Role and Global Role Administrators

Role administrators and global role administrators grant user-defined roles to, and revoke them from, users and other roles. You can add and remove role administrators and global role administrators on a role as needed.

There is no maximum number of role administrators that can be granted to a single role. However, there is a minimum number, as specified by the configurable MIN_ROLE_ADMINS database option. This minimum requirement is validated before you can revoke a role administrator or global role administrator from a role. The minimum number of role administrators can be set to any value between 1 (default) and 10.

A role administrator can be a user, a user-extended role, or a user-defined role.

Global role administrators include users who are granted the MANAGE ROLES system privilege. Global role administrators can administer any role to which the SYS_MANAGE_ROLES_ROLE system privilege has been granted with administrative rights.

Both role and global role administrators can grant, revoke, and drop roles, and can add or remove role and global role administrators to and from a role. A role administrator can be a user or a role and does not require the MANAGE ROLES system privilege to administer a role.

You can appoint role administrators either when creating the role or after the role has been created, and indicate whether they are also to be members of the role. If you do not specify any administrators, the global role administrator is, by default, the administrator of the role.

If at least one role administrator is specified during role creation, global role administrators cannot manage the role because the SYS_MANAGE_ROLES_ROLE system privilege is not automatically granted to the role with administrative rights. For this reason, SAP strongly recommends that you either do not define any role administrators when creating a role (add them after creation), or explicitly grant the SYS_MANAGE_ROLES_ROLE system privilege with administrative rights only along with any role administrators during the

If you do not specify a role administrator when you create a role, the global role administrator (SYS_MANAGE_ROLES_ROLE system privilege) is automatically granted to the role with administrative-only rights.

If you later add role administrators to a role originally created with no role administrators, the global role administrator (SYS_MANAGE_ROLES_ROLE system privilege) may or may not be removed, depending on how you add the role administrators. If you use the GRANT statement, the SYS_MANAGE_ROLES_ROLE system privilege remains granted to the role. However, if you use the CREATE OR REPLACE statement, the SYS_MANAGE_ROLES_ROLE system privilege is removed if it is not explicitly included in the new list of role administrators.

Note: You cannot remove the SYS_MANAGE_ROLES_ROLE system privilege from a role if doing so would leave the role with fewer than the defined minimum number of role administrators.
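
The cases above, written out as an added example that is not part of the original documentation. It assumes SAP SQL Anywhere / SAP IQ style role statements; the roles sales_rw and sales_ro and the users mary and jeff are hypothetical, and the users are assumed to exist already.

```sql
-- Hypothetical names: roles sales_rw / sales_ro, users mary and jeff.

-- Case 1 (pitfall): an administrator is named at creation, so
-- SYS_MANAGE_ROLES_ROLE is not granted automatically and global role
-- administrators cannot manage sales_rw.
CREATE ROLE sales_rw WITH ADMIN ONLY mary;

-- Case 1 (corrected): list SYS_MANAGE_ROLES_ROLE explicitly, with
-- administrative-only rights, next to the role administrator.
CREATE OR REPLACE ROLE sales_rw WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, mary;

-- Case 2 (recommended path): create the role with no administrators.
-- SYS_MANAGE_ROLES_ROLE is granted automatically with administrative-only
-- rights. Adding jeff with GRANT leaves that grant in place.
CREATE ROLE sales_ro;
GRANT ROLE sales_ro TO jeff WITH ADMIN ONLY OPTION;

-- Case 3 (pitfall): CREATE OR REPLACE supplies a new administrator list.
-- SYS_MANAGE_ROLES_ROLE is not in it, so it is removed from sales_ro.
CREATE OR REPLACE ROLE sales_ro WITH ADMIN ONLY jeff;

-- Case 3 (repair): grant the global role administrator back.
GRANT ROLE sales_ro TO SYS_MANAGE_ROLES_ROLE WITH ADMIN ONLY OPTION;

-- Case 4: minimum-administrator check, with MIN_ROLE_ADMINS at its
-- default of 1. Revoking jeff is allowed because SYS_MANAGE_ROLES_ROLE
-- still administers the role.
REVOKE ADMIN OPTION FOR ROLE sales_ro FROM jeff;

-- This revoke would leave sales_ro with no administrator, so per the
-- note above it is expected to be rejected.
REVOKE ADMIN OPTION FOR ROLE sales_ro FROM SYS_MANAGE_ROLES_ROLE;
```

When reviewing role definitions, treat any CREATE OR REPLACE ROLE statement whose administrator list omits SYS_MANAGE_ROLES_ROLE as a change that takes the role out of global role administrators' reach.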

By default, the SYS_MANAGE_ROLES_ROLE system privilege is not granted to compatibility roles (SYS_AUTH_*_ROLE). Therefore, to allow global role administrators to manage a compatibility role, you must explicitly grant SYS_MANAGE_ROLES_ROLE with administrative rights only to the role.