Minimum Number of Role Administrators

The Minimum Number of Role Administrators (MIN_ROLE_ADMINS) option is a configurable value that ensures when dropping roles or users, you never create a scenario where there are no users and roles left with sufficient system privilege to manage the remaining users and roles.

The minimum number of role administrators value applies to the minimum number of role administrators for each role, not the minimum number or role administrators for the total number of roles, and is considered when:

Creating roles
Revoking roles
Dropping users or roles
Changing a user's password to null
Note: Users or roles without passwords cannot be administrators.

When you attempt to change this value, the system validates that each existing role continues to have at least as many role administrators as defined by the new value. If even one role fails to meet this requirement, the statement fails. Similarly, when dropping users, if the number of remaining administrators would drop below the designated minimum value, the statement fails.

Note: Locked accounts are not considered when counting the number of administrators for a role.

Example 1

MIN_ROLE_ADMINS =2

Role1 has two administrators and Role2 has three administrators.

If you attempt to reduce the min_role_admins value to 1, the command succeeds because both roles still have the new designated minimum number of role administrators. However, if you attempt to increase the value to 3, the command fails because Role1 would no longer have sufficient administrators to meet the new minimum value.

Example 2

MIN_ROLE_ADMINS =4

Role1 has six administrators and Role2 has four administrators.

If you attempt to drop a user from Role1, the command succeeds because Role1 still has sufficient administrators to meet the minimum value. However, if you attempt to drop a user from Role2, the command fails because Role2 would no longer have sufficient administrators to meet the minimum value.