Security Roles

Lesson 2: What is a role?
Objective: Understand how database roles are used

How Database Roles are used

A role [1] is a way to group a series of security privileges[2] into a single entity. You can then use the role as a management tool for assigning and changing security privileges for individual users that are assigned the role. A role is an intermediary between individual object grants and individual users. You assign a set of privileges to a role, and then assign users to that role.

Advantages of roles

You can use roles to simplify security administration and implementation in four ways:
Simplified granting of privileges: By grouping privileges into a role, you reduce the amount of effort needed to grant multiple privileges.
Simplified management of privileges: To change the object privileges for a group of users assigned to a role, you can change the privileges for the role instead of the privileges for each individual user.
Dynamically changing security privileges: A user can assume more than one role, and can change roles while connected to the database. You can enable and disable roles as an administrator.
Application roles: You can create application roles, which allow all users of an application to have the same privileges while using the application.
The following slide show illustrates how roles work.
  1. There are two roles with two different sets of privileges for the COIN table: the VIEW_COIN role, which only has SELECT privileges, and the ADD_COIN role, which can also INSERT and UPDATE rows
  2. User1 is initially assigned the VIEW_COIN role
  3. With this role, User1 can select data from the COIN table
  4. As long as User1 is only assigned the VIEW_COIN role, he or she cannot insert data into the table
  5. The same INSERT statement works fine when User1 is assigned the ADD_COIN role
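
The slide sequence above, written out as Oracle SQL. This is an added example, not code from the original lesson. The schema name `coin_owner` and the columns `coin_id` and `coin_name` are assumptions, because the lesson does not show the COIN table's definition.

```sql
-- Run as a DBA (the schema name coin_owner is an assumption).
CREATE ROLE view_coin;
CREATE ROLE add_coin;

-- Slide 1: privileges are attached to the roles, not to individual users.
GRANT SELECT ON coin_owner.coin TO view_coin;
GRANT SELECT, INSERT, UPDATE ON coin_owner.coin TO add_coin;

-- Slide 2: User1 starts with only the read-only role.
GRANT view_coin TO user1;

-- Slides 3-4, connected as USER1 (column names are assumptions):
SELECT coin_id, coin_name FROM coin_owner.coin;      -- succeeds
INSERT INTO coin_owner.coin (coin_id, coin_name)
  VALUES (101, 'Constructed sample row');            -- fails: ORA-01031 insufficient privileges

-- Slide 5, as the DBA: grant the second role, but keep it out of the
-- default set so it is not enabled automatically at login.
GRANT add_coin TO user1;
ALTER USER user1 DEFAULT ROLE view_coin;

-- As USER1: enable both roles for this session, then retry the INSERT.
SET ROLE view_coin, add_coin;
INSERT INTO coin_owner.coin (coin_id, coin_name)
  VALUES (101, 'Constructed sample row');            -- now succeeds
COMMIT;

-- Check, as USER1: which roles are enabled in the current session.
SELECT role FROM session_roles;

-- Checks, as the DBA: what each role can do on COIN, and who holds which role.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'COIN_OWNER' AND table_name = 'COIN'
   AND grantee IN ('VIEW_COIN', 'ADD_COIN');

SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('VIEW_COIN', 'ADD_COIN');
```

Keeping ADD_COIN out of the default role set means the write privileges are active only in sessions that explicitly issue SET ROLE.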

The next lesson shows how to create a role.
[1] Role: A collection of privileges that can be assigned together.
[2] Privilege: The capability to perform some type of database action.