Provides privileges to run the Oracle Database Java applications debugger.

See Also: Oracle Database Java Developer's Guide for more information about managing security for Oracle Java applications

JAVAIDPRIV

Deprecated for this release.

JAVASYSPRIV

Provides major permissions to use Java2, including updating Oracle JVM-protected packages.

See Also: Oracle Database Java Developer's Guide for more information about managing security for Oracle Java applications

JAVAUSERPRIV

Provides limited permissions to use Java2.

See Also: Oracle Database Java Developer's Guide for more information about managing security for Oracle Java applications

JAVA_ADMIN

Provides administrative permissions to update policy tables for Oracle Database Java applications.

See Also: Oracle Database Java Developer's Guide for more information about managing security for Oracle Java applications

JAVA_DEPLOY

Provides privileges to deploy ncomp DLLs into the javavm/admin directory using the ncomp and deployns utilities. With this role, the javavm/deploy and javavm/admin directories can be accessible.

See Also: Oracle Database Development Guide for more information

JMXSERVER

Provides privileges to start and maintain a JMX agent in a database session.

See Also: Oracle Database Java Developer's Guide for more information about managing Oracle Java applications

LBAC_DBA

Provides permissions to use the SA_SYSDBA PL/SQL package.

See Also: Oracle Label Security Administrator's Guide for more information

LOGSTDBY_ADMINISTRATOR

Provides administrative privileges to manage the SQL Apply (logical standby database) environment.

See Also: Oracle Data Guard Concepts and Administration for more information

OEM_ADVISOR

Provides privileges to create, drop, select (read), load (write), and delete a SQL tuning set through the DBMS_SQLTUNE PL/SQL package, and to access to the Advisor framework using the ADVISOR PL/SQL package.

See Also: Oracle Database SQL Tuning Guide for more information

OEM_MONITOR

Provides privileges needed by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database.

See Also: Oracle Database SQL Tuning Guide for more information

OLAP_DBA

Provides administrative privileges to create dimensional objects in different schemas for Oracle OLAP.

See Also: Oracle OLAP User's Guide for more information

OLAP_USER

Provides application developers privileges to create dimensional objects in their own schemas for Oracle OLAP.

See Also: Oracle OLAP User's Guide for more information

OLAP_XS_ADMIN

Provides privileges to administer security for Oracle OLAP.

See Also: Oracle OLAP User's Guide for more information

OPTIMIZER_PROCESSING_RATE

Provides privileges to execute the GATHER_PROCESSING_RATE, SET_PROCESSING_RATE, and DELETE_PROCESSING_RATE procedures in the DBMS_STATS package. These procedures manage the processing rate of a system for automatic degree of parallelism (Auto DOP). Auto DOP uses these processing rates to determine the optimal degree of parallelism for a SQL statement.

See Also: Oracle Database SQL Tuning Guide for more information

ORDADMIN

Provides privileges to administer Oracle Multimedia DICOM.

See Also: Oracle Multimedia DICOM Developer's Guide

PDB_DBA

Granted automatically to the local user that is created when you create a new PDB from the seed PDB. No privileges are provided with this role.

See Also: Oracle Database Administrator's Guide for more information about creating PDBs using the seed

PROVISIONER

Provides privileges to register and update global callbacks for Oracle Database Real Application sessions and to provision principals.

See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for more information.

RECOVERY_CATALOG_OWNER

Provides privileges for owner of the recovery catalog. Includes: CREATE SESSION, ALTER SESSION, CREATE SYNONYM, CREATE ANY SYNONYM, DROP ANY SYNONYM, CREATE VIEW, CREATE DATABASE LINK, CREATE TABLE, CREATE CLUSTER, CREATE SEQUENCE, CREATE TRIGGER, CREATE ANY TRIGGER, QUERY REWRITE, CREATE ANY CONTEXT, EXECUTE ON DBMS_RLS, ADMINISTER DATABASE, and CREATE PROCEDURE

RESOURCE

Provides the following system privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE.

Be aware that RESOURCE no longer provides the UNLIMITED TABLESPACE system privilege.

This role is provided for compatibility with previous releases of Oracle Database. You can determine the privileges encompassed by this role by querying the DBA_SYS_PRIVS data dictionary view.

Note: Oracle recommends that you design your own roles for database security rather than relying on this role. This role may not be created automatically by future releases of Oracle Database.

See Also: Oracle Database Reference for a description of the DBA_SYS_PRIVS view

SCHEDULER_ADMIN

Allows the grantee to execute the procedures of the DBMS_SCHEDULER package. It includes all of the job scheduler system privileges and is included in the DBA role.

See Also: Oracle Database Administrator's Guide for more information about the DBMS_SCHEDULER package

SELECT_CATALOG_ROLE

Provides SELECT privilege on objects in the data dictionary.

SPATIAL_CSW_ADMIN

Provides administrative privileges to manage the Catalog Services for the Web (CSW) component of Oracle Spatial.

See Also: Oracle Spatial and Graph Developer's Guide for more information

SPATIAL_WFS_ADMIN

Provides administrative privileges to manage the Web Feature Service (WFS) component of Oracle Spatial.

See Also: Oracle Spatial and Graph Developer's Guide for more information

WFS_USR_ROLE

Provides user privileges for the Web Feature Service (WFS) component of Oracle Spatial.

See Also: Oracle Spatial and Graph Developer's Guide for more information

WM_ADMIN_ROLE

Provides administrative privileges for Oracle Workspace Manager. This enables users to run any DBMS_WM procedures on all version enabled tables, workspaces, and savepoints regardless of their owner. It also enables the user to modify the system parameters specific to Workspace Manager.

See Also: Oracle Database Workspace Manager Developer's Guide for more information

XDBADMIN

Allows the grantee to register an XML schema globally, as opposed to registering it for use or access only by its owner. It also lets the grantee bypass access control list (ACL) checks when accessing Oracle XML DB Repository.

See Also: Oracle XML DB Developer's Guide for information about XML schemas and the XML DB Repository

XDB_SET_INVOKER

Allows the grantee to define invoker's rights handlers and to create or update the resource configuration for XML repository triggers. By default, Oracle Database grants this role to the DBA role but not to the XDBADMIN role.

See Also: Oracle XML DB Developer's Guide for information about Oracle Database XML repository triggers

XDB_WEBSERVICES

Allows the grantee to access Oracle Database Web services over HTTPS. However, it does not provide the user access to objects in the database that are public. To allow public access, you need to grant the user the XDB_WEBSERVICES_WITH_PUBLIC role. For a user to use these Web services, SYS must enable the Web service servlets.

See Also: Oracle XML DB Developer's Guide for information about Oracle Database Web services

XDB_WEBSERVICES_OVER_HTTP

Allows the grantee to access Oracle Database Web services over HTTP. However, it does not provide the user access to objects in the database that are public. To allow public access, you need to grant the user the XDB_WEBSERVICES_WITH_PUBLIC role.

See Also: Oracle XML DB Developer's Guide for information about Oracle Database Web services

XDB_WEBSERVICES_WITH_PUBLIC

Allows the grantee access to public objects through Oracle Database Web services.

See Also: Oracle XML DB Developer's Guide for information about Oracle Database Web services

XS_CACHE_ADMIN

In Oracle Database Real Application Security, enables the grantee to manage the mid-tier cache. It is required for caching the security policy at the mid-tier level for the checkAcl (authorization) method of the XSAccessController class. Grant this role to the application connection user or the Real Application Security dispatcher.

See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for more information

XS_NSATTR_ADMIN

In Oracle Database Real Application Security, enables the grantee to manage and manipulate the namespace and attribute for a session. Grant this role to the Real Application Security session user.

See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for information about managing Real Application Security sessions

XS_RESOURCE

In Oracle Database Real Application Security, enables the grantee to manage objects in the attached schema, through the XS_ACL PL/SQL package. This package creates procedures to create and manage access control lists (ACLs). It contains the ADMIN SEC POLICY privilege. It is similar to the Oracle Database RESOURCE role.

See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for more information

XS_SESSION_ADMIN

In Oracle Database Real Application Security, enables the grantee to manage the life cycle of a session, including the ability to create, attach, detach, and destroy the session. Grant this role to the application connection user or Real Application Security dispatcher.

See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for information about managing Real Application Security sessions


Note:

Each installation should create its own roles and assign only those privileges that are needed, thus retaining detailed control of the privileges in use. This process also removes any need to adjust existing roles, privileges, or procedures whenever Oracle Database changes or removes roles that Oracle Database defines. For example, the CONNECT role now has only one privilege: CREATE SESSION.

Creating a Role

This section contains:

See Also:

About the Creation of Roles

You can create a role using the CREATE ROLE statement, but you must have the CREATE ROLE system privilege to do so. Typically, only security administrators have this system privilege.

After you create a role, the role has no privileges associated with it. Your next step is to grant either privileges or other roles to the new role.

You must give each role you create a unique name among existing user names and role names of the database. Roles are not contained in the schema of any user. In a database that uses a multibyte character set, Oracle recommends that each role name contain at least one single-byte character. If a role name contains only multibyte characters, then the encrypted role name and password combination is considerably less secure. See Guideline 1 in "Guidelines for Securing Passwords" for password guidelines.

You can use the IDENTIFIED BY clause to authorize the role with a password. This clause specifies how the user must be authorized before the role can be enabled for use by a specific user to which it has been granted. If you do not specify this clause, or if you specify NOT IDENTIFIED, then no authorization is required when the role is enabled. Roles can be specified to be authorized by the following:

  • The database using a password

  • An application using a specified package

  • Externally by the operating system, network, or other external source

  • Globally by an enterprise directory service

As an alternative to creating password-protected roles, Oracle recommends that you use secure application roles instead. See "Securing Role Privileges by Using Secure Application Roles" for more information.

Note the following restrictions about the creation of roles:

  • A role and a user cannot have the same name.

  • The role name cannot start with c## (or C##) unless this role is a common role.

Creating a Role That Is Authorized With or Without a Password

Example 4-12 creates the clerk role, which is password authenticated. However, instead of using password-protected roles, consider using secure application roles instead. See "Securing Role Privileges by Using Secure Application Roles" for more information.

Example 4-12 Creating a User Role Authorized by a Password

CREATE ROLE clerk IDENTIFIED BY password;

Example 4-13 creates the salesclerk role, which is has no password authentication.

Example 4-13 Creating a User Role With No Password Authentication

CREATE ROLE salesclerk;

Note:

If you set the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter is set to 11 or higher, then you must recreate roles that have been created with the IDENTIFIED BY clause. See "Managing Case Sensitivity for Secure Role Passwords" for more information.

Creating a Role That Is External or Global

An external user must be authorized by an external service, such as an operating system or third-party service, before enabling the role. A global user must be authorized to use the role by the enterprise directory service before the role is enabled at login.

Example 4-14 shows how to alter the clerk role to specify that the user must have been authorized by an external source before enabling the role.

Example 4-14 Creating a Role to be Authorized Globally

CREATE ROLE clerk IDENTIFIED GLOBALLY;

Altering a Role

You can set or change the authorization method for a role using the ALTER ROLE statement. Remember that you can only directly grant secure application roles or password-authenticated roles to a user. Be aware that if you create a common role in the root, that you cannot change it to a local role, because only common roles are permitted in the root.

Example 4-15 shows how to alter the clerk role to specify that the user must have been authorized by an external source before enabling the role.

Example 4-15 Altering a Role to be Authorized by an External Source

ALTER ROLE clerk IDENTIFIED EXTERNALLY;

To alter the authorization method for a role, you must have the ALTER ANY ROLE system privilege or have been granted the role with ADMIN option.

Specifying the Type of Role Authorization

This section contains:

See Also:

"When Do Grants and Revokes Take Effect?" for a discussion about enabling roles

Authorizing a Role by Using the Database

You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.

Example 4-16 shows how to set a password-authenticated role by using the SET ROLE statement.

Example 4-16 Using SET ROLE for a Password-Authenticated Role

SET ROLE clerk IDENTIFIED BY password;

Example 4-12, "Creating a User Role Authorized by a Password" shows a CREATE ROLE statement that creates a role called clerk. When it is enabled, the password must be supplied.

Note:

In a database that uses a multibyte character set, passwords for roles must include only single-byte characters. Multibyte characters are not accepted in passwords. See Guideline 1 in "Guidelines for Securing Passwords" for password guidelines.

Authorizing a Role by Using an Application

An application role (secure application role) can be enabled only by applications using an authorized PL/SQL package. Application developers do not need to secure a role by embedding passwords inside applications. Instead, they can create an application role and specify which PL/SQL package is authorized to enable the role.

To create a role enabled by an authorized PL/SQL package, use the IDENTIFIED USING package_name clause in the CREATE ROLE SQL statement.

Example 4-17 indicates that the role admin_role is an application role and the role can only be enabled by any module defined inside the PL/SQL package hr.admin.

Example 4-17 Creating a Role Authorized by a PL/SQL Package for an Application

CREATE ROLE admin_role IDENTIFIED USING hr.admin;

See the following for more information about secure application roles:

Authorizing a Role by Using an External Source

You can define the external role locally in the database, but you cannot grant the external role to global users, to global roles, or to any other roles in the database. You can create roles that are authorized by the operating system or network clients.

Example 4-18 creates a role named accts_rec and requires that the user is authorized by an external source before it can be enabled:

Example 4-18 Creating a Role Authorized by an External Source

CREATE ROLE accts_rec IDENTIFIED EXTERNALLY;

Authorizing a Role by Using the Operating System

Role authentication through the operating system is useful only when the operating system is able to dynamically link operating system privileges with applications. When a user starts an application, the operating system grants an operating system privilege to the user. The granted operating system privilege corresponds to the role associated with the application. At this point, the application can enable the application role. When the application is terminated, the previously granted operating system privilege is revoked from the operating system account of the user.

If a role is authorized by the operating system, then you must configure information for each user at the operating system level. This operation is operating system dependent.

If roles are granted by the operating system, then you do not need to have the operating system authorize them also.

See Also:

"Granting Roles Using the Operating System or Network" for more information about roles granted by the operating system

Authorizing a Role by Using a Network Client

If users connect to the database over Oracle Net, then by default, the operating system cannot authenticate their roles. This includes connections through a shared server configuration, as this connection requires Oracle Net. This restriction is the default because a remote user could impersonate another operating system user over a network connection. Oracle recommends that you set REMOTE_OS_ROLES to FALSE, which is the default.

If you are not concerned with this security risk and want to use operating system role authentication for network clients, then set the initialization parameter REMOTE_OS_ROLES in the database initialization parameter file to TRUE. The change will take effect the next time you start the instance and mount the database.

Global Role Authorization by an Enterprise Directory Service

A role can be defined as a global role, where a (global) user can only be authorized to use the role by an enterprise directory service. You define the global role locally in the database by granting privileges and roles to it, but you cannot grant the global role itself to any user or other role in the database. When a global user attempts to connect to the database, the enterprise directory is queried to obtain any global roles associated with the user.

Example 4-19 creates a global role.

Example 4-19 Creating a Global Role

CREATE ROLE supervisor IDENTIFIED GLOBALLY;

Global roles are one component of enterprise user security. A global role only applies to one database, but you can grant it to an enterprise role defined in the enterprise directory. An enterprise role is a directory structure that contains global roles on multiple databases and can be granted to enterprise users.

See "Configuring Global User Authentication and Authorization" for a general discussion of global authentication and authorization of users, and its role in enterprise user management.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for information about implementing enterprise user management

Granting and Revoking Roles

This section contains:

About Granting and Revoking Roles

You can grant system or object privileges to a role, and any role can be granted to any database user or to another role (but not to itself). However, a role cannot be granted circularly, that is, role X cannot be granted to role Y if role Y has previously been granted to role X.

To provide selective availability of privileges, Oracle Database permits applications and users to enable and disable roles. Each role granted to a user is, at any given time, either enabled or disabled. The security domain of a user includes the privileges of all roles currently enabled for the user and excludes the privileges of any roles currently disabled for the user.

A role granted to a role is called an indirectly granted role. You can explicitly enable or disable it for a user. However, whenever you enable a role that contains other roles, you implicitly enable all indirectly granted roles of the directly granted role.

You grant roles by using the GRANT statement, and revoke them by using the REVOKE statement. Privileges are granted to and revoked from roles using the same statements.

You cannot grant a secure role (that is, an IDENTIFIED BY role, IDENTIFIED USING role, or IDENTIFIED EXTERNALLY role) to either another secure role or to a non-secure role. You can use the SET ROLE statement to enable the secure role for the session.

Who Can Grant or Revoke Roles?

Any user with the GRANT ANY ROLE system privilege can grant or revoke any role except a global role to or from other users or roles of the database. (A global role is managed in a directory, such as Oracle Internet Directory, but its privileges are contained within a single database.) By default, the SYS or SYSTEM user has this privilege. You should grant this system privilege conservatively because it is very powerful.

Any user granted a role with the ADMIN OPTION can grant or revoke that role to or from other users or roles of the database. This option allows administrative powers for roles to be granted on a selective basis.

See Also:

Oracle Database Enterprise User Security Administrator's Guide for information about global roles

Granting and Revoking Roles to Program Units

You can grant roles to the function, procedure, and PL/SQL package program units. The role then becomes enabled during the execution of the program unit (but not during the compilation of the program unit). This enables you to temporarily escalate privileges in the PL/SQL code without granting the role directly to the user. It also increases security for applications and helps to enforce the principle of least privilege.

Example 4-20 shows how to grant the role clerk_admin to the procedure psmith.check_stats_proc.

Example 4-20 Granting a Role to a Program Unit

GRANT clerk_admin TO procedure psmith.checkstats_proc;

The following example shows how to grant the same role to the PL/SQL package checkstats_pkg:

GRANT clerk_admin TO package psmith.checkstats_pkg;

This example shows how to revoke the clerk_admin role from the PL/SQL package checkstats_pkg:

REVOKE clerk_admin FROM package psmith.checkstats_pkg;

Dropping Roles

When you drop a role, the security domains of all users and roles granted a dropped role are immediately changed to reflect the absence of the dropped role privileges. All indirectly granted roles of the dropped role are also removed from affected security domains. Dropping a role automatically removes the role from all user default role lists.

Because the existence of objects is not dependent on the privileges received through a role, tables and other objects are not dropped when a role is dropped.

You can drop a role using the SQL statement DROP ROLE. To drop a role, you must have the DROP ANY ROLE system privilege or have been granted the role with the ADMIN option.

The following statement drops the role CLERK:

DROP ROLE clerk;

Restricting SQL*Plus Users from Using Database Roles

This section contains:

Potential Security Problems of Using Ad Hoc Tools

Prebuilt database applications explicitly control the potential actions of a user, including the enabling and disabling of user roles while using the application. By contrast, ad hoc query tools such as SQL*Plus, permit a user to submit any SQL statement (which may or may not succeed), including enabling and disabling a granted role.

Potentially, an application user can exercise the privileges attached to that application to issue destructive SQL statements against database tables by using an ad hoc tool.

For example, consider the following scenario:

  • The Vacation application has a corresponding vacation role.

  • The vacation role includes the privileges to issue SELECT, INSERT, UPDATE, and DELETE statements against the emp_tab table.

  • The Vacation application controls the use of privileges obtained through the vacation role.

Now, consider a user who has been granted the vacation role. Suppose that, instead of using the Vacation application, the user executes SQL*Plus. At this point, the user is restricted only by the privileges granted to him explicitly or through roles, including the vacation role. Because SQL*Plus is an ad hoc query tool, the user is not restricted to a set of predefined actions, as with designed database applications. The user can query or modify data in the emp_tab table as he or she chooses.

How the PRODUCT_USER_PROFILE System Table Can Limit Roles

You can use the PRODUCT_USER_PROFILE table, which is in the SYSTEM schema, to disable certain SQL and SQL*Plus commands in the SQL*Plus environment for each user. SQL*Plus, not the Oracle Database, enforces this security. You can even restrict access to the GRANT, REVOKE, and SET ROLE commands to control user ability to change their database privileges.

The PRODUCT_USER_PROFILE table enables you to list roles that you do not want users to activate with an application. You can also explicitly disable the use of various commands, such as SET ROLE.

For example, you could create an entry in the PRODUCT_USER_PROFILE table to:

  • Disallow the use of the clerk and manager roles with SQL*Plus

  • Disallow the use of SET ROLE with SQL*Plus

Suppose user Marla connects to the database using SQL*Plus. Marla has the clerk, manager, and analyst roles. As a result of the preceding entry in PRODUCT_USER_PROFILE, Marla is only able to exercise her analyst role with SQL*Plus. Also, when Ginny attempts to issue a SET ROLE statement, she is explicitly prevented from doing so because of the entry in the PRODUCT_USER_PROFILE table prohibiting use of SET ROLE.

Be aware that the PRODUCT_USER_PROFILE table does not completely guarantee security, for multiple reasons. In the preceding example, while SET ROLE is disallowed with SQL*Plus, if Marla had other privileges granted to her directly, then she could exercise these using SQL*Plus.

See Also:

SQL*Plus User's Guide and Reference for more information about the PRODUCT_USER_PROFILE table

How Stored Procedures Can Encapsulate Business Logic

Stored procedures encapsulate the use of privileges with business logic so that privileges are only exercised in the context of a well-formed business transaction. For example, an application developer can create a procedure to update the employee name and address in the employees table, which enforces that the data can only be updated in normal business hours. Also, rather than grant a human resources clerk the UPDATE privilege on the employees table, a security administrator may grant the privilege on the procedure only. Then, the human resources clerk can exercise the privilege only in the context of the procedures, and cannot update the employees table directly.

Securing Role Privileges by Using Secure Application Roles

A secure application role is a role that can be enabled only by an authorized PL/SQL package (or procedure). The PL/SQL package itself reflects the security policies needed to control access to the application.

This method of role creation restricts the enabling of this type of role to the invoking application. For example, the application can perform authentication and customized authorization, such as checking whether the user has connected through a proxy.

This type of role strengthens security because passwords are not embedded in application source code or stored in a table. This way, the actions the database performs are based on the implementation of your security policies, and these definitions are stored in one place, the database, rather than in your applications. If you need to modify the policy, you do so in one place without having to modify your applications. No matter how users connect to the database, the result is always the same, because the policy is bound to the role.

To enable the secure application role, you must execute its underlying package by invoking it directly from the application when the user logs in, before the user exercises the privileges granted by the secure application role. You cannot use a logon trigger to enable a secure application role, nor can you have this type of role be a default role.

When you enable the secure application role, Oracle Database verifies that the authorized PL/SQL package is on the calling stack, that is, it verifies that the authorized PL/SQL package is issuing the command to enable the role.

You can use secure application roles to ensure the existence of a database connection. Because a secure application role is a role implemented by a package, the package can validate that users can connect to the database through a middle tier or from a specific IP address. In this way, the secure application role prevents users from accessing data outside an application. They are forced to work within the framework of the application privileges that they have been granted.

Managing Object Privileges

This section contains:

About Object Privileges

An object privilege grants permission to perform a particular action on a specific schema object.

Different object privileges are available for different types of schema objects. The privilege to delete rows from the departments table is an example of an object privilege.

Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.

Some examples of object privileges include the right to:

  • Use an edition

  • Update a table

  • Select rows from another user's table

  • Execute a stored procedure of another user

See Also:

Oracle Database SQL Language Reference for a list of object privileges and the operations they authorize

Who Can Grant Object Privileges?

A user automatically has all object privileges for schema objects contained in his or her schema. A user with the GRANT ANY OBJECT PRIVILEGE system privilege can grant any specified object privilege to another user with or without the WITH GRANT OPTION clause of the GRANT statement. A user with the GRANT ANY OBJECT PRIVILEGE privilege can also use that privilege to revoke any object privilege that was granted either by the object owner or by some other user with the GRANT ANY OBJECT PRIVILEGE privilege.

If the grantee does not have the GRANT ANY OBJECT PRIVILEGE privilege or had been granted the privilege without the WITH GRANT OPTION clause of the GRANT statement, then this user cannot grant the privilege to other users.

The WITH GRANT OPTION can be used only with object privilege grants to users. It cannot be used for object privilege grants to roles.

See Also:

Oracle Database SQL Language Reference for information about GRANT and GRANT ANY OBJECT PRIVILEGE

Granting and Revoking Object Privileges

This section contains:

About Granting and Revoking Object Privileges

Object privileges can be granted to and revoked from users and roles. If you grant object privileges to roles, then you can make the privileges selectively available.

To grant object privileges, use the GRANT statement; to revoke object privileges, use the REVOKE statement.

How the ALL Clause Grants or Revokes All Available Object Privileges

Each type of object has different privileges associated with it.

You can specify ALL [PRIVILEGES] to grant or revoke all available object privileges for an object. ALL is not a privilege. Rather, it is a shortcut, or a way of granting or revoking all object privileges with one GRANT and REVOKE statement. If all object privileges are granted using the ALL shortcut, then individual privileges can still be revoked.

Similarly, you can revoke all individually granted privileges by specifying ALL. However, if you REVOKE ALL, and revoking causes integrity constraints to be deleted (because they depend on a REFERENCES privilege that you are revoking), then you must include the CASCADE CONSTRAINTS option in the REVOKE statement.

Example 4-21 revokes all privileges on the orders table in the HR schema using CASCADE CONSTRAINTS.

Example 4-21 Revoking All Object Privileges Using CASCADE CONSTRAINTS

REVOKE ALL 
 ON ORDERS FROM HR
 CASCADE CONSTRAINTS;

Managing READ and SELECT Object Privileges

This section contains:

About Managing READ and SELECT Object Privileges

You can grant users either the READ or the SELECT object privilege, depending on the level of access that you want to allow the user.

  • If you want the user only to be able to query tables, views, materialized views, or synonyms, then grant the READ object privilege. For example:

    GRANT READ ON HR.EMPLOYEES TO psmith;
    
  • If you want the user to be able to perform the following actions in addition to performing the query, then grant the user the SELECT object privilege:

    • LOCK TABLE table_name IN EXCLUSIVE MODE;

    • SELECT ... FROM table_name FOR UPDATE;

    For example:

    GRANT SELECT ON HR.EMPLOYEES TO psmith;
    

In either case, user psmith would use a SELECT statement to perform query.

Enabling Users to Use the READ Object Privilege for Any Table in the Database

To enable user psmith to use the READ object privilege when they want to query any table in the database, you can grant him the READ ANY TABLE system privilege:

GRANT READ ANY TABLE TO psmith;

As with the READ object privilege, the READ ANY TABLE system privilege does not enable users to lock tables in exclusive mode nor select tables for update operations. Conversely, the SELECT ANY TABLE system privilege enables users to lock the rows of a table, or lock the entire table, through a SELECT ... FOR UPDATE statement, in addition to querying any table.

Restrictions on the READ and READ ANY TABLE Privileges

Note the following restrictions on the READ and READ ANY TABLE privileges:

  • The READ object privilege has no effect on the requirements of the SQL92_SECURITY standard. If the SQL92_SECURITY initialization parameter has been set to TRUE, then its requirement that users must be granted the SELECT object privilege in addition to UPDATE or DELETE in order to execute the UPDATE or DELETE statements is not relaxed to require that READ is sufficient instead of SELECT.

  • If Oracle Database Vault is enabled, remember that the SQL92_SECURITY initialization parameter is automatically set to TRUE. Hence, UPDATE and DELETE statements will fail if the user has only been granted the READ object privilege or the READ ANY TABLE system privilege. In this case, you must grant the user the SELECT object privilege or, if the user is a trusted user, the SELECT ANY TABLE system privilege.

Using Object Privileges with Synonyms

You can use the CREATE SYNONYM statement to create synonyms for tables, views, sequences, operators, procedures, stored functions, packages, materialized views, Java class schema objects, user-defined object types, or other synonyms. If you grant users the privilege to use the synonym, then the object privileges granted on the underlying objects apply whether the user references the base object by name or by using the synonym.

For example, suppose user OE creates the following synonym for the CUSTOMERS table:

CREATE SYNONYM customer_syn FOR CUSTOMERS;

Then OE grants the READ privilege on the customer_syn synonym to user HR.

GRANT READ ON customer_syn TO HR;

User HR then tries either of the following queries:

SELECT COUNT(*) FROM OE.customer_syn;

SELECT COUNT(*) FROM OE.CUSTOMERS;

Both queries will yield the same result:

  COUNT(*)
----------
       319

Be aware that when you grant the synonym to another user, the grant applies to the underlying object that the synonym represents, not to the synonym itself. For example, if user HR queries the ALL_TAB_PRIVS data dictionary view for his privileges, he will learn the following:

SELECT TABLE_SCHEMA, TABLE_NAME, PRIVILEGE 
FROM ALL_TAB_PRIVS 
WHERE TABLE_SCHEMA = 'OE';

TABLE_SCHEMA  TABLE_NAME  PRIVILEGE
------------  ----------  ------------------
OE            CUSTOMER    READ
OE            OE          INHERIT PRIVILEGES

The results show that in addition to other privileges, he has the READ privilege for the underlying object of the customer_syn synonym, which is the OE.CUSTOMER table.

At this point, if user OE then revokes the READ privilege on the customer_syn synonym from HR, here are the results if HR checks his privileges again:

TABLE_SCHEMA  TABLE_NAME  PRIVILEGE
------------  ----------  ------------------
OE            OE          INHERIT PRIVILEGES

User HR no longer has the READ privilege for the OE.CUSTOMER table. If he tries to query the OE.CUSTOMERS table, then the following error appears:

SELECT COUNT(*) FROM OE.CUSTOMERS;

ERROR at line 1:
ORA-00942: table or view does not exist

Managing Table Privileges

This section contains:

About Managing Table Privileges

Object privileges for tables enable table security at the DML (data manipulation language) or DDL (data definition language) level of operation.

How Table Privileges Affect Data Manipulation Language Operations

You can grant privileges to use the DELETE, INSERT, SELECT, and UPDATE DML operations on a table or view. Grant these privileges only to users and roles that need to query or manipulate data in a table.

You can restrict INSERT and UPDATE privileges for a table to specific columns of the table. With a selective INSERT privilege, a privileged user can insert a row with values for the selected columns. All other columns receive NULL or the default value of the column. With a selective UPDATE privilege, a user can update only specific column values of a row. You can use selective INSERT and UPDATE privileges to restrict user access to sensitive data.

For example, if you do not want data entry users to alter the salary column of the employees table, then selective INSERT or UPDATE privileges can be granted that exclude the salary column. Alternatively, a view that excludes the salary column could satisfy this need for additional security.

See Also:

Oracle Database SQL Language Reference for more information about DML operations

How Table Privileges Affect Data Definition Language Operations

The ALTER, INDEX, and REFERENCES privileges allow DDL operations to be performed on a table. Because these privileges allow other users to alter or create dependencies on a table, you should grant these privileges conservatively.

A user attempting to perform a DDL operation on a table may need additional system or object privileges. For example, to create a trigger on a table, the user requires both the ALTER TABLE object privilege for the table and the CREATE TRIGGER system privilege.

As with the INSERT and UPDATE privileges, you can grant the REFERENCES privilege on specific columns of a table. The REFERENCES privilege enables the grantee to use the table on which the grant is made as a parent key to any foreign keys that the grantee wishes to create in his or her own tables. This action is controlled with a special privilege because the presence of foreign keys restricts the data manipulation and table alterations that can be done to the parent key. A column-specific REFERENCES privilege restricts the grantee to using the named columns (which, of course, must include at least one primary or unique key of the parent table).

See Also:

"Data Integrity" in Oracle Database Concepts for more information about primary keys, unique keys, and integrity constraints

Managing View Privileges

This section contains:

About View Privileges

A view is a presentation of data selected from one or more tables, possibly including other views. A view shows the structure of the underlying tables. Its selected data can be thought of as the result of a stored query. A view contains no actual data but rather derives what it shows from the tables and views on which it is based. You can query a view, and change the data it represents. Data in a view can be updated or deleted, and new data inserted. These operations directly alter the tables on which the view is based, and are subject to the integrity constraints and triggers of the base tables.

You can apply DML object privileges to views, similar to tables. Object privileges for a view allow various DML operations, which as noted affect the base tables from which the view is derived.

Privileges Required to Create Views

To create a view, you must meet the following requirements:

  • You must have been granted one of the following system privileges, either explicitly or through a role:

    • The CREATE VIEW system privilege (to create a view in your schema)

    • The CREATE ANY VIEW system privilege (to create a view in the schema of another user)

  • You must have been explicitly granted one of the following privileges:

    • The SELECT, INSERT, UPDATE, or DELETE object privileges on all base objects underlying the view

    • The SELECT ANY TABLE, INSERT ANY TABLE, UPDATE ANY TABLE, or DELETE ANY TABLE system privileges

  • In addition, before you can grant other users access to you view, you must have object privileges to the base objects with the GRANT OPTION clause or appropriate system privileges with the ADMIN OPTION clause. If you do not have these privileges, then you cannot to grant other users access to your view. If you try, an ORA-01720: grant option does not exist for object_name error is raised, with object_name referring to the view's underlying object for which you do not have the sufficient privilege.

Increasing Table Security with Views

To use a view, the user must have the appropriate privileges but only for the view itself, not its underlying objects. However, if access privileges for the underlying objects of the view are removed, then the user no longer has access. This behavior occurs because the security domain that is used when a user queries the view is that of the definer of the view. If the privileges on the underlying objects are revoked from the view's definer, then the view becomes invalid, and no one can use the view. Therefore, even if a user has been granted access to the view, the user may not be able to use the view if the definer's rights have been revoked from the view's underlying objects.

For example, suppose User A creates a view. User A has definer's rights on the underlying objects of the view. User A then grants the SELECT privilege on that view to User B so that User B can query the view. But if User A no longer has access to the underlying objects of that view, then User B no longer has access either.

Views add two more levels of security for tables, column-level security and value-based security, as follows:

  • A view can provide access to selected columns of base tables. For example, you can define a view on the employees table to show only the employee_id, last_name, and manager_id columns:

    CREATE VIEW employees_manager AS 
        SELECT last_name, employee_id, manager_id FROM employees; 
    
  • A view can provide value-based security for the information in a table. A WHERE clause in the definition of a view displays only selected rows of base tables. Consider the following two examples:

    CREATE VIEW lowsal AS 
        SELECT * FROM employees 
        WHERE salary < 10000; 
    

    The lowsal view allows access to all rows of the employees table that have a salary value less than 10000. Notice that all columns of the employees table are accessible in the lowsal view.

    CREATE VIEW own_salary AS 
        SELECT last_name, salary 
        FROM employees 
        WHERE last_name = USER; 
    

    In the own_salary view, only the rows with an last_name that matches the current user of the view are accessible. The own_salary view uses the user pseudo column, whose values always refer to the current user. This view combines both column-level security and value-based security.

Managing Procedure Privileges

This section contains:

Using the EXECUTE Privilege for Procedure Privileges

The EXECUTE privilege is the only object privilege for procedures, including standalone procedures and functions, and for those within packages. Grant this privilege only to users who need to run a procedure or to compile another procedure that calls a desired procedure.

Procedure Execution and Security Domains

A user with the EXECUTE object privilege for a specific procedure can execute the procedure or compile a program unit that references the procedure. Oracle Database performs a run-time privilege check when any PL/SQL unit is called. A user with the EXECUTE ANY PROCEDURE system privilege can execute any procedure in the database. Privileges to run procedures can be granted to a user through roles.

See Also:

System Privileges Required to Create or Replace a Procedure

To create or replace a procedure in your own schema, you must have the CREATE PROCEDURE system privilege. To create or replace a procedure in another user's schema, you must have the CREATE ANY PROCEDURE system privilege.

The user who owns the procedure also must have privileges for schema objects referenced in the procedure body. To create a procedure, you need to have been explicitly granted the necessary privileges (system or object) on all objects referenced by the procedure. You cannot obtain the required privileges through roles. This includes the EXECUTE privilege for any procedures that are called inside the procedure being created.

Note:

Triggers require that privileges on referenced objects be granted directly to the owner of the trigger. Anonymous PL/SQL blocks can use any privilege, whether the privilege is granted explicitly or through a role.

System Privileges Required to Compile a Procedure

To compile a standalone procedure, run the ALTER PROCEDURE statement with the COMPILE clause. To compile a procedure that is part of a package, run the ALTER PACKAGE statement.

Example 4-22 shows how to compile a standalone procedure.

Example 4-22 Compiling a Procedure

ALTER PROCEDURE psmith.remove_emp COMPILE;

If the standalone or packaged procedure is in another user's schema, you must have the ALTER ANY PROCEDURE privilege to recompile it. You can recompile procedures in your own schema without any privileges.

How Procedure Privileges Affect Packages and Package Objects

This section contains:

About the Effect of Procedure Privileges on Packages and Package Objects

A user with the EXECUTE object privilege for a package can execute any public procedure or function in the package, and can access or modify the value of any public package variable. You cannot grant specific EXECUTE privileges for individual constructs in a package. Therefore, you may find it useful to consider two alternatives for establishing security when developing procedures, functions, and packages for a database application. The following examples describe these alternatives.

Procedure Privileges and Packages and Package Objects: Example 1

Example 4-23 shows four procedures created in the bodies of two packages.

Example 4-23 Package Objects Affected by Procedure Privileges

CREATE PACKAGE BODY hire_fire AS 
  PROCEDURE hire(...) IS 
    BEGIN 
      INSERT INTO employees . . . 
    END hire; 
  PROCEDURE fire(...) IS 
    BEGIN 
      DELETE FROM employees . . . 
    END fire; 
END hire_fire; 

CREATE PACKAGE BODY raise_bonus AS 
  PROCEDURE give_raise(...) IS 
    BEGIN 
      UPDATE employees SET salary = . . . 
    END give_raise; 
  PROCEDURE give_bonus(...) IS 
    BEGIN 
      UPDATE employees SET bonus = . . . 
    END give_bonus; 
END raise_bonus; 

The following GRANT EXECUTE statements enable the big_bosses and little_bosses roles to run the appropriate procedures:

GRANT EXECUTE ON hire_fire TO big_bosses; 
GRANT EXECUTE ON raise_bonus TO little_bosses; 

Note:

Granting EXECUTE privilege for a package provides uniform access to all package objects.

Procedure Privileges and Packages and Package Objects: Example 2

This example shows four procedure definitions within the body of a single package. Two additional standalone procedures and a package are created specifically to provide access to the procedures defined in the main package.

CREATE PACKAGE BODY employee_changes AS 
  PROCEDURE change_salary(...) IS BEGIN ... END; 
  PROCEDURE change_bonus(...) IS BEGIN ... END; 
  PROCEDURE insert_employee(...) IS BEGIN ... END; 
  PROCEDURE delete_employee(...) IS BEGIN ... END; 
END employee_changes; 
 
CREATE PROCEDURE hire 
  BEGIN 
    employee_changes.insert_employee(...) 
  END hire; 
 
CREATE PROCEDURE fire 
  BEGIN 
    employee_changes.delete_employee(...) 
  END fire; 
 
PACKAGE raise_bonus IS 
  PROCEDURE give_raise(...) AS 
    BEGIN 
      employee_changes.change_salary(...) 
    END give_raise; 
 
  PROCEDURE give_bonus(...) 
    BEGIN 
      employee_changes.change_bonus(...) 
    END give_bonus; 

Using this method, the procedures that actually do the work (the procedures in the employee_changes package) are defined in a single package and can share declared global variables, cursors, on so on. By declaring top-level procedures, hire and fire, and an additional package, raise_bonus, you can grant selective EXECUTE privileges on procedures in the main package:

GRANT EXECUTE ON hire, fire TO big_bosses; 
GRANT EXECUTE ON raise_bonus TO little_bosses; 

Managing Type Privileges

The following sections describe the use of privileges for types, methods, and objects:

System Privileges for Named Types

Table 4-4 lists system privileges for named types (object types, VARRAYs, and nested tables).

Table 4-4 System Privileges for Named Types

Privilege Enables you to ...

CREATE TYPE

Create named types in your own schemas

CREATE ANY TYPE

Create a named type in any schema

ALTER ANY TYPE

Alter a named type in any schema

DROP ANY TYPE

Drop a named type in any schema

EXECUTE ANY TYPE

Use and reference a named type in any schema


The RESOURCE role includes the CREATE TYPE system privilege. The DBA role includes all of these privileges.

Object Privileges for Named Types

The only object privilege that applies to named types is EXECUTE. If the EXECUTE privilege exists on a named type, then a user can use the named type to:

  • Define a table

  • Define a column in a relational table

  • Declare a variable or parameter of the named type

The EXECUTE privilege permits a user to invoke the methods in the type, including the type constructor. This is similar to the EXECUTE privilege on a stored PL/SQL procedure.

Method Execution Model for Named Types

The method execution for named types is the same as any other stored PL/SQL procedure.

Privileges Required to Create Types and Tables Using Types

To create a type, you must meet the following requirements:

  • You must have the CREATE TYPE system privilege to create a type in your schema or the CREATE ANY TYPE system privilege to create a type in the schema of another user. These privileges can be acquired explicitly or through a role.

  • The owner of the type must be explicitly granted the EXECUTE object privileges to access all other types referenced within the definition of the type, or have been granted the EXECUTE ANY TYPE system privilege. The owner cannot obtain the required privileges through roles.

  • If the type owner intends to grant access to the type to other users, then the owner must receive the EXECUTE privileges to the referenced types with the GRANT OPTION or the EXECUTE ANY TYPE system privilege with the ADMIN OPTION. If not, then the type owner has insufficient privileges to grant access on the type to other users.

To create a table using types, you must meet the requirements for creating a table and the following additional requirements:

  • The owner of the table must have been directly granted the EXECUTE object privilege to access all types referenced by the table, or has been granted the EXECUTE ANY TYPE system privilege. The owner cannot exercise the required privileges if these privileges were granted through roles.

  • If the table owner intends to grant access to the table to other users, then the owner must have the EXECUTE privilege to the referenced types with the GRANT OPTION or the EXECUTE ANY TYPE system privilege with the ADMIN OPTION. If not, then the table owner has insufficient privileges to grant access on the table.

See Also:

"Managing Table Privileges" for the requirements for creating a table

Example of Privileges for Creating Types and Tables Using Types

Assume that three users exist with the CONNECT and RESOURCE roles:

  • user1

  • user2

  • user3

The following DDL is run in the schema of user1:

CREATE TYPE type1 AS OBJECT (
  attr1 NUMBER);

CREATE TYPE type2 AS OBJECT (
  attr2 NUMBER);

GRANT EXECUTE ON type1 TO user2;
GRANT EXECUTE ON type2 TO user2 WITH GRANT OPTION;

The following DDL is performed in the schema of user2:

CREATE TABLE tab1 OF user1.type1;
CREATE TYPE type3 AS OBJECT (
  attr3 user1.type2);
CREATE TABLE tab2 (
  col1 user1.type2);

The following statements succeed because user2 has EXECUTE privilege on user1.type2 with the GRANT OPTION:

GRANT EXECUTE ON type3 TO user3;
GRANT SELECT ON tab2 TO user3;

However, the following grant fails because user2 does not have EXECUTE privilege on user1.type1 with the GRANT OPTION:

GRANT SELECT ON tab1 TO user3;

The following statements can be successfully run by user3:

CREATE TYPE type4 AS OBJECT (
  attr4 user2.type3);
CREATE TABLE tab3 OF type4;

Note:

The CONNECT role presently retains only the CREATE SESSION privilege.

Privileges on Type Access and Object Access

Existing column-level and table-level privileges for DML statements apply to both column objects and row objects.

Table 4-5 lists the privileges for object tables.

Table 4-5 Privileges for Object Tables

Privilege Enables you to...

SELECT

Access an object and its attributes from the table

UPDATE

Modify the attributes of the objects that make up the rows in the table

INSERT

Create new objects in the table

DELETE

Delete rows


Similar table privileges and column privileges apply to column objects. Retrieving instances does not in itself reveal type information. However, clients must access named type information to interpret the type instance images. When a client requests type information, Oracle Database checks for the EXECUTE privilege on the type.

Consider the following schema:

CREATE TYPE emp_type (
    eno NUMBER, ename CHAR(31), eaddr addr_t);
CREATE TABLE emp OF emp_t;

In addition, consider the following two queries:

SELECT VALUE(emp) FROM emp;
SELECT eno, ename FROM emp;

For either query, Oracle Database checks the SELECT privilege of the user for the emp table. For the first query, the user must obtain the emp_type type information to interpret the data. When the query accesses the emp_type type, Oracle Database checks the EXECUTE privilege of the user.

The second query, however, does not involve named types, so Oracle Database does not check type privileges.

In addition, by using the schema from the previous section, user3 can perform the following queries:

SELECT tab1.col1.attr2 FROM user2.tab1 tab1;
SELECT attr4.attr3.attr2 FROM tab3;

Note that in both SELECT statements, user3 does not have explicit privileges on the underlying types, but the statement succeeds because the type and table owners have the necessary privileges with the GRANT OPTION.

Oracle Database checks privileges on the following events, and returns an error if the client does not have the privilege for the action:

  • Pinning an object in the object cache using its REF value causes Oracle Database to check for the SELECT privilege on the containing object table.

  • Modifying an existing object or flushing an object from the object cache causes Oracle Database to check for the UPDATE privilege on the destination object table.

  • Flushing a new object causes Oracle Database to check for the INSERT privilege on the destination object table.

  • Deleting an object causes Oracle Database to check for the DELETE privilege on the destination table.

  • Pinning an object of a named type causes Oracle Database to check EXECUTE privilege on the object.

Modifying the attributes of an object in a client third-generation language application causes Oracle Database to update the entire object. Therefore, the user needs the UPDATE privilege on the object table. Having the UPDATE privilege on only certain columns of the object table is not sufficient, even if the application only modifies attributes corresponding to those columns. Therefore, Oracle Database does not support column-level privileges for object tables.

Type Dependencies

As with stored objects, such as procedures and tables, types being referenced by other objects are called dependencies. There are some special issues for types on which tables depend. Because a table contains data that relies on the type definition for access, any change to the type causes all stored data to become inaccessible. Changes that can cause this are when necessary privileges required to use the type are revoked, or the type or dependent types are dropped. If these actions occur, then the table becomes invalid and cannot be accessed.

A table that is invalid because of missing privileges can automatically become valid and accessible if the required privileges are granted again. A table that is invalid because a dependent type was dropped can never be accessed again, and the only permissible action is to drop the table.

Because of the severe effects that revoking a privilege on a type or dropping a type can cause, the SQL statements REVOKE and DROP TYPE, by default, implement restricted semantics. This means that if the named type in either statement has table or type dependents, then an error is received and the statement cancels. However, if the FORCE clause for either statement is used, then the statement always succeeds. If there are depended-upon tables, then they are invalidated.

See Also:

Oracle Database Reference for details about using the REVOKE, DROP TYPE, and FORCE clauses

Granting User Privileges and Roles

This section contains:

See Also:

"Using a Middle Tier Server for Proxy Authentication" for information about graining roles to users who are connected through a middle tier or proxy

Granting System Privileges and Roles to Users and Roles

You can use the GRANT SQL statement to grant system privileges and roles to users and roles. The following privileges are required:

  • To grant a system privilege, a user must be granted the system privilege with the ADMIN option or must be granted the GRANT ANY PRIVILEGE system privilege.

  • To grant a role, a user must be granted the role with the ADMIN option or was granted the GRANT ANY ROLE system privilege.

Example 4-24 grants the system privilege CREATE SESSION and the accts_pay role to the user jward.

Example 4-24 Granting a System Privilege and a Role to a User

GRANT CREATE SESSION, accts_pay TO jward;

Example 4-24 grants the EXECUTE privilege on the exec_dir directory object to the user jward.

Example 4-25 Granting the EXECUTE Privilege on a Directory Object

GRANT EXECUTE ON DIRECTORY exec_dir TO jward;

Note:

Object privileges cannot be granted along with system privileges and roles in the same GRANT statement.

Granting the ADMIN Option

If you specify the WITH ADMIN OPTION clause when you grant a privilege or role to a user or role, then the privilege grant has the following expanded capabilities:

  • The grantee can grant or revoke the system privilege or role to or from any other user or role in the database. Users cannot revoke a role from themselves.

  • The grantee can grant the system privilege or role with the ADMIN option.

  • The grantee of a role can alter or drop the role.

Example 4-26 grants the new_dba role with the WITH ADMIN OPTION clause to user michael.

Example 4-26 Granting the ADMIN Option

GRANT new_dba TO michael WITH ADMIN OPTION;

User michael is able to not only use all of the privileges implicit in the new_dba role, but he can also grant, revoke, and drop the new_dba role as deemed necessary. Because of these powerful capabilities, use caution when granting system privileges or roles with the ADMIN option. These privileges are usually reserved for a security administrator, and are rarely granted to other administrators or users of the system.

Note:

When a user creates a role, the role is automatically granted to the creator with the ADMIN option.

Creating a New User with the GRANT Statement

Oracle Database enables you to create a new user with the GRANT statement. If you specify a password using the IDENTIFIED BY clause, and the user name does not exist in the database, then a new user with that user name and password is created.

Example 4-27 creates psmith as a new user while granting psmith the CREATE SESSION system privilege.

Example 4-27 Creating a New User with the GRANT Statement

GRANT CREATE SESSION TO psmith IDENTIFIED BY password;

Granting Object Privileges to Users and Roles

This section contains:

About Granting Object Privileges to Users and Roles

You can use the GRANT statement to grant object privileges to roles and users. To grant an object privilege, you must fulfill one of the following conditions:

  • You own the object specified.

  • You have been granted the GRANT ANY OBJECT PRIVILEGE system privilege. This privilege enables you to grant and revoke privileges on behalf of the object owner.

  • The WITH GRANT OPTION clause was specified when you were granted the object privilege.

    Note:

    System privileges and roles cannot be granted along with object privileges in the same GRANT statement.

Example 4-28 grants the READ, INSERT, and DELETE object privileges for all columns of the emp table to the users jfee and tsmith.

Example 4-28 Granting Object Privileges to Users

GRANT READ, INSERT, DELETE ON emp TO jfee, tsmith;

To grant all object privileges on the salary view to user jfee, use the ALL keyword as shown in the following example:

GRANT ALL ON salary TO jfee;

Note:

A grantee cannot regrant access to objects unless the original grant included the GRANT OPTION. Thus in the example just given, jfee cannot use the GRANT statement to grant object privileges to anyone else.

How the WITH GRANT OPTION Clause Works

Specify the WITH GRANT OPTION clause with the GRANT statement to enable the grantee to grant the object privileges to other users. The user whose schema contains an object is automatically granted all associated object privileges with the WITH GRANT OPTION clause. This special privilege allows the grantee several expanded privileges:

  • The grantee can grant the object privilege to any user in the database, with or without the GRANT OPTION, and to any role in the database.

  • If both of the following conditions are true, then the grantee can create views on the table, and grant the corresponding privileges on the views to any user or role in the database:

    • The grantee receives object privileges for the table with the GRANT OPTION.

    • The grantee has the CREATE VIEW or CREATE ANY VIEW system privilege.

Note:

The WITH GRANT OPTION clause is not valid if you try to grant an object privilege to a role. Oracle Database prevents the propagation of object privileges through roles so that grantees of a role cannot propagate object privileges received by means of roles.

Granting Object Privileges on Behalf of the Object Owner

The GRANT ANY OBJECT PRIVILEGE system privilege enables users to grant and revoke any object privilege on behalf of the object owner. This privilege provides a convenient means for database and application administrators to grant access to objects in any schema without requiring that they connect to the schema. Login credentials do not need to be maintained for schema owners who have this privilege, which reduces the number of connections required during configuration.

This system privilege is part of the Oracle Database supplied DBA role and is thus granted (with the ADMIN option) to any user connecting AS SYSDBA (user SYS). As with other system privileges, the GRANT ANY OBJECT PRIVILEGE system privilege can only be granted by a user who possesses the ADMIN option.

The recorded grantor of access rights to an object is either the object owner or the person exercising the GRANT ANY OBJECT PRIVILEGE system privilege. If the grantor with GRANT ANY OBJECT PRIVILEGE does not have the object privilege with the GRANT OPTION, then the object owner is shown as the grantor. Otherwise, when that grantor has the object privilege with the GRANT OPTION, then that grantor is recorded as the grantor of the grant.

Note:

The audit record generated by the GRANT statement always shows the actual user who performed the grant.

For example, consider the following scenario. User adams possesses the GRANT ANY OBJECT PRIVILEGE system privilege. He does not possess any other grant privileges. He issues the following statement:

GRANT SELECT ON HR.EMPLOYEES TO blake WITH GRANT OPTION;

If you examine the DBA_TAB_PRIVS view, then you will see that hr is shown as the grantor of the privilege:

SELECT GRANTEE, GRANTOR, PRIVILEGE, GRANTABLE
  FROM DBA_TAB_PRIVS 
  WHERE TABLE_NAME = 'EMPLOYEES' and OWNER = 'HR';

GRANTEE  GRANTOR PRIVILEGE    GRANTABLE
-------- ------- -----------  ----------
BLAKE    HR       SELECT      YES       

Now assume that user blake also has the GRANT ANY OBJECT PRIVILEGE system. He issues the following statement:

GRANT SELECT ON HR.EMPLOYEES TO clark;

In this case, when you query the DBA_TAB_PRIVS view again, you see that blake is shown as being the grantor of the privilege:

GRANTEE  GRANTOR  PRIVILEGE  GRANTABLE
-------- -------- ---------  ----------
BLAKE    HR       SELECT     YES       
CLARK    BLAKE    SELECT     NO        

This occurs because blake already possesses the SELECT privilege on HR.EMPLOYEES with the GRANT OPTION.

Granting Privileges on Columns

You can grant INSERT, UPDATE, or REFERENCES privileges on individual columns in a table.

Caution:

Before granting a column-specific INSERT privilege, determine if the table contains any columns on which NOT NULL constraints are defined. Granting selective insert capability without including the NOT NULL columns prevents the user from inserting any rows into the table. To avoid this situation, ensure that each NOT NULL column can either be inserted into or has a non-NULL default value. Otherwise, the grantee will not be able to insert rows into the table and will receive an error.

The following statement grants the INSERT privilege on the acct_no column of the accounts table to user psmith:

GRANT INSERT (acct_no) ON accounts TO psmith;

In the following example, object privilege for the ename and job columns of the emp table are granted to the users jfee and tsmith:

GRANT INSERT(ename, job) ON emp TO jfee, tsmith;

Row-Level Access Control

You can also provide access control at the row level, that is, within objects, using Virtual Private Database (VPD) or Oracle Label Security (OLS).

Revoking Privileges and Roles from a User

This section contains:

Revoking System Privileges and Roles

You can revoke system privileges and roles using the SQL statement REVOKE. Any user with the ADMIN option for a system privilege or role can revoke the privilege or role from any other database user or role. The revoker does not have to be the user that originally granted the privilege or role. Users with GRANT ANY ROLE can revoke any role.

Example 4-29 revokes the CREATE TABLE system privilege and the accts_rec role from user psmith:

Example 4-29 Revoking a System Privilege and a Role from a User

REVOKE CREATE TABLE, accts_rec FROM psmith;

Note:

The ADMIN option for a system privilege or role cannot be selectively revoked. Instead, revoke the privilege or role, and then grant the privilege or role again but without the ADMIN option.

Revoking Object Privileges

To revoke an object privilege, you must fulfill one of the following conditions:

  • You previously granted the object privilege to the user or role.

  • You possess the GRANT ANY OBJECT PRIVILEGE system privilege that enables you to grant and revoke privileges on behalf of the object owner.

You can only revoke the privileges that you, the person who granted the privilege, directly authorized. You cannot revoke grants that were made by other users to whom you granted the GRANT OPTION. However, there is a cascading effect. If the object privileges of the user who granted the privilege are revoked, then the object privilege grants that were propagated using the GRANT OPTION are revoked as well.

Assuming you are the original grantor of the privilege, the following statement revokes the SELECT and INSERT privileges on the emp table from users jfee and psmith:

REVOKE SELECT, INSERT ON emp FROM jfee, psmith;

The following statement revokes all object privileges for the dept table that you originally granted to the human_resource role:

REVOKE ALL ON dept FROM human_resources;

Note:

The GRANT OPTION for an object privilege cannot be selectively revoked. Instead, revoke the object privilege and then grant it again but without the GRANT OPTION. Users cannot revoke object privileges from themselves.

Revoking Object Privileges on Behalf of the Object Owner

The GRANT ANY OBJECT PRIVILEGE system privilege enables you to revoke any specified object privilege where the object owner is the grantor. This occurs when the object privilege is granted by the object owner, or on behalf of the owner by any user holding the GRANT ANY OBJECT PRIVILEGE system privilege.

In a situation where the object privilege was granted by both the owner of the object and the user executing the REVOKE statement (who has both the specific object privilege and the GRANT ANY OBJECT PRIVILEGE system privilege), Oracle Database only revokes the object privilege granted by the user issuing the REVOKE statement. This can be illustrated by continuing the example started in "Granting Object Privileges on Behalf of the Object Owner".

At this point, user blake granted the SELECT privilege on HR.EMPLOYEES to clark. Even though blake possesses the GRANT ANY OBJECT PRIVILEGE system privilege, he also holds the specific object privilege, thus this grant is attributed to him. Assume that user HR also grants the SELECT privilege on HR.EMPLOYEES to user clark. A query of the DBA_TAB_PRIVS view shows that the following grants are in effect for the HR.EMPLOYEES table:

GRANTEE  GRANTOR PRIVILEGE    GRANTABLE
-------- ------- -----------  ----------
BLAKE    HR       SELECT       YES       
CLARK    BLAKE    SELECT       NO        
CLARK    HR       SELECT       NO        

User blake now issues the following REVOKE statement:

REVOKE  SELECT ON HR.EMPLOYEES FROM clark;

Only the object privilege for user clark granted by user blake is removed. The grant by the object owner, HR, remains.

GRANTEE  GRANTOR PRIVILEGE    GRANTABLE
-------- ------- -----------  ----------
BLAKE    HR       SELECT      YES       
CLARK    HR       SELECT      NO        

If blake issues the REVOKE statement again, then this time the effect is to remove the object privilege granted by adams (on behalf of HR), using the GRANT ANY OBEJCT PRIVILEGE system privilege.

Revoking Column-Selective Object Privileges

Although users can grant column-specific INSERT, UPDATE, and REFERENCES privileges for tables and views, they cannot selectively revoke column-specific privileges with a similar REVOKE statement. Instead, the grantor must first revoke the object privilege for all columns of a table or view, and then selectively repeat the grant of the column-specific privileges that the grantor intends to keep in effect.

For example, assume that role human_resources was granted the UPDATE privilege on the deptno and dname columns of the table dept. To revoke the UPDATE privilege on just the deptno column, issue the following two statements:

REVOKE UPDATE ON dept FROM human_resources;
GRANT UPDATE (dname) ON dept TO human_resources;

The REVOKE statement revokes the UPDATE privilege on all columns of the dept table from the role human_resources. The GRANT statement then repeats, restores, or reissues the grant of the UPDATE privilege on the dname column to the role human_resources.

Revoking the REFERENCES Object Privilege

If the grantee of the REFERENCES object privilege has used the privilege to create a foreign key constraint (that currently exists), then the grantor can revoke the privilege only by specifying the CASCADE CONSTRAINTS option in the REVOKE statement:

REVOKE REFERENCES ON dept FROM jward CASCADE CONSTRAINTS;

Any foreign key constraints currently defined that use the revoked REFERENCES privilege are dropped when the CASCADE CONSTRAINTS clause is specified.

Cascading Effects of Revoking Privileges

This section contains:

Cascading Effects When Revoking System Privileges

There are no cascading effects when revoking a system privilege related to DDL operations, regardless of whether the privilege was granted with or without the ADMIN option. For example, assume the following:

  1. The security administrator grants the CREATE TABLE system privilege to user jfee with the ADMIN option.

  2. User jfee creates a table.

  3. User jfee grants the CREATE TABLE system privilege to user tsmith.

  4. User tsmith creates a table.

  5. The security administrator revokes the CREATE TABLE system privilege from user jfee.

  6. The table created by user jfee continues to exist. User tsmith still has the table and the CREATE TABLE system privilege.

You can observe cascading effects when you revoke a system privilege related to a DML operation. If the SELECT ANY TABLE privilege is revoked from a user, then all procedures contained in the user's schema relying on this privilege can no longer be executed successfully until the privilege is reauthorized.

Cascading Effects When Revoking Object Privileges

Revoking an object privilege can have cascading effects. Remember the following:

  • Object definitions that depend on a DML object privilege can be affected if the DML object privilege is revoked. For example, assume that the body of the test procedure includes a SQL statement that queries data from the emp table. If the SELECT privilege on the emp table is revoked from the owner of the test procedure, then the procedure can no longer be executed successfully.

  • When a REFERENCES privilege for a table is revoked from a user, any foreign key integrity constraints that are defined by the user and require the dropped REFERENCES privilege are automatically dropped. For example, assume that user jward is granted the REFERENCES privilege for the deptno column of the dept table. This user now creates a foreign key on the deptno column in the emp table that references the deptno column of the dept table. If the REFERENCES privilege on the deptno column of the dept table is revoked, then the foreign key constraint on the deptno column of the emp table is dropped in the same operation.

  • The object privilege grants propagated using the GRANT OPTION are revoked if the object privilege of a grantor is revoked. For example, assume that user1 is granted the SELECT object privilege on the emp table with the GRANT OPTION, and grants the SELECT privilege on emp to user2. Subsequently, the SELECT privilege is revoked from user1. This REVOKE statement is also cascaded to user2. Any objects that depend on the revoked SELECT privilege of user1 and user2 can also be affected, as described earlier.

Object definitions that require the ALTER and INDEX DDL object privileges are not affected if the ALTER or INDEX object privilege is revoked. For example, if the INDEX privilege is revoked from a user that created an index on a table that belongs to another user, then the index continues to exist after the privilege is revoked.

Granting Privileges to and Revoking Privileges from the PUBLIC Role

You can grant and revoke privileges and roles from the role PUBLIC. Because PUBLIC is accessible to every database user, all privileges and roles granted to PUBLIC are accessible to every database user. By default, PUBLIC does not have privileges granted to it.

Security administrators and database users should grant a privilege or role to PUBLIC only if every database user requires the privilege or role. This recommendation reinforces the general rule that, at any given time, each database user should have only the privileges required to accomplish the current group tasks successfully.

Revoking a privilege from the PUBLIC role can cause significant cascading effects. If any privilege related to a DML operation is revoked from PUBLIC (for example, SELECT ANY TABLE or UPDATE ON emp), then all procedures in the database, including functions and packages, must be reauthorized before they can be used again. Therefore, be careful when you grant and revoke DML-related privileges to or from PUBLIC.

See Also:

Granting Roles Using the Operating System or Network

This section contains:

About Granting Roles Using the Operating System or Network

Instead of a security administrator explicitly granting and revoking database roles to and from users using GRANT and REVOKE statements, the operating system on which Oracle Database runs can grant roles to users at connect time. Roles can be administered using the operating system and passed to Oracle Database when a user creates a session. As part of this mechanism, the default roles of a user and the roles granted to a user with the ADMIN option can be identified. If the operating system is used to authorize users for roles, then all roles must be created in the database and privileges assigned to the role with GRANT statements.

Roles can also be granted through a network service.

The advantage of using the operating system to identify the database roles of a user is that privilege management for an Oracle database can be externalized. The security facilities offered by the operating system control user privileges. This option may offer advantages of centralizing security for several system activities, such as the following situation:

  • MVS Oracle administrators want RACF groups to identify database user roles.

  • UNIX Oracle administrators want UNIX groups to identify database user roles.

  • VMS Oracle administrators want to use rights identifiers to identify database user roles.

The main disadvantage of using the operating system to identify the database roles of a user is that privilege management can only be performed at the role level. Individual privileges cannot be granted using the operating system, but they can still be granted inside the database using GRANT statements.

A second disadvantage of using this feature is that, by default, users cannot connect to the database through the shared server or any other network connection if the operating system is managing roles. However, you can change this default as described in "Network Connections with Operating System Role Management".

Note:

The features described in this section are available only on some operating systems. See your operating system-specific Oracle Database documentation to determine if you can use these features.

Operating System Role Identification

To have the database use the operating system to identify the database roles of each user when a session is created, set the initialization parameter OS_ROLES to TRUE (and restart the instance, if it is currently running). When a user tries to create a session with the database, Oracle Database initializes the user security domain using the database roles identified by the operating system.

To identify database roles for a user, the operating system account for each Oracle Database user must have operating system identifiers (these may be called groups, rights identifiers, or other similar names) that indicate which database roles are to be available for the user. Role specification can also indicate which roles are the default roles of a user and which roles are available with the ADMIN option. No matter which operating system is used, the role specification at the operating system level follows the format:

ora_ID_ROLE[[_d][_a][_da]]

In this specification:

  • ID has a definition that varies on different operating systems. For example, on VMS, ID is the instance identifier of the database; on VMS, it is the computer type; and on UNIX, it is the system ID.

    ID is case-sensitive to match your ORACLE_SID. ROLE is not case-sensitive.

  • ROLE is the name of the database role.

  • d is an optional character that indicates this role is to be a default role of the database user.

  • a is an optional character that indicates this role is to be granted to the user with the ADMIN option. This allows the user to grant the role to other roles only. Roles cannot be granted to users if the operating system is used to manage roles.

    If either the d or a character is specified, then precede that character by an underscore (_).

For example, suppose an operating system account has the following roles identified in its profile:

ora_PAYROLL_ROLE1
ora_PAYROLL_ROLE2_a
ora_PAYROLL_ROLE3_d
ora_PAYROLL_ROLE4_da

When the corresponding user connects to the payroll instance of Oracle Database, role3 and role4 are defaults, while role2 and role4 are available with the ADMIN option.

Operating System Role Management

When you use operating system-managed roles, remember that database roles are being granted to an operating system user. Any database user to which the operating system user is able to connect will have the authorized database roles enabled. For this reason, you should consider defining all Oracle Database users as IDENTIFIED EXTERNALLY if you are using OS_ROLES = TRUE, so that the database accounts are tied to the operating system account that was granted privileges.

Role Grants and Revokes When OS_ROLES Is Set to TRUE

If the OS_ROLES parameter is set to TRUE, then the operating system completely manages the granting and revoking of roles to users. Any previous granting of roles to users using GRANT statements do not apply. However, they are still listed in the data dictionary. Only the role grants to users made at the operating system level apply. Users can still grant privileges to roles and users.

Note:

If the operating system grants a role to a user with the ADMIN option, then the user can grant the role only to other roles.

Role Enablements and Disablements When OS_ROLES Is Set to TRUE

If the OS_ROLES initialization parameter is set to TRUE, then any role granted by the operating system can be dynamically enabled using the SET ROLE statement. This still applies, even if the role was defined to require a password or operating system authorization. However, any role not identified in the operating system account of a user cannot be specified in a SET ROLE statement, even if a role was granted using a GRANT statement when OS_ROLES = FALSE. (If you specify such a role, then Oracle Database ignores it.)

When OS_ROLES is set to TRUE, then the user can enable up to 148 roles. Remember that this number includes other roles that may have been granted to the role.

Network Connections with Operating System Role Management

If you have the operating system manage roles, then, by default, users cannot connect to the database through the shared server. This restriction is the default because a remote user could impersonate another operating system user over an unsecure connection.

If you are not concerned with this security risk and want to use operating system role management with the shared server, or any other network connection, then set the initialization parameter REMOTE_OS_ROLES to TRUE. The change takes effect the next time you start the instance and mount the database. The default setting of this parameter is FALSE.

When Do Grants and Revokes Take Effect?

Depending on what is granted or revoked, a grant or revoke takes effect at different times:

  • All grants and revokes of system and object privileges to anything (users, roles, and PUBLIC) take immediate effect.

  • All grants and revokes of roles to anything (users, other roles, PUBLIC) take effect only when a current user session issues a SET ROLE statement to reenable the role after the grant and revoke, or when a new user session is created after the grant or revoke.

You can see which roles are currently enabled by examining the SESSION_ROLES data dictionary view.

How the SET ROLE Statement Affects Grants and Revokes

During the user session, the user or an application can use the SET ROLE statement any number of times to change the roles currently enabled for the session. The user must already be granted the roles that are named in the SET ROLE statement.

Example 4-30 enables the role clerk, which you have already been granted, and specifies the password.

Example 4-30 Using SET ROLE to Grant a Role and Specify a Password

SET ROLE clerk IDENTIFIED BY password;

Replace password with a password that is secure. "Minimum Requirements for Passwords" describes the minimum requirements for passwords.

Example 4-31 shows how to use SET ROLE to disable all roles.

Example 4-31 Using SET ROLE to Disable All Roles

SET ROLE NONE;

Specifying Default Roles

When a user logs on, Oracle Database enables all privileges granted explicitly to the user and all privileges in the default roles of the user.

You can set and alter a list of default roles for a user by using the ALTER USER SQL statement. The ALTER USER statement specifies roles that are to be enabled when a user connects to the database. The user must have been directly granted the roles with a GRANT statement, or the roles must have been created by the user with the CREATE ROLE privilege. For information about the restrictions of the DEFAULT ROLE clause of the ALTER USER statement, see Oracle Database SQL Language Reference.

Example 4-32 sets the default roles payclerk and pettycash for user jane:

Example 4-32 Using ALTER USER to Set Default Roles

ALTER USER jane DEFAULT ROLE payclerk, pettycash;

You cannot set default roles for a user in the CREATE USER statement. When you first create a user, the default user role setting is ALL, which causes all roles subsequently granted to the user to be default roles. Use the ALTER USER statement to limit the default user roles.

Caution:

When you create a role (other than a global role or an application role), it is granted implicitly to you, and your set of default roles is updated to include the new role. Be aware that only 148 roles can be enabled for a user session. When aggregate roles, such as the DBA role, are granted to a user, the roles granted to the role are included in the number of roles the user has. For example, if a role has 20 roles granted to it and you grant that role to the user, then the user now has 21 additional roles. Therefore, when you grant new roles to a user, use the DEFAULT ROLE clause of the ALTER USER statement to ensure that not too many roles are specified as that user's default roles.

The Maximum Number of Roles That a User Can Have Enabled

You can grant a user as many roles as you want, but be aware that even though the user login succeeds, no more than 148 roles can be enabled for the user at any given time. Therefore, not all privileges will be available to this user during the user session. As a best practice, restrict the number of roles granted to a user to the minimum roles the user needs. See "Guidelines for Securing Roles" for additional guidelines on granting roles to users.

User Privilege and Role Data Dictionary Views

Table 4-6 lists data dictionary views that you can query to access information about grants of privileges and roles.

See Also:

Oracle Database Reference for detailed information about data dictionary views

Table 4-6 Data Dictionary Views That Display Privilege and Role Information

View Description

ALL_COL_PRIVS

Describes all column object grants for which the current user or PUBLIC is the object owner, grantor, or grantee

ALL_COL_PRIVS_MADE

Lists column object grants for which the current user is object owner or grantor

ALL_COL_PRIVS_RECD

Describes column object grants for which the current user or PUBLIC is the grantee

ALL_TAB_PRIVS

Lists the grants on objects where the user or PUBLIC is the grantee

ALL_TAB_PRIVS_MADE

Lists the all object grants made by the current user or made on the objects owned by the current user

ALL_TAB_PRIVS_RECD

Lists object grants for which the user or PUBLIC is the grantee

DBA_COL_PRIVS

Describes all column object grants in the database

DBA_CONTAINER_DATA

In a multitenant environment, displays default (user-level) and object-specific CONTAINER_DATA attributes. Objects that are created with the CONTAINER_DATA clause include CONTAINER_DATA attributes.

DBA_EPG_DAD_AUTHORIZATION

Describes the database access descriptors (DAD) that are authorized to use a different user's privileges

DBA_TAB_PRIVS

Lists all grants on all objects in the database

DBA_ROLES

Lists all roles that exist in the database, including secure application roles. Note that it does not list the PUBLIC role

DBA_ROLE_PRIVS

Lists roles directly granted to users and roles

DBA_SYS_PRIVS

Lists system privileges granted to users and roles

ROLE_ROLE_PRIVS

Lists roles granted to other roles. Information is provided only about roles to which the user has access

ROLE_SYS_PRIVS

Lists system privileges granted to roles. Information is provided only about roles to which the user has access

ROLE_TAB_PRIVS

Lists object privileges granted to roles. Information is provided only about roles to which the user has access

SESSION_PRIVS

Lists the privileges that are currently enabled for the user

SESSION_ROLES

Lists all roles that are enabled for the current user. Note that it does not list the PUBLIC role

USER_COL_PRIVS

Describes column object grants for which the current user is the object owner, grantor, or grantee

USER_COL_PRIVS_MADE

Describes column object grants for which the current user is the object owner

USER_COL_PRIVS_RECD

Describes column object grants for which the current user is the grantee

USER_EPG_DAD_AUTHORIZATION

Describes the database access descriptors (DAD) that are authorized to use a different user's privileges

USER_ROLE_PRIVS

Lists roles directly granted to the current user

USER_TAB_PRIVS

Lists grants on all objects where the current user is the grantee

USER_SYS_PRIVS

Lists system privileges granted to the current user

USER_TAB_PRIVS_MADE

Lists grants on all objects owned by the current user

USER_TAB_PRIVS_RECD

Lists object grants for which the current user is the grantee

V$PWFILE_USERS

Lists all users in the current PDB who have been granted administrative privileges


This section provides some examples of using these views. For these examples, assume the following statements were issued:

CREATE ROLE security_admin IDENTIFIED BY password;

GRANT CREATE PROFILE, ALTER PROFILE, DROP PROFILE,
    CREATE ROLE, DROP ANY ROLE, GRANT ANY ROLE, AUDIT ANY,
    AUDIT SYSTEM, CREATE USER, BECOME USER, ALTER USER, DROP USER
    TO security_admin WITH ADMIN OPTION;

GRANT READ, DELETE ON SYS.AUD$ TO security_admin;

GRANT security_admin, CREATE SESSION TO swilliams;

GRANT security_admin TO system_administrator;

GRANT CREATE SESSION TO jward;

GRANT READ, DELETE ON emp TO jward;

GRANT INSERT (ename, job) ON emp TO swilliams, jward;

See Also:

Oracle Database Reference for a detailed description of these data dictionary views

Listing All System Privilege Grants

The following query returns all system privilege grants made to roles and users:

SELECT GRANTEE, PRIVILEGE, ADM FROM DBA_SYS_PRIVS;

GRANTEE            PRIVILEGE                         ADM
--------------     --------------------------------- ---
SECURITY_ADMIN     ALTER PROFILE                     YES
SECURITY_ADMIN     ALTER USER                        YES
SECURITY_ADMIN     AUDIT ANY                         YES
SECURITY_ADMIN     AUDIT SYSTEM                      YES
SECURITY_ADMIN     BECOME USER                       YES
SECURITY_ADMIN     CREATE PROFILE                    YES
SECURITY_ADMIN     CREATE ROLE                       YES
SECURITY_ADMIN     CREATE USER                       YES
SECURITY_ADMIN     DROP ANY ROLE                     YES
SECURITY_ADMIN     DROP PROFILE                      YES
SECURITY_ADMIN     DROP USER                         YES
SECURITY_ADMIN     GRANT ANY ROLE                    YES
SWILLIAMS          CREATE SESSION                    NO
JWARD              CREATE SESSION                    NO

See Oracle Database Reference for detailed information about the DBA_SYS_PRIVS view.

Listing All Role Grants

The following query returns all the roles granted to users and other roles:

SELECT * FROM DBA_ROLE_PRIVS;

GRANTEE            GRANTED_ROLE                         ADM
------------------ ------------------------------------ ---
SWILLIAMS          SECURITY_ADMIN                       NO

See Oracle Database Reference for detailed information about the DBA_ROLE_PRIVS view.

Listing Object Privileges Granted to a User

The following query returns all object privileges (not including column-specific privileges) granted to the specified user:

SELECT TABLE_NAME, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
    WHERE GRANTEE = 'jward';

TABLE_NAME   PRIVILEGE    GRANTABLE
-----------  ------------ ----------
EMP          SELECT       NO
EMP          DELETE       NO

To list all the column-specific privileges that have been granted, use the following query:

SELECT GRANTEE, TABLE_NAME, COLUMN_NAME, PRIVILEGE
    FROM DBA_COL_PRIVS;

GRANTEE      TABLE_NAME     COLUMN_NAME      PRIVILEGE
-----------  ------------   -------------    --------------
SWILLIAMS    EMP            ENAME            INSERT
SWILLIAMS    EMP            JOB              INSERT
JWARD        EMP            NAME             INSERT
JWARD        EMP            JOB              INSERT

See Oracle Database Reference for detailed information about the DBA_TAB_PRIVS view.

Listing the Current Privilege Domain of Your Session

The following query lists all roles currently enabled for the issuer:

SELECT * FROM SESSION_ROLES;

If user swilliams has the security_admin role enabled and issues the previous query, then Oracle Database returns the following information:

ROLE
------------------------------
SECURITY_ADMIN

The following query lists all system privileges currently available in the security domain of the issuer, both from explicit privilege grants and from enabled roles:

SELECT * FROM SESSION_PRIVS;

If user swilliams has the security_admin role enabled and issues the previous query, then Oracle Database returns the following results:

PRIVILEGE
----------------------------------------
AUDIT SYSTEM
CREATE SESSION
CREATE USER
BECOME USER
ALTER USER
DROP USER
CREATE ROLE
DROP ANY ROLE
GRANT ANY ROLE
AUDIT ANY
CREATE PROFILE
ALTER PROFILE
DROP PROFILE

If the security_admin role is disabled for user swilliams, then the first query would return no rows, while the second query would only return a row for the CREATE SESSION privilege grant.

See Oracle Database Reference for detailed information about the SESSION_ROLES view.

Listing Roles of the Database

You can use the DBA_ROLES data dictionary view to list all roles of a database and the authentication used for each role. For example, the following query lists all the roles in the database:

SELECT * FROM DBA_ROLES;

ROLE                  PASSWORD
----------------      --------
CONNECT               NO
RESOURCE              NO
DBA                   NO
SECURITY_ADMIN        YES

See Oracle Database Reference for detailed information about the DBA_ROLES view.

Listing Information About the Privilege Domains of Roles

The ROLE_ROLE_PRIVS, ROLE_SYS_PRIVS, and ROLE_TAB_PRIVS data dictionary views contain information about the privilege domains of roles. For example, the following query lists all the roles granted to the system_admin role:

SELECT GRANTED_ROLE, ADMIN_OPTION
   FROM ROLE_ROLE_PRIVS
   WHERE ROLE = 'SYSTEM_ADMIN';

GRANTED_ROLE              ADM
----------------          ----
SECURITY_ADMIN            NO

The following query lists all the system privileges granted to the security_admin role:

SELECT * FROM ROLE_SYS_PRIVS WHERE ROLE = 'SECURITY_ADMIN';

ROLE                    PRIVILEGE                      ADM
----------------------- -----------------------------  ---
SECURITY_ADMIN           ALTER PROFILE                 YES
SECURITY_ADMIN           ALTER USER                    YES
SECURITY_ADMIN           AUDIT ANY                     YES
SECURITY_ADMIN           AUDIT SYSTEM                  YES
SECURITY_ADMIN           BECOME USER                   YES
SECURITY_ADMIN           CREATE PROFILE                YES
SECURITY_ADMIN           CREATE ROLE                   YES
SECURITY_ADMIN           CREATE USER                   YES
SECURITY_ADMIN           DROP ANY ROLE                 YES
SECURITY_ADMIN           DROP PROFILE                  YES
SECURITY_ADMIN           DROP USER                     YES
SECURITY_ADMIN           GRANT ANY ROLE                YES

The following query lists all the object privileges granted to the security_admin role:

SELECT TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS
    WHERE ROLE = 'SECURITY_ADMIN';

TABLE_NAME                     PRIVILEGE
---------------------------    ----------------
AUD$                           DELETE
AUD$                           SELECT

See Oracle Database Reference for detailed information about the ROLE_ROLE_PRIVS, ROLE_SYS_PRIVS, and ROLE_TAB_PRIVS views.