Replace current role administrators with new administrators.
The first approach is a two-step process: Add new role administrators, then remove existing administrators from the role. You must meet the minimum number of administrators requirement throughout; therefore, SAP recommends that you add new administrators before you remove existing ones. If the role has a global role administrator, it is retained unless you explicitly remove it.
You can issue the replacement role command as long as the replacement administrative option is equal to or higher than the current level. To lower the administrative level, first remove (revoke) all role administrators from the role, and then regranted them.
A minimum number of role or global role administrators (as defined by the MIN_ROLE_ADMINS database option) with a login password must exist for each role at all times. When replacing role administrators, if the number of replacement administrators violates the minimum requirement, the replacement fails.
Replacement Option | Statement |
---|---|
Replace select role administrators with administrative only rights; no role membership |
|
Replace select role administrators with administrative and role membership |
|
Replace all role administrators with administrative rights only; no role membership. Remove the global role administrator, if exists. |
CREATE OR REPLACE ROLE role_name WITH ADMIN ONLY admin_name [,...] |
Replace all role administrators with administrative rights and role membership. Remove the global role administrator, if exists. |
CREATE OR REPLACE ROLE role_name WITH ADMIN admin_name [,...] |
Replace all role administrators with administrative rights only including the global role administrator.* |
CREATE OR REPLACE ROLE role_name WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, admin_name [,...] |
Replace all role administrators with full administrative rights. Restore the global role administrator to the role* |
|
Sales has Mary and Bob as role administrators with full administrative rights. Sales has a global role administrator.
Execute these statements to remove Bob as a role administrator and replace him with Sarah and Jeff, with the same administrative rights. Bob remains a member of Sales with no administrative rights.
GRANT ROLE sales TO Sarah, Jeff WITH ADMIN OPTION REVOKE ADMIN OPTION FOR ROLE Sales FROM Bob
Execute these statements to replace the existing role administrators (Mary and Bob) with Sarah and Jeff, with full administrative rights. Since the global role administrator cannot be included on the list (cannot be granted with full administrative rights), it must be explicitly regranted to the role after replacing the role administrators.
CREATE OR REPLACE ROLE Sales WITH ADMIN Sarah, Jeff GRANT ROLE sales TO SYS_MANAGE_ROLES_ROLE WITH ADMIN ONLY OPTION
Execute these statements to replace the existing role administrators (Mary and Bob) with Bob and Sarah with administrative rights only. To preserve the global role administrator, it must be included on the list. Since Bob is to remain as a role administrator, and originally had higher administrative rights than the new role administrators, he retains the original higher administrative rights.
CREATE OR REPLACE ROLE Sales WITH ADMIN ONLY Bob, Sarah, SYS_MANAGE_ROLES_ROLE