Assigning roles to a user uses the same syntax as the command that grants a system privilege to the user, regardless of what privileges are in the role. The following command would grant the developer role to Amandya WITH ADMIN OPTION:

GRANT developer TO Amandya WITH ADMIN OPTION;

The user who creates the role is implicitly assigned it WITH ADMIN OPTION. Any user who has been granted a role but has not been granted it WITH ADMIN OPTION requires the GRANT ANY ROLE system privilege to grant or revoke the role to and from other users.
Default Roles

Any given user can be assigned many roles. A default role is a distinct subset of those roles automatically enabled whenever that user logs in. By default, all of a user's assigned roles are enabled whenever that user logs in, without the need for a password. You can limit the default roles for a user with the ALTER USER command. The DEFAULT ROLE clause can only apply to roles that have already been granted directly to a user with the GRANT statement, not to embedded roles that have been granted to other roles. The DEFAULT ROLE clause cannot be used to enable the following:
The following is an example of the generic form of the DEFAULT ROLE clause:

ALTER USER username DEFAULT ROLE { role [, role ...] | ALL [EXCEPT role [, role ...]] | NONE };

ALL makes all the roles that have been granted to a user default roles, except those listed in an EXCEPT clause. EXCEPT indicates that the roles following the keyword should be excluded from being default roles. NONE makes none of the granted roles a default role for the user.
Because roles have to be granted before they can be default roles, you cannot use the DEFAULT ROLE clause with the CREATE USER command.
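The grant and default-role steps described above, followed by the dictionary queries an administrator can use to review who holds a role WITH ADMIN OPTION or the GRANT ANY ROLE privilege. This is an added example, not part of the original page; the role app_admin, the privileges placed in the roles, and the user name are assumptions chosen for illustration.

```sql
-- Added example (Oracle SQL). Role names, user name and the privileges
-- placed in the roles are hypothetical.

-- Run as a DBA. The creator of each role implicitly holds it WITH ADMIN OPTION.
CREATE ROLE developer;
CREATE ROLE app_admin;

GRANT CREATE SESSION, CREATE TABLE TO developer;
GRANT CREATE USER TO app_admin;

-- Roles must be granted directly to the user before they can be default roles.
GRANT developer TO amandya;
GRANT app_admin TO amandya WITH ADMIN OPTION;

-- Enable only developer at login; app_admin stays granted but disabled
-- until the session enables it explicitly.
ALTER USER amandya DEFAULT ROLE ALL EXCEPT app_admin;

-- Run in amandya's session: enable the non-default role only when it is
-- needed, then confirm what is active.
SET ROLE developer, app_admin;
SELECT role FROM session_roles;

-- Audit 1: roles granted to the user, whether each can be passed on
-- (ADMIN_OPTION) and whether it is enabled at login (DEFAULT_ROLE).
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'AMANDYA'
 ORDER BY granted_role;

-- Audit 2: every grantee able to hand out roles, either through
-- WITH ADMIN OPTION on a specific role or through GRANT ANY ROLE.
SELECT grantee, granted_role AS via, 'ADMIN OPTION' AS source
  FROM dba_role_privs
 WHERE admin_option = 'YES'
UNION ALL
SELECT grantee, privilege, 'SYSTEM PRIVILEGE'
  FROM dba_sys_privs
 WHERE privilege = 'GRANT ANY ROLE'
 ORDER BY 1, 2;
```

Keeping a powerful role out of the default set means a session has it only after an explicit SET ROLE, and the second audit query lists the accounts whose compromise would let a role be granted onward.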