Security Roles   «Prev  Next»
Lesson 10 Listing user roles
Objective List roles granted to user

List roles granted to user

The previous lesson explained the data dictionary views that contain information about roles and their privileges. There are also data dictionary views that advise you on the particular roles assigned to a particular user.

Listing roles for user

The primary data dictionary view used to describe the roles for a user is USER_ROLE_PRIVS. This view contains the following columns:
Role What it determines
USERNAME The name of the user, or the group PUBLIC
GRANTED_ROLE The name of the role
ADMIN_OPTION Whether the role was granted with the ADMIN OPTION
DEFAULT_ROLE Whether the role is a default role for the user
OS_GRANTED Whether the role was granted by the operating system, as when the role was created with the IDENTIFIED EXTERNALLY option

Some of this information is also available through the DBA_ROLE_PRIVS view, which contains columns for GRANTEE, the recipient of the role; GRANTED_ROLE, for the role name; ADMIN_OPTION; and DEFAULT_ROLE. The DBA view contains this information for all roles for all users.

Listing available roles

There is also a view that you can use to find out the current roles for a user.
The SESSION_ROLES view lists the current roles for the current user.
These two views, along with the data dictionary views mentioned previously, can be used to illustrate how roles and privileges work in the following simulation.
  1. You have started SQL*Plus. At the login box, enter |||(S1)BID1|||(S0) as both the User Name and Password (using the Tab key to move between text boxes) and then press Enter.
  2. (S0)Enter |||(S1)BID1|||(S0) in the User Name box.
  3. (S0)Enter |||(S1)BID1|||(S0) in the Password box and click OK.
  4. Once the SQL*Plus environment starts, enter |||(S1)SELECT * FROM SESSION_ROLES;|||(S0) at the prompt and then press Enter to list the current session roles for the user.
  5. SELECT * FROM SESSION_ROLES;
  6. (S1)SELECT * FROM SESSION_ROLES;|||(S0) is the correct syntax. Don't forget to press the Enter key.
  7. The current roles assigned to the user BID1 are listed. These are all default roles. The BROWSER role gives the SELECT privilege on the BID table in the COIN schema to the user. To test these privileges, select all the columns from the COIN.BID table by entering |||(S1)SELECT * FROM COIN.BID;|||(S0) at the prompt and pressing enter.
  8. SELECT * FROM COIN .BID;
  9. (S1)SELECT * FROM COIN.BID;|||(S0) is the correct syntax. Don't forget to press the Enter key.
  10. To take away this privilege, you can simply reassign the BIDDER role to the user by entering |||(S1)SET ROLE BIDDER;|||(S0) at the prompt and pressing Enter.
  11. SET ROLE BIDDER;
  12. (S1)SET ROLE BIDDER;|||(S0) is the correct syntax. Don't forget to press the Enter key.
  13. To check the result of this command, query the SESSION_ROLES view again by entering |||(S1)SELECT * FROM SESSION_ROLES;|||(S0) at the prompt and pressing Enter.
  14. SELECT * FROM SESSION_ROLES;
  15. (S1)SELECT * FROM SESSION_ROLES;|||(S0) is the correct syntax. Don't forget to press the Enter key.
  16. Now try to query the COIN.BID table again, using the same syntax you learned in step 3 of this simulation.
  17. SELECT * FROM COIN.BID;
  18. (S1)SELECT * FROM COIN.BID;|||(S0) is the correct syntax. Don't forget to press the Enter key.
  19. Without the SELECT privilege granted to the BROWSER role, you can no longer see the data in the COIN.BID table. This is the end of the simulation. Click Exit.

DBA using Roles
The next lesson shows how to get rid of a role.