Oracle Roles
Version 12.1.0.2

General Information
Library Note Morgan's Library Page Footer
The Library is currently in the process of being upgraded from Oracle Database Version 11.2.0.3 to 12.1.0.1. Demos are being upgraded to reflect the new Container paradigm as well as EBR (Edition Based Redefinition) and may contain references to CDBs, PDBs, and other objects you may not be familiar with such as CDB_OBJECTS_AE: Welcome to 12c.
Notes
  • The maximum number of roles that can be enabled for a single session is 148. A small maximum value can be set with the init parameter MAX_ENABLED_ROLES
  • A common role must have a name that begins with C##.
  • Roles can contain system privileges
  • Roles can contain object privileges
  • Roles can contain roles
  • Object privileges granted through roles do not work within PL/SQL objectsw unless those permissions must be granted explicitly to the user by defining the object with invoker (CURRENT_USER) rights
Data Dictionary Objects
CDB_ROLES ROLE_ROLE_PRIVS USER_APPLICATION_ROLES
CDB_ROLE_PRIVS ROLE_SYS_PRIVS USER$
DBA_ROLES ROLE_TAB_PRIVS USER_ROLE_PRIVS
DBA_ROLE_PRIVS SESSION_ROLES V$PWFILE_USERS
DEFROLE$    
Related System Privileges
ALTER ANY ROLE DROP ANY ROLE GRANT ANY ROLE
CREATE ROLE    
Page Sections
 
Creating CDB Roles
Create Role CREATE ROLE <role_name> [NOT IDENTIFIED] CONTAINER = <ALL | CURRENT>;
CREATE ROLE read_only;
or
CREATE ROLE read_only NOT IDENTIFIED;
Create Password Protected Role CREATE ROLE <role_name> IDENTIFIED BY <password>;
CREATE ROLE read_only IDENTIFIED BY "S0^Sorry";
Create Package Protected Role CREATE ROLE <role_name> IDENTIFIED USING <schema_name>.<package_name>.<procedure_name>;
conn c##uwclass/c##uwclass@pdbdev

CREATE OR REPLACE PACKAGE db_security AUTHID CURRENT_USER IS
  PROCEDURE enable_role;
END db_security;
/

CREATE OR REPLACE PACKAGE BODY db_security IS
 PROCEDURE enable_role IS
 BEGIN
   dbms_session.set_role('read_only');
 END enable_role;
END db_security;
/

col schema format a20
col package format a30

SELECT * FROM dba_application_roles;

CREATE ROLE read_only IDENTIFIED USING db_security;

SELECT * FROM dba_application_roles;

GRANT select on uwclass.airplanes TO read_only;
GRANT execute ON db_security TO uwclass;
GRANT x2dba TO scott;
ALTER USER scott DEFAULT ROLE connect, resource;

conn scott/tiger

SELECT * FROM user_role_privs;

SELECT * FROM session_roles;

-- this time it will fail
SELECT * FROM uwclass.airplanes;

exec uwclass.db_security.enable_role;

-- this time it will succeed
SELECT * FROM uwclass.airplanes;
Identified Externally CREATE ROLE <role_name> IDENTIFIED EXTERNALLY;
CREATE ROLE dba IDENTIFIED EXERNALLY;
Identified Globally CREATE ROLE <role_name> IDENTIFIED GLOBALLY;
CREATE ROLE dba IDENTIFIED GLOBALLY;
 
Creating PDB Roles
Create Role CREATE ROLE <role_name> [NOT IDENTIFIED] CONTAINER = <ALL | CURRENT>;
CREATE ROLE read_only CONTAINER = CURRENT;
or
CREATE ROLE c##read_only NOT IDENTIFIED;
Create Password Protected Role CREATE ROLE <role_name> IDENTIFIED BY <password>;
CREATE ROLE dba IDENTIFIED BY "S0^Sorry";
Create Package Protected Role CREATE ROLE <role_name> IDENTIFIED USING <schema_name>.<package_name>.<procedure_name>;
CREATE OR REPLACE PACKAGE db_security AUTHID CURRENT_USER IS
 PROCEDURE enable_role;
END db_security;
/

CREATE OR REPLACE PACKAGE BODY db_security IS
 PROCEDURE enable_role IS
 BEGIN
   dbms_session.set_role('x2dba');
 END enable_role;
END db_security;
/

SELECT * FROM dba_application_roles;

CREATE ROLE x2dba IDENTIFIED USING uwclass.db_security;

SELECT * FROM dba_application_roles;

GRANT select on uwclass.airplanes TO x2dba;
GRANT execute ON db_security TO scott;
GRANT x2dba TO scott;
ALTER USER scott DEFAULT ROLE connect, resource;

conn scott/tiger

SELECT * FROM user_role_privs;

SELECT * FROM session_roles;

-- this time it will fail
SELECT * FROM uwclass.airplanes;

exec uwclass.db_security.enable_role;

-- this time it will succeed
SELECT * FROM uwclass.airplanes;
Identified Externally CREATE ROLE <role_name> IDENTIFIED EXTERNALLY;
CREATE ROLE dba IDENTIFIED EXERNALLY;
Identified Globally CREATE ROLE <role_name> IDENTIFIED GLOBALLY;
CREATE ROLE dba IDENTIFIED GLOBALLY;
 
Assign and Revoke Role Privileges
Assign Privilege To A Role GRANT <privilege_name> TO <role_name>;
GRANT create session TO read_only;
Create A Role Heirarchy GRANT <role_name> TO <role_name>;
CREATE ROLE ap_clerk;

GRANT read_only TO ap_clerk;
GRANT select ON general_ledger TO ap_clerk;
GRANT insert ON ap_master TO ap_clerk;
GRANT update ON ap_master TO ap_clerk;
GRANT insert ON ap_detail TO ap_clerk;
GRANT update ON ap_detail TO ap_clerk;
Add Another Layer To The Heirarchy GRANT <roles and privileges> TO <role_name>;
CREATE ROLE ap_manager IDENTIFIED BY appwd;

GRANT ap_clerk TO ap_manager;
GRANT delete ON ap_master TO ap_manager;
GRANT delete ON ap_detail TO ap_manager;
GRANT select any table TO ap_manager;
Revoke Privilege REVOKE <privilege_name> FROM <role_name>;
REVOKE select any table FROM ap_manager;
 
Assign and Revoke User Roles
Assigning Roles To Users GRANT <roles_name> TO <user_name>;
GRANT read_only TO jbiden CONTAINER=CURRENT;

GRANT ap_clerk TO jstough CONTAINER=CURRENT;
GRANT ap_clerk TO ckeizer CONTAINER=CURRENT;
GRANT ap_clerk TO rallen CONTAINER=CURRENT;

GRANT ap_manager TO escott CONTAINER=CURRENT;
Revoke a role from a user REVOKE <role_name> FROM <user_name>;
REVOKE ap_manager FROM escott;
Revoke A Role And Drop Any Invalidated Constraints REVOKE ALL ON <table_name> FROM <schema_name> CASCADE CONSTRAINTS;
REVOKE ALL ON invoices FROM abc CASCADE CONSTRAINTS;
 
Activating & Decactivating Roles
Activate A Session Role SET ROLE <role_name>;
SET ROLE ap_clerk;
Activating A Password Protected Role SET ROLE <role_name> IDENTIFIED BY <role_password>;
SET ROLE ap_manager IDENTIFIED BY appwd;
Activate All Available Roles SET ROLE all;
SET ROLE all;
Activating All Roles Except One SET ROLE all EXCEPT <role_name>;
SET ROLE all EXCEPT ap_manager;
Deactivating A Role Can not be done on an individual basis
Deactivate All Roles SET ROLE none;
SET ROLE none;
 
Drop Role
Drop A Role DROP ROLE <role_name>;
DROP ROLE manager_role;
 
PLUSTRACE Role
Creating And Assigning The PLUSTRACE Role For AUTOTRACE This role must be created by SYS in the PDB (not the CDB) and grants SELECT on the following v_$ views:
  • V_$SESSTAT
  • V_$STATNAME
  • V_$MYSTAT
conn sys@orabase as sysdba

SQL> SELECT sys_context('USERENV', 'CON_NAME') FROM dual;

SYS_CONTEXT('USERENV','CON_NAME')
--------------------------------------------------------
ORABASE

SQL> @c:\oracle\product\12.1.0\dbhome_1\sqlplus\admin\plustrce.sql

GRANT plustrace TO uwclass;
 
Role Related Queries
Roles are treated like users in the data dictionary -- users
SELECT name USER_NAMES, DECODE(spare1, 0, 'USER', 'SYSTEM') CREATED_BY, spare6 CREATE_DATE
FROM user$
WHERE type# = 1
ORDER BY 1;

-- roles
SELECT name ROLE_NAMES, DECODE(spare1, 0, 'USER', 'SYSTEM') CREATED_BY
FROM user$
WHERE type# = 0
ORDER BY 1;
Roles Granted to the Current User col granted_role format a30

SELECT granted_role, admin_option, default_role, os_granted, common
FROM user_role_privs
ORDER BY 2;
Privileges Granted to a Role col role format a30

SELECT *
FROM role_sys_privs
ORDER BY 1;
Grant SELECT On All Tables in a Schema to a Role CREATE OR REPLACE PROCEDURE GRANT_SELECT AUTHID CURRENT_USER IS
 CURSOR ut_cur IS
 SELECT table_name
 FROM user_tables;

 RetVal  NUMBER;
 sCursor INT;
 sqlstr  VARCHAR2(250);
BEGIN
  FOR ut_rec IN user_tabs_cur;
  LOOP
    sqlstr := 'GRANT SELECT ON ' || ut_rec.table_name || ' TO dm216q';
    sCursor := dbms_sql.open_cursor;
    dbms_sql.parse(sCursor,sqlstr, dbms_sql.native);

    RetVal := dbms_sql.execute(sCursor);
    dbms_sql.close_cursor(sCursor);
  END LOOP;
END grant_select;
Roles Granted To Schemas SELECT grantee, granted_role
FROM dba_role_privs
ORDER BY 1,2;
Tables And Columns That Can Be Modified by a User -- you will want to add a WHERE clause to this query to limit the rows returned for relevancy

SELECT *
FROM all_updatable_columns
ORDER BY 1;
 
Installation Roles
Roles Created by Database Installation

You may not find all of these roles in your database depending on edition and feature's chosen.
Role Name Description
ADM_PARALLEL_EXECUTE_TASK Provides privileges to update table data in parallel by using the DBMS_PARALLEL_EXECUTE PL/SQL package
APEX_ADMINISTRATOR_ROLE Grants EXECUTE on APEX_030200.WWV_FLOW_INSTANCE_ADMIN
APEX_GRANTS_FOR_NEW_USERS_ROLE Contains multiple SYS privs
AQ_ADMINISTRATOR_ROLE Privilege to administer Advanced Queuing 
AQ_USER_ROLE De-supported but maintained for backward compatibility to version 8.0
AUDIT_ADMIN Provides privileges to create unified and fine-grained audit policies, use the AUDIT and NOAUDIT SQL statements, view audit data, and manage the audit trail administration
AUDIT_VIEWER Provides privileges to view and analyze audit data
AUTHENTICATEDUSER Used by the XDB protocols to define any user who has logged in to the system
CAPTURE_ADMIN Provides the privileges necessary to create and manage privilege analysis policies
CDB_DBA Provides the privileges required for administering a CDB, such as SET CONTAINER, SELECT ON PDB_PLUG_IN_VIOLATIONS, and SELECT ON CDB_LOCAL_ADMIN_PRIVS. If your site requires additional privileges, then you can create a role (either common or local) to cover these privileges, and then grant this role to the CDB_DBA role
CONNECT Contains the CREATE SESSION and SET CONTAINER system privileges
CSW_USR_ROLE Provides user privileges to manage the Catalog Services for the Web (CSW) component of Oracle Spatial
CTXAPP Enables developers create Oracle Text indexes and index preferences, and to use PL/SQL packages
DATAPUMP_EXP_FULL_DATABASE Granted EXP_FULL_DATABASE role
DATAPUMP_IMP_FULL_DATABASE Granted EXP_FULL_DATABASE and IMP_FULL_DATABASE roles
DBA Example Database Administrator role. Should not be used. Granted 19 other roles in an act of pure insanity.
DBFS_ROLE Provides access to the DBFS (the Database Filesystem) packages and objects
DBHADOOP Created but, at least at install, has no associated roles or privileges
DELETE_CATALOG_ROLE Present but deprecated
DV_ACCTMGR Use the DV_ACCTMGR role to create and maintain database accounts and database profiles. In this manual, the example DV_ACCTMGR role is assigned to a user named amalcolm_dvacctmgr.
DV_ADMIN The DV_ADMIN role controls the Oracle Database Vault PL/SQL packages.
DV_AUDIT_CLEANUP Grant to any user who is responsible for purging the Database Vault auit trail in a non-unified auditing environment
DV_GOLDENGATE_ADMIN Intended for any user with responsibility for GoldenGate configuration by default it contains no privileges
DV_GOLDENGATE_REDO_ACCESS For any user who is responsible for using the Oracle GoldenGate TRANLOGOPTIONS DBLOGREADER method to access redo logs in an Oracle Database Vault environment
DV_MONITOR Enables the Oracle Enterprise Manager Grid Control agent to monitor Oracle Database Vault for attempted violations and configuration issues with realm or command rule definitions. This enables Grid Control to read and propagate realm definitions and command rule definitions between databases.
DV_OWNER The DV_OWNER role has the administrative capabilities that the DV_ADMIN role provides, and the reporting capabilities the DV_SECANALYST role provides.
DV_PATCH_ADMIN Temporarily grant the DV_PATCH_ADMIN role to any database administrator who is responsible for performing database patching or adding languages to Database Vault. After the patch operation or language addition is complete, you should immediately revoke this role. The role does not provide access to any secured data.
DV_PUBLIC Oracle Database Vault does not enable you to directly grant object privileges in the DVSYS schema to PUBLIC. You must grant the object privilege on the DVSYS schema object the DV_PUBLIC role, and then grant DV_PUBLIC to PUBLIC.
DV_REALM_OWNER Use the DV_REALM_OWNER role to manage database objects in multiple schemas that define a realm. Grant this role to the database account owner who is responsible for managing one or more schema database accounts within a realm and the roles associated with the realm.
DV_REALM_RESOURCE Use the DV_REALM_RESOURCE role for operations such as creating tables, views, triggers, synonyms, and other objects that a realm would typically use.
DV_SECANALYST DV_SECANALYST can query DVSYS schema objects through Oracle Database Vault-supplied views only.
DV_STREAMS_ADMIN Grant to a user who is responsible for configuring Streams replication in an Oracle Database Vault environment.
DV_XSTREAM_ADMIN Grant to a user who is responsible for configuring XStreams replication in an Oracle Database Vault environment.
EJBCLIENT Provides privileges to connect to EJBs from a Java stored procedure
EM_EXPRESS_ALL Enables users to connect to Oracle Enterprise Manager (EM) Express and use all the functionality provided by EM Express (read and write access to all EM Express features). The EM_EXPRESS_ALL role includes the EM_EXPRESS_BASIC role.
EM_EXPRESS_BASIC Enables users to connect to EM Express and to view the pages in read-only mode. The EM_EXPRESS_BASIC role includes the SELECT_CATALOG_ROLE role
EXECUTE_CATALOG_ROLE Allow users EXECUTE privileges for packages and procedures in the data dictionary. Granted HS_ADMIN_EXECUTE_ROLE role
EXP_FULL_DATABASE Provides the privileges required to perform full and incremental database export. Granted EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE roles.
GATHER_SYSTEM_STATISTICS To update the dictionary system statistics a user must have DBA privileges or the GATHER_SYSTEM_STATISTICS role.
GDS_CATALOG_SELECT Provides access to 10 objects owned by GSMADMIN_INTERNAL
GLOBAL_AQ_USER_ROLE Required to register through LDAP using JDBC connection parameters as this requires the ability to write access to the connection factory entries in the LDAP server (which requires the LDAP user to be either the database itself or be granted GLOBAL_AQ_USER_ROLE).
GSMADMIN_ROLE Granted AQ_ADMINISTRATOR_ROLE and CONNECT roles: Inlcudes EXECUTE on DBMS_GSM_UTILITY and related resources
GSMUSER_ROLE Granted CONNECT role: Includes EXECUTE on DBMS_GSM_DBADMIN
GSM_POOLADMIN_ROLE Granted CONNECT role: Inlcudes EXECUTE on DBMS_GSM_POOLADMIN
HS_ADMIN_EXECUTE_ROLE Provides the EXECUTE privilege for users who want to use the Heterogeneous Services (HS) PL/SQL packages
HS_ADMIN_ROLE Provides privileges for DBAs who need to use the DBA role using Oracle Database Heterogeneous Services to access appropriate tables in the data dictionary.

Used to protect access to the Heterogeneous Services (HS) data dictionary tables (grants SELECT) and packages (grants EXECUTE). It is granted to SELECT_CATALOG_ROLE and EXECUTE_CATALOG_ROLE such that users with generic data dictionary access also can access the HS data dictionary.
HS_ADMIN_SELECT_ROLE Provides privileges to query the Heterogeneous Services data dictionary views
IMP_FULL_DATABASE Provides the privileges required to perform full database imports. Includes an extensive list of system privileges (use view DBA_SYS_PRIVS to view privileges) and the following roles: EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE. This role is provided for convenience in using the export and import utilities.
JAVADEBUGPRIV Grants permissions to run the Java debugger
JAVAIDPRIV Deprecated
JAVASYSPRIV Grants permissions for Java administrators including updating JVM-protected packages. Granted the JAVAUSERPRIV role.
JAVAUSERPRIV Grants permissions for Java users such as examining properties
JAVA_ADMIN Java administration privileges including permission to modify PolicyTable.
JAVA_DEPLOY Undocumented
JMXSERVER Provides permissions to start and maintain a JMX agent in a session. The procedure dbms_java.start_jmx_agent starts the agent in a specific session that generally remains active for the duration of the session.
LBAC_DBA Provides permissions to use the SA_SYSDBA PL/SQL package
LOGSTDBY_ADMINISTRATOR A prototype role created by default with the RESOURCE role. It is advisable to not use this role but rather to craft your own specific to your needs. Read Oracle's comments, in red with respect to RESOURCE. They apply here too.
OEM_ADVISOR Provides privileges to create, drop, select (read), load (write), and delete a SQL tuning set through the DBMS_SQLTUNE PL/SQL package, and to access to the Advisor framework using the ADVISOR PL/SQL package
OEM_MONITOR Provides privileges needed by the Management Agent component of Oracle Enterprise Manager to monitor and manage a database
OLAP_DBA Provides privileges needed by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database
OLAP_USER Provides application developers privileges to create dimensional objects in their own schemas for Oracle OLAP
OLAP_XS_ADMIN Administer OLAP data security. Granted the XS_RESOURCE role
OPTIMIZER_PROCESSING_RATE Provides privileges to execute the GATHER_PROCESSING_RATE, SET_PROCESSING_RATE, and DELETE_PROCESSING_RATE procedures in the DBMS_STATS package. These procedures manage the processing rate of a system for automatic degree of parallelism (Auto DOP). Auto DOP uses these processing rates to determine the optimal degree of parallelism for a SQL statement.
ORDADMIN After installing Oracle Multimedia DICOM, the ORDADMIN role is created, with the database system privileges required for administration of the DICOM data model repository.

The ORDADMIN role must be assigned to the administrator of the DICOM data model repository.
OWB$CLIENT Provides privileges to perform standard client-related tasks for Oracle Warehouse Builder, such as creating projects, modules, tables, views, maps, and so on. Warehouse Builder automatically grants this role to all workspace owners and users. (That is, you do not need to explicitly grant it to anyone who must use Warehouse Builder.) For security reasons, the OWB$CLIENT role is not a default role for Warehouse Builder users: Oracle Warehouse Builder enables this role only when it is needed.
OWB_DESIGNCENTER_VIEW Provides privileges from the database level for any registered Oracle Warehouse Builder user to query the Warehouse Builder public views, such as ALL_IV_PROJECTS. A Warehouse Builder administrator can use the ACCESS_PUBLICVIEW_BROWSER system privilege from the Warehouse Builder security level to control an Warehouse Builder user's access to those public views.
OWB$CLIENT Provides privileges to perform standard client-related tasks for Oracle Warehouse Builder, such as creating projects, modules, tables, views, and maps.
OWB_DESIGNCENTER_VIEW Provides privileges from the database level for any registered Oracle Warehouse Builder user to query the Warehouse Builder public views, such as ALL_IV_PROJECTS.
OWB_USER Provides privileges to create and own an Oracle Warehouse Builder workspace. When a workspace owner registers other database users to this workspace, Oracle Database grants this role to these users. Users with this role also have access to Warehouse Builder Control Center public views and other Control Center utilities. Oracle Warehouse Builder grants this role to all Warehouse Builder users.
PDB_DBA Granted automatically to the local user that is created when you create a new pluggable database (PDB) from the seed PDB. No privileges are provided with this role.
PLUSTRACE Grants privlileges on V$ views required to use AUTOTRACE. Can be created in a PDB but not in the CDB.
PROVISIONER Provides privileges to register and update global callbacks for Oracle Database Real Application sessions and to provision principals
PUBLIC -
RECOVERY_CATALOG_OWNER Provides privileges for owner of the recovery catalog. Includes: CREATE SESSION, ALTER SESSION, CREATE SYNONYM, CREATE VIEW, CREATE DATABASE LINK, CREATE TABLE, CREATE CLUSTER, CREATE SEQUENCE, CREATE TRIGGER, and CREATE PROCEDURE
RESOURCE Provides the following system privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE. This role is provided for compatibility with previous releases of Oracle Database. You can determine the privileges encompassed by this role by querying the DBA_SYS_PRIVS data dictionary view. Note: Oracle recommends that you design your own roles for database security rather than relying on this role. This role may not be created automatically by future releases of Oracle Database.
SCHEDULER_ADMIN Allows the grantee to execute the procedures of the DBMS_SCHEDULER package. It includes all of the job scheduler system privileges and is included in the DBA role.
SELECT_CATALOG_ROLE Provides SELECT privilege on objects in the data dictionary. Granted the HS_ADMIN_SELECT_ROLE role.
SPATIAL_CSW_ADMIN Privileges granted the Catalog Services for the Web(CSW) account used by the Oracle Spatial CSW cache manager to load all record type metadata, and record instances from the database into the main memory for the record types that are cached.
SPATIAL_WFS_ADMIN Privileges granted the Web Feature Service (WFS) account used by the Oracle Spatial WFS cache manager to load all feature type metadata, and feature instances from the database into main memory for the feature types that are cached.
TKPROFER To grant SELECT on dynamic views for TKPROF, run utltkprf.sql in a PDB. TKPROF needs this to dereference wait events.
WFS_USR_ROLE Privileges granted a Web Feature Service (WFS) user
WM_ADMIN_ROLE Contains all Workspace Manager privileges with the grant option. By default, the database administrator (DBA role) is granted the WM_ADMIN_ROLE role.
XDBADMIN Allows the grantee to register an XML schema globally, as opposed to registering it for use or access only by its owner. It also lets the grantee bypass access control list (ACL) checks when accessing Oracle XML DB Repository.
XDB_SET_INVOKER Allows the grantee to define invoker's rights handlers and to create or update the resource configuration for XML repository triggers. By default, Oracle Database grants this role to the DBA role but not to the XDBADMIN role.
XDB_WEBSERVICES Allows the grantee to access Oracle Database Web services over HTTPS. However, it does not provide the user access to objects in the database that are public. To allow public access, you need to grant the user the XDB_WEBSERVICES_WITH_PUBLIC role. For a user to use these Web services, SYS must enable the Web service servlets.
XDB_WEBSERVICES_OVER_HTTP Allows the grantee to access Oracle Database Web services over HTTP. However, it does not provide the user access to objects in the database that are public. To allow public access, you need to grant the user the XDB_WEBSERVICES_WITH_PUBLIC role.
XDB_WEBSERVICES_WITH_PUBLIC Allows the grantee access to public objects through Oracle Database Web services.
XS_CACHE_ADMIN the mid-tier cache. It is required for caching the security policy at the mid-tier level for the checkAcl (authorization) method of the XSAccessController class. Grant this role to the application connection user or the Real Application Security dispatcher.
XS_NAMESPACE_ADMIN In Oracle Database Real Application Security, enables the grantee to manage and manipulate the namespace and attribute for a session. Grant this role to the Real Application Security session user.
XS_RESOURCE In Oracle Database Real Application Security, enables the grantee to manage objects in the attached schema, through the XS_ACL PL/SQL package. This package creates procedures to create and manage access control lists (ACLs). It contains the ADMIN SEC POLICY privilege. It is similar to the Oracle Database RESOURCE role.
XS_SESSION_ADMIN In Oracle Database Real Application Security, enables the grantee to manage the life cycle of a session, including the ability to create, attach, detach, and destroy the session. Grant this role to the application connection user or Real Application Security dispatcher.

Related Topics
Autotrace
Consumer Groups
DCL Statements
DDL Statements
Object Privileges
Profiles
Security
Startup Parameters
System Events
System Privileges
Users

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2014 Daniel A. Morgan All Rights Reserved