Replace current role administrators with new administrators.
The first approach is a two step process. It involves adding new role administrators and removing existing administrators from the role. Since the minimum number of administrators requirement must be met at all times through the process, it is recommended that you add before you remove. With this approach, if the role has a global role administrator, it is retained unless it is explicitly removed.
The replacement role command can be issued as long as the replacement administrative option is equal to or higher than the current level. To lower the administrative level, all role administrators must first be removed (revoked) from the role and then be regranted.
A minimum number of role or global role administrators (as defined by the MIN_ROLE_ADMINS database option) with a login password must exist for each role at all times. When replacing role administrators, if the number of replacement administrators would violate the minimum requirement, the replacement fails.
Replacement Option | Statement |
---|---|
Replace select role administrators with administrative only rights; no role membership |
|
Replace select role administrators with administrative and role membership |
|
Replace all role administrators with administrative rights only; no role membership. Remove the global role administrator, if exists. |
CREATE OR REPLACE ROLE role_name WITH ADMIN ONLY admin_name [,...] |
Replace all role administrators with administrative rights and role membership. Remove the global role administrator, if exists. |
CREATE OR REPLACE ROLE role_name WITH ADMIN admin_name [,...] |
Replace all role administrators with administrative rights only, including the global role administrator.* |
CREATE OR REPLACE ROLE role_name WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, admin_name [,...] |
Replace all role administrators with full administrative rights. Restore the global role administrator to the role* |
|
Sales has Mary and Bob as role administrators with full administrative rights. Sales has a global role administrator.
Execute these statements to remove Bob as a role administrator and replace him with Sarah and Jeff, with the same administrative rights. Bob remains a member of Sales with no administrative rights.
GRANT ROLE sales TO Sarah, Jeff WITH ADMIN OPTION REVOKE ADMIN OPTION FOR ROLE Sales FROM Bob
Execute these statements to replace the existing role administrators (Mary and Bob) with Sarah and Jeff, with full administrative rights. Since the global role administrator cannot be included on the list (cannot be granted with full administrative rights), it must be explicitly regranted to the role after replacement of the role administrators.
CREATE OR REPLACE ROLE Sales WITH ADMIN Sarah, Jeff GRANT ROLE sales TO SYS_MANAGE_ROLES_ROLE WITH ADMIN ONLY OPTION
Execute these statements to replace the existing role administrators (Mary and Bob) with Bob and Sarah with administrative rights only. To preserve the global role administrator, it must be included on the list. Since Bob is to remain as a role administrator, and originally had higher administrative rights than the new role administrators, he retains the original higher administrative rights.
CREATE OR REPLACE ROLE Sales WITH ADMIN ONLY Bob, Sarah, SYS_MANAGE_ROLES_ROLE