Migrating a Compatibility Role

Migrate all underlying system privileges of a compatibility role to a user-defined role.

Prerequisites

Administrative privilege over the role being migrated, and the MANAGE ROLES system privilege.

Task

Compatibility roles are immutable, but they can be migrated in their entirety to a new user-defined role. Once migrated, the compatibility role is automatically dropped. This process is systematically equivalent to individually granting each underlying system privilege to a user-defined role, then manually dropping the compatibility role.

During migration:

A new user-defined role is created.
All of the system privileges currently granted to the migrating compatibility role are automatically granted to the new user-defined role.
All users and roles currently granted to the migrating compatibility role are automatically granted to the new user-defined role.
Administrators of the compatibility role continue to be the administrators of the new migrated role.
The compatibility role is dropped.

You cannot use ALTER ROLE to migrate the compatibility roles SYS_AUTH_SA_ROLE and SYS_AUTH_SSO_ROLE. SYS_AUTH_SA_ROLE and SYS_AUTH_SSO_ROLE are automatically migrated when SYS_AUTH_DBA_ROLE is migrated.

To migrate a compatibility role, execute one of the following statements:

Compatibility Role	Statement
SYS_AUTH_DBA_ROLE SYS_AUTH_DBA_ROLE is successfully migrated if: SYS_AUTH_DBA_ROLE has not already been dropped. The names of the new roles do not begin with the prefix SYS_ or end with the suffix _ROLE. The names of the three new roles do not already exist in the database.	ALTER ROLE `SYS_AUTH_DBA_ROLE` MIGRATE TO `new_role_name, new_sa_role_name, new_sso_role_name`
Any other compatibility role The compatibility role is successfully migrated if: The compatibility role being migrated has not already been dropped. The name of the new role does not begin with the prefix SYS_ or end with the suffix _ROLE. The name of the new role does not already exist in the database.	ALTER ROLE `compatibility_sys_role_name` MIGRATE TO `new_role_name`

Compatibility Role

Statement

SYS_AUTH_DBA_ROLE

SYS_AUTH_DBA_ROLE is successfully migrated if:
SYS_AUTH_DBA_ROLE has not already been dropped.

The names of the new roles do not begin with the prefix SYS_ or end with the suffix _ROLE.

The names of the three new roles do not already exist in the database.

ALTER ROLE SYS_AUTH_DBA_ROLE

MIGRATE TO new_role_name, new_sa_role_name, new_sso_role_name

Any other compatibility role

The compatibility role is successfully migrated if:
The compatibility role being migrated has not already been dropped.

The name of the new role does not begin with the prefix SYS_ or end with the suffix _ROLE.

The name of the new role does not already exist in the database.

ALTER ROLE compatibility_sys_role_name

MIGRATE TO new_role_name

The following statements migrate the SYS_AUTH_DBA_ROLE to the new roles Custom_DBA, Custom_SA, and Custom_SSO, respectively, and migrate the SYS_AUTH_OPERATOR_ROLE role to the new role Operator_role. All users, underlying system privileges, and roles granted to the original roles are automatically migrated to the new roles. Finally, SYS_AUTH_DBA_ROLE, SYS_AUTH_SA_ROLE, SYS_AUTH_SSO_ROLE and SYS_AUTH_OPERATOR_ROLE are all dropped.

ALTER ROLE SYS_AUTH_DBA_ROLE
MIGRATE TO Custom_DBA, Custom_SA, Custom_SSO

ALTER ROLE SYS_AUTH_OPERATOR_ROLE
MIGRATE TO Operator_role