User-Defined Roles

A user-defined role is a custom collection of system and object-level privileges, typically created to group privileges related to a specific task or set of tasks.

A user-defined role:

Can be a standalone object with no login privileges, which can own objects.
Can be a database user with the ability to act as a role (user-extended role). If the original user has login privileges, the user-extended role inherits the login privileges.
Can be granted privileges on other objects.
Can be granted privileges of other roles.
Has a case-insensitive name.

The granting of a user-defined role is semantically equivalent to individually granting each of its underlying system and object-level privileges.

A user-defined role can be granted with or without administrative rights. When granted with administrative rights, a user can manage (grant, revoke, and drop) the role, as well as use any of the underlying system and object-level privileges of the role. When granted with administrative rights only, a user can manage the role, but cannot use its underlying system and object-level privileges. When granted with no administrative rights, a user can use its underlying system and object-level privileges, but cannot manage the role.

Extending a user to act as a role is useful when you have a user with a set of system and object-level privileges that you want to grant to another user.

You cannot convert a user-defined role to a user-extended role, and vice versa.

When you grant a user-extended role to a user or another role, the grantee inherits all the system and object-level privileges that the user-extended role has, including any administration rights.

Note: Unless otherwise noted, the term user-defined role refers to both user-extended and user-defined roles.

Creating a User-Defined Role
Create a new user-defined role.
Converting an Existing User to a User-Extended Role
You can extend an existing user ID to act as a role. If an original user has login privileges, the user-extended role retains the login privileges.
Converting a User-Extended Role Back to a User
You can convert a user-extended role back to a regular user.
Adding a User-Defined Role to a User or Role
Add membership in a user-defined role to a user or role (grantee), with or without administrative rights.
Removing Members from a User-Defined Role
Remove a user or role as a member of a role. The user or role loses the ability to use any underlying system privileges or roles of a role, along with the ability to administer the role, if granted.
Deleting a User-Defined Role
Delete a user-defined role from the database as long as all dependent roles retain the minimum required number of administrator users with active passwords after the drop. If the minimum value is not maintained, the command fails.
Role and Global Role Administrators
Role administrators and global role administrators are responsible for granting and revoking user-defined roles to users and other roles. You can add and remove role and global role administrators on a role as needed.

Parent topic: Roles