You must either have been granted the role with the
OPTION or have
ROLE system privilege.
Before you alter a role to
GLOBALLY, you must:
Revoke all grants of roles identified externally to the role and
Revoke the grant of the role from all users, roles, and
The one exception to this rule is that you should not revoke the role from the user who is currently altering the role.
To specify the
CONTAINER clause, you must be connected to a multitenant container database (CDB). To specify
ALL, the current container must be the root. To specify
CURRENT, the current container must be a pluggable database (PDB).
The keywords, parameters, and clauses in the
ROLE statement all have the same meaning as in the
Restriction on Altering a Role
You cannot alter a
IDENTIFIED role to any of the
IDENTIFIED types if it is granted to another role.
Notes on Altering a Role
The following notes apply when altering a role:
User sessions in which the role is already enabled are not affected.
If you change a role identified by password to an application role (with the
packageclause), then password information associated with the role is lost. Oracle Database will use the new authentication mechanism the next time the role is to be enabled.
If you have the
ROLEsystem privilege and you change a role that is
IDENTIFIED, then Oracle Database grants you the altered role with the
OPTION, as it would have if you had created the role identified nonglobally.
For more information, refer to CREATE ROLE and to the examples that follow.
Changing Role Identification: Example
The following statement changes the role
warehouse_user (created in "Creating a Role: Example") to
ALTER ROLE warehouse_user NOT IDENTIFIED;
Changing a Role Password: Example
This statement changes the password on the
dw_manager role (created in "Creating a Role: Example") to
ALTER ROLE dw_manager IDENTIFIED BY data;
Users granted the
dw_manager role must subsequently use the new password
data to enable the role.
Application Roles: Example
The following example changes the
dw_manager role to an application role using the
ALTER ROLE dw_manager IDENTIFIED USING hr.admin;