Grant Compatibility Roles

Granting a compatibility role is semantically equivalent to granting each of its underlying system privileges and roles.

You can drop compatibility roles once each of the system privileges granted to a compatibility role have been granted to at least one user-defined role. You cannot modify individual system privileges within each compatibility role. With the exception of the SYS_AUTH_SA_ROLE, SYS_AUTH_SSO_ROLE, and SYS_AUTH_DBA_ROLE roles, compatibility roles can be dropped at any time, if not required. You can re-create any dropped compatibility role, if needed.

Use the compatibility roles SYS_AUTH_SA_ROLE and SYS_AUTH_SSO_ROLE to administer and grant all individual system privileges in a new database. The union of the system privileges of these two roles are granted to the compatibility role SYS_AUTH_DBA_ROLE. By default, SYS_AUTH_DBA_ROLE is granted to the DBA user with administrative privileges. Thus, all system privileges are initially granted to the DBA user.

To migrate all system privileges within a specific compatibility role to a single user-defined role, use the ALTER ROLE statement with the MIGRATE clause.

You can grant and revoke users or other roles to compatibility roles.

• Granting SYS_AUTH_SA_ROLE
  Allows users to perform authorized tasks pertaining to data and system administration responsibilities.
• Granting SYS_AUTH_SSO_ROLE
  Grant to allow users to perform authorized tasks pertaining to security and access control responsibilities.
• Granting SYS_AUTH_DBA_ROLE
  Grant to allow users to perform all authorized tasks.
• Granting SYS_AUTH_BACKUP_ROLE
  Grant to allow users to perform all backups.
• Granting SYS_AUTH_MULTIPLEX_ADMIN_ROLE
  Grant to allow users to perform authorized tasks to manage Multiplex.
• Granting SYS_AUTH_OPERATOR_ROLE
  Grant to allow users to checkpoint databases, drop connections (including those for users with SYS_AUTH_DBA_ROLE), back up databases, and monitor the system.
• Granting SYS_AUTH_PERMS_ADMIN_ROLE
  Grant to allow users to manage data privileges, groups, authorities, and passwords.
• Granting SYS_AUTH_PROFILE_ROLE
  Grant to allow users to enable/disable server tracing for application profiling.
• Granting SYS_AUTH_READFILE_ROLE
  Grant to allow users to read to a file resident on the server machine.
• Granting SYS_AUTH_READCLIENTFILE_ROLE
  Grant to allow users to read to a file resident on the client machine.
• Granting SYS_RUN_REPLICATION_ROLE
  This role is required for performing replication tasks using dbremote and synchronization tasks using dbmlsync.
• Granting SYS_AUTH_RESOURCE_ROLE
  Grant to allow users to create new database objects, such as tables, views, indexes, or procedures.
• Granting SYS_AUTH_SPACE_ADMIN_ROLE
  Grant to allow users to manage dbspaces.
• Granting SYS_AUTH_USER ADMIN_ROLE
  Grant to allow users to manage external logins, login policies, and other users.
• Granting SYS_AUTH_VALIDATE_ROLE
  Grant to allow users to validate or check tables, materialized views, indexes or databases in the system store that are owned by any user.
• Granting SYS_AUTH_WRITEFILE_ROLE
  Grant to allow users to write to a file resident on the server machine.
• Granting SYS_AUTH_WRITECLIENTFILE_ROLE
  Grant to allow users to write to a file resident on the client machine.