1. role 的功能：簡化用戶的權限管理

建立角色——給角色授權——將角色授予用戶/角色

2、查看系統建立的role

SYS @ prod > select * from dba_roles;

ROLE PASSWORD

------------------------------ --------

CONNECT NO

RESOURCE NO

DBA NO

SELECT_CATALOG_ROLE NO

EXECUTE_CATALOG_ROLE NO

DELETE_CATALOG_ROLE NO

EXP_FULL_DATABASE NO

IMP_FULL_DATABASE NO

RECOVERY_CATALOG_OWNER NO

GATHER_SYSTEM_STATISTICS NO

LOGSTDBY_ADMINISTRATOR NO

AQ_ADMINISTRATOR_ROLE NO

AQ_USER_ROLE NO

GLOBAL_AQ_USER_ROLE GLOBAL

SCHEDULER_ADMIN NO

HS_ADMIN_ROLE NO

AUTHENTICATEDUSER NO

OEM_ADVISOR NO

OEM_MONITOR NO

WM_ADMIN_ROLE NO

JAVAUSERPRIV NO

JAVAIDPRIV NO

JAVASYSPRIV NO

JAVADEBUGPRIV NO

EJBCLIENT NO

JAVA_ADMIN NO

JAVA_DEPLOY NO

CTXAPP NO

XDBADMIN NO

XDBWEBSERVICES NO

OLAP_DBA NO

OLAP_USER NO

MGMT_USER NO

PLUSTRACE NO

3、建立角色（ create role）

SYS @ prod > create role pub_role;

Role created.

SYS @ prod > create role prv_role identified by oralce;【帶口令的，一般非默認角色都應該加上口令，便於分配和管理】

Role created.

4、給角色授權

SYS @ prod > grant create session,create table to pub_role;

Grant succeeded.

SYS @ prod > grant select on scott.emp to prv_role;

Grant succeeded.

5、查看role 擁有的權限

——SYSTEM PRIVILEGE

SYS @ prod > select * from role_sys_privs where role=‘&name‘;

Enter value for name: DBA

old 1: select * from role_sys_privs where role=‘&name‘

new 1: select * from role_sys_privs where role=‘DBA‘

ROLE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

DBA CREATE SESSION YES

DBA ALTER SESSION YES

DBA DROP TABLESPACE YES

DBA BECOME USER YES

DBA DROP ROLLBACK SEGMENT YES

DBA SELECT ANY TABLE YES

DBA INSERT ANY TABLE YES

DBA UPDATE ANY TABLE YES

DBA READ ANY FILE GROUP YES

DBA CREATE EXTERNAL JOB YES

SYS @ prod > select * from role_sys_privs where role=‘&name‘;

Enter value for name: CONNECT

old 1: select * from role_sys_privs where role=‘&name‘

new 1: select * from role_sys_privs where role=‘CONNECT‘

ROLE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

CONNECT CREATE SESSION NO

SYS @ prod > select * from role_sys_privs where role=‘&name‘;

Enter value for name: RESOURCE

old 1: select * from role_sys_privs where role=‘&name‘

new 1: select * from role_sys_privs where role=‘RESOURCE‘ 【隱含unlimited tablespace 權限（可以在任何一個表空間上擁有配額）

如果將該角色分配給用戶，一般都會將該權限收回，再進行表空間配額的分配】

ROLE PRIVILEGE ADMIN_OPT

-------------------- ------------------------------ ---------

RESOURCE CREATE SEQUENCE NO

RESOURCE CREATE TRIGGER NO

RESOURCE CREATE CLUSTER NO

RESOURCE CREATE PROCEDURE NO

RESOURCE CREATE TYPE NO

RESOURCE CREATE OPERATOR NO

RESOURCE CREATE TABLE NO

RESOURCE CREATE INDEXTYPE NO

8 rows selected.

SYS @ prod > select * from role_sys_privs where role=‘&name‘;

Enter value for name: PUB_ROLE

old 1: select * from role_sys_privs where role=‘&name‘

new 1: select * from role_sys_privs where role=‘PUB_ROLE‘

ROLE PRIVILEGE ADMIN_OPT

-------------------- ------------------------------ ---------

PUB_ROLE CREATE TABLE NO

PUB_ROLE CREATE SESSION NO

——OBJECT PRIVILEGE

SYS @ prod > select * from role_tab_privs where role=‘&name‘;

Enter value for name: PRV_ROLE

old 1: select * from role_tab_privs where role=‘&name‘

new 1: select * from role_tab_privs where role=‘PRV_ROLE‘

ROLE OWNER TABLE_NAME COLUMN_NAME PRIVILEGE GRANTABLE

-------------------- --------------- --------------- --------------- -------------------- ---------------

PRV_ROLE SCOTT EMP SELECT NO

6、將role 分配給用戶

——【default role：當用戶建立session 時，用戶所分配的role 上的權限會立刻生效。

（如果不顯式指定，用戶所分配的role都是該用戶的default role，默認角色分配的權限一般都很少）】

SYS @ prod > create user tom identified by tom;

User created.

SYS @ prod > create user rose identified by rose;

User created.

SYS @ prod > alter user tom quota 10m on users;

User altered.

SYS @ prod > alter user rose quota 10m on users;

User altered.

SYS @ prod > grant pub_role,prv_role to tom,rose; ——【with admin option 用戶有權將role 分配給其他用戶】

Grant succeeded.

——【role 可以分配給用戶，也可以分配其他role，不能分配給自己。

SYS @ prod > select * from user_role_privs; ——【默認情況下，pub_role 和 prv_role 都是tom的 default role】

USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE

--------------- ------------------------------ --------------- --------------- ---------

TOM PRV_ROLE NO YES NO

TOM PUB_ROLE NO YES NO

TOM RESOURCE NO YES NO

SYS @ prod > select * from scott.emp; 【tom 繼承了prv_role的object privilege】

EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO

---------- ---------- --------- ---------- --------- ---------- ---------- ----------

7369 SMITH CLERK 7902 17-DEC-80 800 20

7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30

7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30

7566 JONES MANAGER 7839 02-APR-81 2975 20

7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30

7698 BLAKE MANAGER 7839 01-MAY-81 2850 30

7782 CLARK MANAGER 7839 09-JUN-81 2450 10

7788 SCOTT ANALYST 7566 19-APR-87 3000 100 40

7839 KING PRESIDENT 17-NOV-81 5000 10

7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30

7876 ADAMS CLERK 7788 23-MAY-87 1100 20

7900 JAMES CLERK 7698 03-DEC-81 950 30

7902 FORD ANALYST 7566 03-DEC-81 3000 20

7934 MILLER CLERK 7782 23-JAN-82 1300 10

SYS @ prod > create table emp as select * from scott.emp; ——【tom 繼承了pub_role的system privilege】

Table created.

【顯式指定默認 role（對於非default role 必須在啟用後，用戶才能繼承role 所具有的權限）】

SYS @ prod > conn /as sysdba

Connected.

SYS @ prod > alter user tom default role pub_role;

User altered.

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_role_privs;

USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE

--------------- ------------------------------ --------------- --------------- ---------

TOM PRV_ROLE NO NO NO

TOM PUB_ROLE NO YES NO

TOM RESOURCE NO NO NO

TOM @ prod > select * from scott.emp;

select * from scott.emp

*

ERROR at line 1:

ORA-01031: insufficient privileges

【因為prv_role 是非 default role，所以tom 在建立session 不具有prv_role 的權限】

TOM @ prod > create table t1 (id int);

Table created.

TOM @ prod > set role prv_role;

set role prv_role

*

ERROR at line 1:

ORA-01979: missing or invalid password for role ‘PRV_ROLE‘

SYS @ prod > set role prv_role identified by oracle; ——【啟用非默認角色，如果有口令，需通過password 啟用】

Role set.

USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE

--------------- ------------------------------ --------------- --------------- ---------

TOM ANNY_ROLE NO NO NO

TOM PRV_ROLE NO NO NO

TOM PUB_ROLE NO YES NO

TOM RESOURCE NO NO N

SYS @ prod > select * from scott.emp;

EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO

---------- ---------- --------- ---------- --------- ---------- ---------- ----------

7369 SMITH CLERK 7902 17-DEC-80 800 20

7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30

7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30

7566 JONES MANAGER 7839 02-APR-81 2975 20

7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30

7698 BLAKE MANAGER 7839 01-MAY-81 2850 30

7782 CLARK MANAGER 7839 09-JUN-81 2450 10

7788 SCOTT ANALYST 7566 19-APR-87 3000 100 40

7839 KING PRESIDENT 17-NOV-81 5000 10

7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30

7876 ADAMS CLERK 7788 23-MAY-87 1100 20

7900 JAMES CLERK 7698 03-DEC-81 950 30

7902 FORD ANALYST 7566 03-DEC-81 3000 20

7934 MILLER CLERK 7782 23-JAN-82 1300 10

【啟用非 default role 後，用戶就具有了非default role 的權限】

7、角色回收（revoke）

SYS @ prod > revoke pub_role ,prv_role from tom,rose;

Revoke succeeded.

8、刪除角色（drop）

SYS @ prod > drop role pub_role;

Role dropped.

SYS @ prod > drop role prv_role;

Role dropped.

9、與角色有關的視圖

DBA_ROLES:

DBA_ROLE_PRIVS:

ROLE_ROLE_PRIVS:

DBA_SYS_PRIVS:

ROLE_SYS_PRIVS:

ROLE_TAB_PRIVS:

SESSION_ROLES: