Migrate all underlying system privileges of a compatibility role to a user-defined role.
Compatibility roles are immutable, but you can migrate them in their entirety to a new user-defined role. Once migrated, the compatibility role is automatically dropped. This process is systematically equivalent to individually granting each underlying system privilege to a user-defined role, then manually dropping the compatibility role.
During migration:
The name of the new role cannot already exist, or begin with the prefix SYS_ and end with the suffix _ROLE when migrating a compatibility role.
Compatibility Role | Statement |
---|---|
SYS_AUTH_DBA_ROLE |
ALTER ROLE SYS_AUTH_DBA_ROLE MIGRATE TO new_dba_role_name, new_sa_role_name, new_sso_role_name |
Any other compatibility role |
ALTER ROLE compatibility_sys_role_name MIGRATE TO new_role_name |
The following statement migrates SYS_AUTH_DBA_ROLE to the new roles Custom_DBA_Role, Custom_SA_Role, and Custom_SSO_Role, respectively.
ALTER ROLE SYS_AUTH_DBA_ROLE MIGRATE TO Custom_DBA_Role, Custom_SA_Role, Custom_SSO_Role
This statement migrates the SYS_AUTH_OPERATOR_ROLE role to the new role Custom_Operator_role.
ALTER ROLE SYS_AUTH_OPERATOR_ROLE MIGRATE TO Custom_Operator_Role
In both examples, all users, underlying system privileges, and roles granted to the original roles are automatically migrated to the new roles, then SYS_AUTH_DBA_ROLE, SYS_AUTH_SA_ROLE, SYS_AUTH_SSO_ROLE and SYS_AUTH_OPERATOR_ROLE are dropped.