Role administrators are responsible for granting and revoking user-extended roles to users and other roles. You can add and remove role administrators as needed.
There are two types of role administrators:
When you create a new role, you can appoint one or more role administrators to manage the role (grant and revoke membership in the role). If no role administrator is specified during the creation process, the MANAGE ROLES system privilege is automatically granted to the role with the Administrative Only privilege, which creates the global role administrator for a role. However, if at least one administrator is specified during the creation process, the MANAGE ROLES system privilege is not granted to the role and global role administrators will be unable to manage the role. For this reason, it is recommended that role administrators not be specified when creating a new role. They should be added after the fact. This ensures that every role can be successfully managed by both role and global role administrators.
A role administrator can add or remove other role administrators from a role, including global role administrators. Both role administrators and global role administrators can grant, revoke, and drop roles. A role administrator does not require the MANAGE ROLES system privilege to administer a role.
By default, at least one role administrator or global role administrator with a login password must exist at all times for each role. This minimum requirement is validated before you can remove the global role administrator or role administrator from a role, or remove a role administrator's administrative rights on a role. The minimum requirement is a configurable database option (MIN_ROLE_ADMINS).