I was never very clear on the purpose of password-protected roles. Today I read some material and found that a password-protected role can be granted to a user as a non-default role and enabled only when it is needed. Some sensitive privileges are rarely used in ordinary work; to prevent mistakes, these privileges can all be granted to a single role that is enabled only when necessary. Password-protected roles can also be used to split privileges among users in the same group: a person who does not know the role's password cannot enable its privileges.
The experiment follows.
First, create two roles, R_cs and R_select, and grant them the appropriate privileges:
sys@orcl>create role R_cs;
Role created.
sys@orcl>grant create session to R_cs;
Grant succeeded.
sys@orcl>create role R_select identified by R_select;
Role created.
sys@orcl>grant select on dba_objects to R_select;
Grant succeeded.
Create the user test, grant it R_cs and R_select, and set R_cs as its default role (a user can have more than one default role):
sys@orcl>create user test identified by test;
User created.
sys@orcl>grant R_cs,R_select to test;
Grant succeeded.
sys@orcl>alter user test default role R_cs;
User altered.
Now connect as the test user and query dba_objects:
sys@orcl>conn test/test
Connected.
test@orcl>select count(*) from dba_objects;
select count(*) from dba_objects
*
ERROR at line 1:
ORA-00942: table or view does not exist
The query fails because R_select is not enabled. Enable the R_select role and query again:
test@orcl>set role R_select identified by R_select;
Role set.
test@orcl>select count(*) from dba_objects;
COUNT(*)
----------
50327
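The checks below are an added example, not part of the original post: they use the standard dictionary views DBA_ROLES, DBA_ROLE_PRIVS and SESSION_ROLES to confirm how the roles from the experiment are configured and which ones are active in a session. The role and user names are the ones created above, written in upper case because that is how the dictionary stores unquoted identifiers.

```sql
-- Added example: verify the configuration built in the experiment above.
-- Run steps 1 and 2 as a DBA, step 3 as the test user.

-- 1. Which of the two roles needs a password before it can be enabled?
--    PASSWORD_REQUIRED is 'YES' for a role created with IDENTIFIED BY.
select role, password_required
  from dba_roles
 where role in ('R_CS', 'R_SELECT')
 order by role;

-- 2. Which granted roles are switched on automatically at login?
--    DEFAULT_ROLE is 'NO' for a role that must be enabled with SET ROLE.
select grantee, granted_role, default_role
  from dba_role_privs
 where grantee = 'TEST'
 order by granted_role;

-- 3. As the test user: list the roles active in the current session,
--    before and after enabling the password-protected role.
select role from session_roles;

set role R_select identified by R_select;

-- SET ROLE replaces the session's list of enabled roles, so a role that is
-- not named in the statement (here R_cs) is disabled for the session.
select role from session_roles;

-- To keep both roles active, name both in one statement;
-- only the protected role takes a password.
set role R_cs, R_select identified by R_select;
select role from session_roles;

-- Drop the sensitive privilege again once the work is done by
-- enabling only the unprotected role.
set role R_cs;
select role from session_roles;
```

Running steps 1 and 2 across all roles and grantees (without the WHERE filters) gives a quick inventory of which sensitive roles are password-protected and which users would receive them automatically at login.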