Home » Oracle Database Administration » Oracle CREATE ROLE

Oracle CREATE ROLE

Summary: in this tutorial, you will learn how to use the Oracle CREATE ROLE statement to create roles in the Oracle Database.

Introduction to Oracle CREATE ROLE statement

A role is a group of privileges. Instead of granting individual privileges to users, you can group related privileges into a role and grant this role to users. Roles help manage privileges more efficiently.

To create a new role, you use the CREATE ROLE statement. The basic syntax of the CREATE ROLE statement is as follows:

CREATE ROLE role_name
[IDENTIFIED BY password]
[NOT IDENTIFIED]Code language: SQL (Structured Query Language) (sql)

In this syntax:

  • First, specify the name of the role that you want to create.
  • Second, use IDENTIFIED BY password option to create a local role and indicate that the user, who was granted the role, must provide the password to the database when enabling the role.
  • Third, use NOT IDENTIFIED to indicate that the role is authorized by the database and that the user, who was granted this role, doesn’t need a password to enable the role.

After a role is created, it is empty. To grant privileges to a role, you use the GRANT statement:

GRANT {system_privileges | object_privileges} TO role_name;Code language: SQL (Structured Query Language) (sql)

In addition, you can use the GRANT statement to grant privileges of a role to another role:

GRANT role_name TO another_role_name;
Code language: SQL (Structured Query Language) (sql)

Oracle CREATE ROLE statement examples

Let’s take some examples of using the CREATE ROLE statement.

1) Using Oracle CREATE ROLE without a password example

First, create a new role named mdm (master data management) in the sample database:

CREATE ROLES mdm;Code language: SQL (Structured Query Language) (sql)

Second, grant object privileges on customers, contacts, products, product_categories, warehouses, locations, employees tables to the mdm role:

GRANT SELECT, INSERT, UPDATE, DELETE
ON customers
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON contacts
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON products
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON product_categories
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON warehouses
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON locations
TO mdm;

GRANT SELECT, INSERT, UPDATE, DELETE
ON employees
TO mdm;Code language: SQL (Structured Query Language) (sql)

Third, create a new user named alice and grant the CREATE SESSION privilege to alice:

CREATE USER alice IDENTIFIED BY abcd1234;

GRANT CREATE SESSION TO alice;
Code language: SQL (Structured Query Language) (sql)

Fourth, log in to the database as alice:

Enter user-name: alice@pdborcl
Enter password:Code language: SQL (Structured Query Language) (sql)

and attempt to query data from the ot.employees table:

SELECT * FROM ot.employees;
Code language: SQL (Structured Query Language) (sql)

Oracle issued the following error:

ORA-00942: table or view does not exist
Code language: SQL (Structured Query Language) (sql)

Go back to the first session and grant alice the mdm role:

GRANT mdm TO alice;
Code language: SQL (Structured Query Language) (sql)

Go to the Alice’s session and enable the role using the SET ROLE statement:

SET ROLE mdm;Code language: SQL (Structured Query Language) (sql)

To query all roles of the current user, you use the following query:

SELECT * FROM session_roles;Code language: SQL (Structured Query Language) (sql)

Here is the role of alice:

ROLE
------
MDM
Code language: SQL (Structured Query Language) (sql)

Now, alice can manipulate data in the master data tables such as customers and employees.

2) Using Oracle CREATE ROLE to create a role with IDENTIFIED BY password example

First, create a new role named order_entry with the password xyz123:

CREATE ROLE order_entry IDENTIFIED BY xyz123;Code language: SQL (Structured Query Language) (sql)

Next, grant object privileges of the orders and order_items tables to the order_entry role:

GRANT SELECT, INSERT, UPDATE, DELETE
ON orders
TO order_entry;

GRANT SELECT, INSERT, UPDATE, DELETE
ON order_items
TO order_entry;Code language: SQL (Structured Query Language) (sql)

Then, grant the order_entry role to the user alice:

GRANT order_entry TO alice;Code language: SQL (Structured Query Language) (sql)

After that, log in as alice and enable the order_entry role by using the SET ROLE statement:

SET ROLE 
    order_entry IDENTIFIED BY xyz123,
    mdm;Code language: SQL (Structured Query Language) (sql)

Finally, use the following statement to get the current roles of alice:

SELECT * FROM session_roles;Code language: SQL (Structured Query Language) (sql)

Here are the current roles of alice:

ROLE
-------------
MDM
ORDER_ENTRYCode language: SQL (Structured Query Language) (sql)

In this tutorial, you have learned how to use the Oracle CREATE ROLE statement to create roles in the database.

Was this tutorial helpful?
How to List Users in the Oracle Database
Previously
How to List Users in the Oracle Database
Up Next
Oracle SET ROLE
Oracle SET ROLE