Converting an Existing User to a User-Extended Role

You can extend an existing user ID to act as a role. This is useful when you have a user who is assigned a set of system and object-level privileges that you want to grant to another user.

Prerequisites
MANAGE ROLES system privilege.
Task

If an existing ID has login privileges, the user-extended role retains the login privileges.

When converting a user to act as a role, you can appoint administrators for the role, and indicate whether they are also to be members of the role. If you do not specify any administrators, the global role administrator (any user granted the MANAGE ROLES system privilege) becomes the default administrator of the role.

However, if at least one role administrator is specified during conversion, global role administrators cannot manage the role, because the SYS_MANAGE_ROLES_ROLE system privilege is not automatically granted to the role with administrative rights. For this reason, SAP strongly recommends that you either do not define any role administrators when creating a role (add them after creation), or explicitly grant the SYS_MANAGE_ROLES_ROLE system privilege with administrative rights only, along with any role administrators, during the conversion process.

You can add or remove role administrators after converting a user. If you attempt to convert a user using a user ID that does not exist, the statement fails.

To convert an existing user, execute one of these statements:
Convert Condition: Global role administrator only; no role administrators
Statement: CREATE ROLE FOR USER userID

Convert Condition: Role administrators with no role membership; no global role administrator
Statement: CREATE ROLE FOR USER userID WITH ADMIN ONLY admin_name [,...]

Convert Condition: Role administrators with role membership; no global role administrator*
Statement: CREATE ROLE FOR USER userID WITH ADMIN admin_name [,...]

Convert Condition: Role administrators with no role membership; global role administrator*
Statement: CREATE ROLE FOR USER userID WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, admin_name [,...]

*Since global role administrators cannot be granted membership in a role, you cannot include SYS_MANAGE_ROLES_ROLE in the administrators list when creating a role with role administrators granted membership in the role (WITH ADMIN option). It can, however, be included when creating a role with role administrators not granted membership in the role (WITH ADMIN ONLY option).

Example:

This statement extends user Sales1 to act as a role. Since no role administrators are specified, any user with the MANAGE ROLES system privilege can administer the role.

CREATE ROLE FOR USER Sales1

This statement extends the user Marketing1 to act as a role, with Jane and Bob acting as role administrators. It also allows global role administrators to manage the role.

CREATE ROLE FOR USER Marketing1 WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, Jane, Bob
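
The rules above can be checked before a conversion script is run. The following Python reviewer is an added example, not part of the SAP documentation: it flags statements that leave global role administrators unable to manage the role, and statements that list SYS_MANAGE_ROLES_ROLE under WITH ADMIN. The function names, verdict labels and the last three sample statements are assumptions made for this example, and it parses only the four statement forms shown on this page.

```python
import re

GLOBAL_ADMIN = "SYS_MANAGE_ROLES_ROLE"

# Recognizes only the statement forms listed on this page.
STMT = re.compile(
    r"^\s*CREATE\s+ROLE\s+FOR\s+USER\s+(?P<user>\w+)"
    r"(?:\s+WITH\s+ADMIN(?P<only>\s+ONLY)?\s+"
    r"(?P<admins>(?!ONLY\b)\w+(?:\s*,\s*\w+)*))?"
    r"\s*;?\s*$",
    re.IGNORECASE,
)

def review(statement):
    """Classify one statement; verdict labels are this example's own."""
    m = STMT.match(statement)
    if not m:
        return ("unparsed", "not a CREATE ROLE FOR USER form from this page")
    if m.group("admins") is None:
        return ("ok", "global role administrators administer the role by default")
    admins = [a.strip().upper() for a in m.group("admins").split(",")]
    has_global = GLOBAL_ADMIN in admins
    if m.group("only") is None and has_global:
        # WITH ADMIN grants membership, which global role administrators cannot hold.
        return ("invalid", GLOBAL_ADMIN + " is not allowed in a WITH ADMIN list")
    if not has_global:
        return ("no_global_admin", "global role administrators cannot manage this role")
    return ("ok", "role administrators and global role administrators can manage the role")

# Constructed sample script: the page's two examples plus three constructed ones.
SAMPLE = [
    "CREATE ROLE FOR USER Sales1",
    "CREATE ROLE FOR USER Marketing1 WITH ADMIN ONLY SYS_MANAGE_ROLES_ROLE, Jane, Bob",
    "CREATE ROLE FOR USER Sales1 WITH ADMIN ONLY Jane",
    "CREATE ROLE FOR USER Sales1 WITH ADMIN Jane, Bob",
    "CREATE ROLE FOR USER Sales1 WITH ADMIN SYS_MANAGE_ROLES_ROLE, Jane",
]

def flagged(statements):
    """Return (statement, verdict, detail) for every statement that is not 'ok'."""
    results = [(s,) + review(s) for s in statements]
    return [r for r in results if r[1] != "ok"]

if __name__ == "__main__":
    for stmt, verdict, detail in flagged(SAMPLE):
        print(f"{verdict}: {stmt}\n    {detail}")
```
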
Related concepts
Role and Global Role Administrators
Related reference
CREATE ROLE Statement