A role is a named collection of privileges. A role may be assigned to a user, but a user cannot be assigned to a role. For example, users can log in to the database; roles cannot. A user can own objects while a role cannot. The function of a role is to group logically associated privileges and allow those privileges to be passed to a user by referencing the role. Consequently, when a user is assigned (granted) a role, that user inherits all the privileges assigned to the role. If the role’s privileges are later changed, then the new privileges will be in effect the next time the user logs in to the database.
In an Oracle system, grants are issued on individual tables to
individual users. This sounds very simple, but when hundreds of
tables and users are involved, the implementation and management can
be very complex. The usual situation is for a manager to ask the DBA
ralph the same privileges that
mary has. If grants have been made to individual
users, the first task will be to find out what privileges
mary has, and then create a script to duplicate
those privileges, and finally to run that script to give
ralph the privileges.
The action of giving an employee the same privileges as another employee is much easier if roles are used. The DBA creates a role and grants some privileges to it. These privileges can be a mix of system and object privileges. In a financial system, there might be a FINCLERK role. This role could include the CREATE SESSION privilege to allow the ...