System privileges let you control access to authorized system operations. Each privileged database task on the server requires specific system privileges. System privileges can be granted individually to users or roles.
When a system privilege is granted to a role, all members of the role inherit the system privilege. All new members of a role automatically inherit all of the underlying system privileges of a role.
Each system privilege, with the exception of the SET USER system privilege, is granted by default to either the SYS_AUTH_SA_ROLE or SYS_AUTH_SSO_ROLE role, but not both. The exception, SET USER system privilege, is granted in both roles. Some select system privileges are also vested in other predefined system roles.
Individually granting the underlying system privileges of a role is semantically equivalent to granting the role itself. System privileges can be granted to multiple user-defined system roles in any combination to meet the functional security requirements of an organization.
With the exception of MANAGE ROLES and UPGRADE ROLE, system privileges cannot be modified. They can be granted to and revoked from roles and users, but they cannot be dropped or own objects.