Default Roles
Default roles allow you to automatically assign user role mappings when any user is newly created or imported through User Federation or Identity Brokering. To specify default roles go to the Roles left menu item, and click the Default Roles tab.
[Screenshot: Default Roles tab]
As you can see from the screenshot, there are already a number of default roles set up by default.
Use role default-role enable to enable the default user role feature for remote AAA users.
Use undo role default-role enable to restore the default.
Syntax
role default-role enable [ role-name ]
undo role default-role enable
Default
The default user role feature is disabled. AAA users who do not have a user role cannot log in to the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
role-name: Specifies, by name, the user role to use as the default user role. The user role must already exist. The argument is a case-sensitive string of 1 to 63 characters. If you do not specify a user role, the following default user role settings apply:
For login to the default MDC, the default user role is network-operator.
For login to a non-default MDC, the default user role is mdc-operator.
Usage guidelines
The default user role feature assigns the default user role to AAA-authenticated users if the authentication server does not assign any user roles to the users. These users are allowed to access the system with the default user role.
If the authentication server has assigned user roles to AAA users, they log in with those roles instead.
Examples
# Enable the default user role feature.
<Sysname> system-view
[Sysname] role default-role enable
Related commands
role
Oracle Tips by Burleson
Users can have one or more roles granted to them, each conveying a set of privileges. However, not all granted roles are enabled when a user creates a session; only the roles defined as default are enabled. For instance, NATHAN has been granted both of the following roles:
grant junior_claim_analyst,
senior_claim_analyst to nathan;
Selecting this from the dictionary we see:
select * from dba_role_privs;
The output comes back as:
GRANTEE        GRANTED_ROLE               ADM DEF
-------------- -------------------------- --- ---
NATHAN         JUNIOR_CLAIM_ANALYST       NO  YES
NATHAN         SENIOR_CLAIM_ANALYST       NO  YES
Note how the default role shows YES for both the roles. This is because NATHAN has not been granted any specific default role, so all roles granted to him are default, by default [no pun intended!].
Next, we specify the default role for NATHAN as JUNIOR_CLAIM_ANALYST as follows.
alter user nathan default role junior_claim_analyst;
select * from dba_role_privs;
The output comes back as:
GRANTEE        GRANTED_ROLE               ADM DEF
-------------- -------------------------- --- ---
NATHAN         JUNIOR_CLAIM_ANALYST       NO  YES
NATHAN         SENIOR_CLAIM_ANALYST       NO  NO
Note how the role SENIOR_CLAIM_ANALYST is no longer default for NATHAN.
When Nathan needs to do some work that requires the privileges of the SENIOR_CLAIM_ANALYST role, he can issue the statement:
SET ROLE SENIOR_CLAIM_ANALYST;
This leads to a rather complicated affair where the roles are granted but not enabled. To verify which roles have been enabled in a session, the view session_roles may be queried. In the following example query, NATHAN can see which roles are enabled when he is connected:
select *
from session_roles;
This shows the current role that is enabled:
ROLE
------------------------------
JUNIOR_CLAIM_ANALYST
Nathan's currently enabled role is JUNIOR_CLAIM_ANALYST. When he enables another role and selects from the same view:
SET ROLE SENIOR_CLAIM_ANALYST, JUNIOR_CLAIM_ANALYST;
SELECT * FROM SESSION_ROLES;
The result comes back as:
ROLE
------------------------------
SENIOR_CLAIM_ANALYST
JUNIOR_CLAIM_ANALYST
See that the role SENIOR_CLAIM_ANALYST is now enabled.
In addition to using the SET ROLE command, the Oracle-supplied utility SET_ROLE in the package dbms_session can also be used. Here is how it is used:
dbms_session.set_role('SENIOR_CLAIM_ANALYST');
This is especially useful in situations where the roles have to be set inside a procedure, or be called by a client program other than SQL*Plus.
Important: Unless a default role is explicitly defined for a user, all roles granted to the user are default and enabled. Therefore, have one default role for the user and explicitly enable the other roles by SET ROLE in the application.
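The pattern recommended above, written out end to end as an added example (not from the original article): both roles granted, only the junior role made default, and the senior role enabled by the application just for the privileged task. Role and user names follow the article; the claims.claim table and its privileges are assumed.

```sql
-- Added example; claims.claim and the object privileges are assumed.

-- 1. As a DBA: create both roles and grant them to NATHAN.
CREATE ROLE junior_claim_analyst;
CREATE ROLE senior_claim_analyst;
GRANT SELECT ON claims.claim TO junior_claim_analyst;   -- assumed table
GRANT UPDATE ON claims.claim TO senior_claim_analyst;   -- assumed table
GRANT junior_claim_analyst, senior_claim_analyst TO nathan;

-- Weak state: with no explicit default, DEF = YES for both roles, so every
-- session NATHAN opens starts with the senior privileges already enabled.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'NATHAN';

-- Corrected state: only the junior role is enabled at logon.
ALTER USER nathan DEFAULT ROLE junior_claim_analyst;

-- 2. As NATHAN: the session starts with the default role only.
SELECT role FROM session_roles;        -- JUNIOR_CLAIM_ANALYST

-- The application enables the senior role for the privileged task.
-- DBMS_SESSION.SET_ROLE takes the same text as the SET ROLE statement; it is
-- called from an anonymous block here because it cannot be used inside a
-- definer's-rights stored procedure.
BEGIN
  DBMS_SESSION.SET_ROLE('SENIOR_CLAIM_ANALYST, JUNIOR_CLAIM_ANALYST');
END;
/

SELECT role FROM session_roles;        -- SENIOR_CLAIM_ANALYST, JUNIOR_CLAIM_ANALYST

-- Privileged work runs as separate statements after the block, so its
-- privilege check sees the newly enabled role.
UPDATE claims.claim SET status = 'APPROVED' WHERE claim_id = 42;   -- assumed
COMMIT;

-- Drop straight back to the default role set once the task is done.
BEGIN
  DBMS_SESSION.SET_ROLE('JUNIOR_CLAIM_ANALYST');
END;
/

SELECT role FROM session_roles;        -- JUNIOR_CLAIM_ANALYST
```

Comparing the two session_roles results is the check that the elevation was actually reverted; an audit of dba_role_privs for grantees with DEF = YES on more than one role finds users who never got an explicit default.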