Security Roles
Lesson 6: Password protected roles
Objective: Create password-protected roles.

Password Protected Roles

The primary method for authenticating users is the logon/password pair. No user can access anything in an Oracle database without first logging on. Occasionally you may want to add an additional level of security to a particular role.

Authorizing roles

You can add authorization to a role by adding the keyword IDENTIFIED to the basic CREATE ROLE statement. There are three ways to do this:
  1. You can require a password for access, using the keyword BY and the password, as in the command:

     CREATE ROLE BIDDER IDENTIFIED BY bidder;

     This method assigns a single password to the role. When a user attempts to enable the role using the SET ROLE command, they will have to supply the password.
  2. The operating system can authorize use of the role, if you use the EXTERNALLY keyword. To do this, you must also create roles whose names match the roles defined in the operating system, and you can only enable roles that are associated with the user by the operating system.
  3. You can use the Oracle Security Service to authorize use of the role, by using the GLOBALLY keyword.
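
The following script is an added example, not part of the original lesson. It walks the password-protected BIDDER role through creation, grant, enabling with SET ROLE, and verification. The user auction_user, the table auction_items, the roles bidder_os and bidder_dir, and the password are hypothetical placeholders.

```sql
-- Added example; auction_user, auction_items, bidder_os, bidder_dir and the
-- password are hypothetical. Run the first part as a user allowed to create roles.

-- Form 1: password-protected role. Use a password that differs from the role name.
CREATE ROLE bidder IDENTIFIED BY "Placeholder_Pw_1";
GRANT SELECT ON auction_items TO bidder;
GRANT bidder TO auction_user;

-- Keep the role out of the user's default roles so it is not enabled at
-- logon and has to be enabled explicitly with SET ROLE and the password.
ALTER USER auction_user DEFAULT ROLE ALL EXCEPT bidder;

-- In auction_user's session: enabling the role without the password fails
-- with ORA-01979 (missing or invalid password for role).
-- SET ROLE bidder;

-- Supplying the password enables the role for this session only.
SET ROLE bidder IDENTIFIED BY "Placeholder_Pw_1";

-- Verify which roles are currently enabled in the session.
SELECT role FROM session_roles;

-- Forms 2 and 3: authorization delegated outside the database.
CREATE ROLE bidder_os  IDENTIFIED EXTERNALLY;  -- operating system decides
CREATE ROLE bidder_dir IDENTIFIED GLOBALLY;    -- directory service decides

-- Review how each role is authorized (requires access to DBA_ROLES).
SELECT role, authentication_type
  FROM dba_roles
 WHERE role IN ('BIDDER', 'BIDDER_OS', 'BIDDER_DIR');
```

SET ROLE enables only the roles it names and disables the session's other roles, so list every role the session still needs in the same statement.
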
The next lesson is about granting users the ability to administer roles.