Question

I would like to create a role connected as SYSTEM. But because I have a lot of schemas with a lot of roles and all of them will be created this way, I don't want the created roles to be granted to SYSTEM (otherwise it eventually will exceed the 148-roles limit).

=> Is it possible to disable the automatic grant on the creator?

NB: for now I work on Oracle 9i but it will soon be upgraded to 11g


Solution

There are 2 parts to my answer:

  1. Roles in Oracle are a bit like keys on your keyring: just because they're on the keyring doesn't mean you're using them all the time. Oracle has the concept of default roles: these roles are activated automatically when the session is created. The other roles can be enabled later if the user so desires.

    The 148 role limit applies to active roles, see for example this documentation link for Oracle 10g: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6012.htm#sthref7227

    To disable roles from being default, use ALTER USER ... DEFAULT ROLE ..., see http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4003.htm#sthref5717

  2. Don't create any objects, even roles, when connected as SYSTEM. Instead you should be using an ordinary user to create a role and adding objects to it that is appropriate for that user's schema's objects. You will need to grant the CREATE ROLE system privilege to those users that need to own objects and have roles for them, but that's all part of the Oracle security model.

OTHER TIPS

The maximum number of user-defined roles that can be enabled for a single user at one time is 148.

You can pretty much create as many roles as you like - just don't enable them all at once.

When you create a role (other than a user role), it is granted to you implicitly and added as a default role. You receive an error at login if you have more than MAX_ENABLED_ROLES. You can avoid this error by altering the user's default roles to be less than MAX_ENABLED_ROLES. Thus, you should change the DEFAULT ROLE settings of SYS and SYSTEM before creating user roles.

http://docs.oracle.com/cd/B10500_01/server.920/a96521/privs.htm#15539

e.g.

ALTER USER SYSTEM DEFAULT ROLE DBA
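
The default-role approach from the answers above, put together as one session. This is an added example, not part of the original posts. The role name APP_READ_ROLE is hypothetical, and the script assumes it is run by an account that can query DBA_ROLE_PRIVS and alter SYSTEM.

```sql
-- Added example. APP_READ_ROLE is a constructed, hypothetical role name.

-- 1. Count the directly granted default roles per account, to see who is
--    closest to the enabled-roles limit at login.
SELECT grantee,
       COUNT(*) AS default_roles
FROM   dba_role_privs
WHERE  default_role = 'YES'
GROUP  BY grantee
ORDER  BY default_roles DESC;

-- 2. Create a role. The creating account receives it implicitly.
CREATE ROLE app_read_role;

-- 3. Inspect how the new role was granted to the creator (SYSTEM here).
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SYSTEM'
AND    granted_role = 'APP_READ_ROLE';

-- 4. Restrict SYSTEM's default roles to DBA only, as the answer suggests.
--    The other roles stay granted; they are just not enabled at login.
ALTER USER system DEFAULT ROLE dba;

-- 5. Verify: only DBA should show DEFAULT_ROLE = 'YES' for SYSTEM.
SELECT granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'SYSTEM'
ORDER  BY granted_role;

-- 6. In a NEW session as SYSTEM, list what is actually enabled.
SELECT role FROM session_roles;

-- 7. Enable a non-default role on demand. SET ROLE replaces the set of
--    enabled roles, so DBA has to be listed again to keep it active.
SET ROLE dba, app_read_role;

SELECT role FROM session_roles;
```

Re-running the query from step 1 after each batch of role creation shows whether any account is accumulating default roles again.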
Licensed under: CC-BY-SA with attribution