Minimum Number of Role Administrators

The MIN_ROLE_ADMINS database option is a configurable value that ensures you never create a scenario where there are no users and roles left with sufficient system privilege to manage the remaining users and roles.

This value applies to the minimum number of role administrators for each role, not for the total number of roles, and is considered when you:

Create or Revoke roles
Drop users or roles
Change a user's password to null
Note: Users or roles without passwords cannot be administrators.

When you attempt to change this value, the system validates that each existing role continues to have at least as many role administrators as defined by the new value. If even one role fails to meet this requirement, the statement fails. Similarly, when dropping users, if the number of remaining administrators drops below the designated minimum value, the statement fails.

Note: Locked accounts are not considered when counting the number of administrators for a role.

Example 1

MIN_ROLE_ADMINS value is 2

Role1 has two administrators and Role2 has three administrators.

If you reduce the value to 1, the command succeeds because both roles still have the new designated minimum number of role administrators. However, if you increase the value to 3, the command fails because Role1 no longer has sufficient administrators to meet the new minimum value.

Example 2

MIN_ROLE_ADMINS value is 4

Role1 has six administrators and Role2 has four administrators.

If you drop a user from Role1, the command succeeds because Role1 still has sufficient administrators to meet the minimum value. However, if you drop a user from Role2, the command fails because Role2 no longer has sufficient administrators to meet the minimum value.