Security Implications of the Managing Grantees and Managing Roles Options

A role can be granted to another role as a grantee (member) or as an underlying role. Each grant type has different security inheritance implications.

Grantees are members granted directly to a role. A grantee can be either a user or another role. Granting membership in a role allows grantees to inherit all system privileges and underlying roles of the role.

When granting a role to another role, the role can be granted as a grantee (member)) or as an underlying role.

When a role is granted as a member, each member of the role being granted (the child role) becomes a grantee of the receiving role (the parent role). Each new grantee inherits all system privileges and roles already granted to the parent role, while still retaining all system privileges and roles from the child role. Existing members of the parent role do not inherit any system privileges and roles from the child role.

When a role is granted as an underlying role, all system privileges and roles of the underlying role (child role) are inherited by all members of the receiving role (parent role). However, members of the child role do not become members of the parent role.

Consider the following:

There are three users: User1, User2, User3.
There are five roles: Role1, Role2, Role3, Role4, Role5.
There are three system privileges: Priv1, Priv2, Priv3.

Grant a role as a member:

Role1 is granted Priv1 and Role4.
User1 and User2 are members of Role1.
Role2 is granted Priv2 and Role5.
User3 is a member of Role2.
Role1 is made a member of Role2 (Manage Grantee).
As members of Role1, User1 and User2 (indirectly) become members of Role2 and inherit Priv2. Since Role4 is also a member of Role1, they also (indirectly) inherit all system privileges and roles granted to Role4.
As a member of Role2, User3 does not inherit Priv1 from Role1, or any system privileges or roles of Role4.

Grant a role as an underlying role:

Role1 is granted Priv1 and Role4.
User1 and User2 are members of Role1.
Role2 is granted Priv2 and Role5.
User3 is a member of Role2.
Role1 is made an underlying role of Role2 (Manage Roles).
As a member of Role2, User3 inherits the following from Role1: Priv1 and (indirectly) all system privileges and roles of Role4.
As members of Role1, User1 and User2 do not become members of Role2 and do not inherit Priv2 or any system privileges and roles granted to Role4.

As you can see, there is a significant difference in how system privileges and roles of a child role are inherited by the parent role and by whom. Use of the wrong grant method can lead to unexpected behavior and potential security concerns.