When a user logs on to Oracle Database, the database enables all privileges granted explicitly to the user and all privileges in the user's default roles. During the session, the user or an application can use the
ROLE statement any number of times to enable or disable the roles currently enabled for the session.
For most roles, you cannot enable or disable a role unless it was granted to you either directly or through other roles. However, a secure application role can be granted and enabled by its associated PL/SQL package. See the
ROLE semantics for USING package and Oracle Database Security Guide for information about secure application roles.
ROLE succeeds only if there are no definer's rights units on the call stack. If at least one DR unit is on the call stack, then issuing the
ROLE command causes
06565. See Oracle Database PL/SQL Language Reference for more information about definer's rights units.
To run the
ROLE command from PL/SQL, you must use dynamic SQL, preferably the
IMMEDIATE statement. See Oracle Database PL/SQL Language Reference for more information about this statement.
You must already have been granted the roles that you name in the
Specify one or more roles to be enabled for the current session. All roles not specified are disabled for the current session or until another
ROLE statement is issued in the current session.
password clause, specify the password for a role. If the role has a password, then you must specify the password to enable the role.
Restriction on Setting Roles
You cannot specify a role identified globally. Global roles are enabled by default at login, and cannot be reenabled later.
Roles listed in the
EXCEPT clause must be roles granted directly to you. They cannot be roles granted to you through other roles.
If you list a role in the
EXCEPT clause that has been granted to you both directly and through another role, then the role remains enabled by virtue of the role to which it has been granted.
Restrictions on the ALL Clause
The following restrictions apply to the
You cannot use this clause to enable roles with passwords that have been granted directly to you.
You cannot use this clause to enable a secure application role, which is a role that can be enabled only by applications using an authorized package. Refer to Oracle Database Security Guide for information on creating a secure application role and Oracle Database 2 Day + Security Guide for a tutorial.
Setting Roles: Examples
To enable the role
dw_manager identified by the password
warehouse for your current session, issue the following statement:
SET ROLE dw_manager IDENTIFIED BY warehouse;
To enable all roles granted to you for the current session, issue the following statement:
SET ROLE ALL;
To enable all roles granted to you except
dw_manager, issue the following statement:
SET ROLE ALL EXCEPT dw_manager;
To disable all roles granted to you for the current session, issue the following statement:
SET ROLE NONE;