CREATE ROLE

Purpose

Use the CREATE ROLE statement to create a role, which is a set of privileges that can be granted to users or to other roles. You can use roles to administer database privileges. You can add privileges to a role and then grant the role to a user. The user can then enable the role and exercise the privileges granted by the role.

A role contains all privileges granted to the role and all privileges of other roles granted to it. A new role is initially empty. You add privileges to a role with the GRANT statement.

When you create a role that is NOT IDENTIFIED or is IDENTIFIED EXTERNALLY or BY password, Oracle grants you the role with ADMIN OPTION. However, when you create a role IDENTIFIED GLOBALLY, Oracle does not grant you the role.

See Also: GRANT for information on granting roles ALTER USER for information on enabling roles ALTER ROLE for information on modifying a role DROP ROLE for information on removing a role from the database SET ROLE for information on enabling and disabling roles for the current session Oracle8i Distributed Database Systems for a detailed description and explanation of using global roles

Prerequisites

You must have CREATE ROLE system privilege.

Syntax

Keywords and Parameters

role

Specify the name of the role to be created. Oracle recommends that the role contain at least one single-byte character regardless of whether the database character set also contains multibyte characters.

Some roles are defined by SQL scripts provided on your distribution media.

See Also: GRANT for a list of these predefined roles

NOT IDENTIFIED

Specify NOT IDENTIFIED to indicate that this role is authorized by the database and that no password is required to enable the role.

IDENTIFIED

Use the IDENTIFIED clause to indicate that a user must be authorized by the specified method before the role is enabled with the SET ROLE statement:

BY password	The BY password clause lets you create a local user and indicates that the user must specify the password to Oracle when enabling the role. The password can contain only single-byte characters from your database character set regardless of whether this character set also contains multibyte characters.
EXTERNALLY	Specify EXTERNALLY to create an external user and indicates that a user must be authorized by an external service (such as an operating system or third-party service) before enabling the role.
	Depending on the operating system, the user may have to specify a password to the operating system before the role is enabled.
GLOBALLY	Specify GLOBALLY to create a global user and indicates that a user must be authorized to use the role by the enterprise directory service before the role is enabled with the SET ROLE statement, or at login.

If you omit both the NOT IDENTIFIED clause and the IDENTIFIED clause, the role defaults to NOT IDENTIFIED.

Examples

CREATE ROLE Example

The following statement creates global role vendor:

CREATE ROLE vendor IDENTIFIED GLOBALLY;

The following statement creates the role teller:

CREATE ROLE teller 
   IDENTIFIED BY cashflow; 

Users who are subsequently granted the teller role must specify the password cashflow to enable the role with the SET ROLE statement.