13 Grant and Revoke Data Roles

Use the SQL statements in this chapter to grant and revoke data roles.

Granting a data role allows specific end users, application identities, or other data roles to use its associated fine-grained data privileges. Revoking a data role removes this access.

Before you grant data roles, review the role-grant restrictions detailed in the following table.

| Type of Role | Can Be Granted To |
|---|---|
| Database role | Data role |
| Data role that is managed locally in the database | Local end user; another data role that is managed locally in the database; application identity |
| Data role that is mapped to an application role in IAM | None |

You cannot grant data roles that are mapped to external application roles to local end users or data roles. Instead, you must enable these data roles for end users through IAM.

Query the DBA_DATA_ROLE_GRANTS data dictionary view to review existing data role grants, including their start and end times.