
Role Concept 

The database system supports a role concept. A role is a group of privileges that can be assigned to database users, user groups, or to other roles.

Procedure

1. The CREATE ROLE statement creates a role. Initially, the new role is empty. Only a database administrator (DBA user) can create roles. The name of a new role cannot be the same as the name of an existing role, user, or user group.

2. You use the GRANT statement to assign privileges to a role. You use the REVOKE statement to remove privileges from a role.

3. You can also use the GRANT statement together with the role name to assign a role to database users, user groups or other roles.

4. You use the ALTER USER or ALTER USERGROUP statement to specify which roles (assigned to a user or a user group) are used when opening a database session.

5. During a database session, you can use the SET statement to activate other roles assigned to the user or user group.
   If a password has been defined for a role, users assigned to this role can only activate it by specifying the password in the SET statement.

Result

The existence and properties of a role are registered as metadata in the database catalog. A user who creates a role becomes the owner of this role.

Any roles assigned to the user with the ALTER USER or ALTER USERGROUP statements are activated when the database session is opened.

Roles are not active while data definition statements are being executed.
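
The following walk-through of steps 1 to 5 is an added example, not part of the original documentation. It sets up a read-only role that is active at session start and a password-protected write role that must be activated explicitly. The schema, table, user, role and password names are hypothetical, and the clause spellings the page does not give (IDENTIFIED BY, DEFAULT ROLE, SET ROLE) are assumed MaxDB-style syntax.

```sql
-- Added example. All object names and the password are hypothetical placeholders.
-- Run each statement separately; the statement separator depends on the client tool.

-- Step 1 (as a DBA user): create two empty roles.
-- The write role gets a password, so holding the role alone is not enough to use it.
CREATE ROLE booking_read

CREATE ROLE booking_write IDENTIFIED BY role_pw_placeholder

-- Step 2: assign privileges to the roles.
GRANT SELECT ON hotel.reservation TO booking_read

GRANT SELECT, INSERT, UPDATE, DELETE ON hotel.reservation TO booking_write

-- REVOKE removes a privilege from a role again; here DELETE is taken back.
REVOKE DELETE ON hotel.reservation FROM booking_write

-- Step 3: assign the roles to a user. A role can also be assigned to another role.
GRANT booking_read TO clerk

GRANT booking_write TO clerk

-- Step 4: only the read role is activated when clerk opens a session.
ALTER USER clerk DEFAULT ROLE booking_read

-- Step 5 (in a session of user clerk): activate the write role for this session.
-- Because the role has a password, the SET statement must supply it.
SET ROLE booking_write IDENTIFIED BY role_pw_placeholder

-- Succeeds only while booking_write is active in the session.
UPDATE hotel.reservation SET arrival = '2025-01-15' WHERE rno = 100

-- Caveat from the Result section: roles are not active while data definition
-- statements are executed, so a statement such as the following cannot rely on
-- privileges that clerk holds only through booking_read or booking_write.
CREATE VIEW clerk_reservations AS SELECT * FROM hotel.reservation
```

Keeping the write role out of the session default means a session opened with clerk's credentials starts with read access only; write access additionally requires the role password.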

 
