
The Role Concept

The SAP DB database system supports different roles. A role is a grouping of privileges, which can be assigned to database users, user groups, or other roles.

Procedure

       1.      A role is created using the CREATE ROLE statement. This role is initially empty. Only database users belonging to database user class DBA are able to create roles. The new role name cannot be the same as the name of any other role, a user, or a user group.

       2.      Privileges are assigned to a role using the GRANT statement. Privileges can be revoked from a role using the REVOKE statement.

       3.      A role can be assigned to database users, user groups, or other roles using the GRANT statement and specification of the role name.

       4.      You use the ALTER USER and ALTER USERGROUP statements to define which of the roles assigned to a user or user group are to be used when a database session is opened.

       5.      During a database session, you can use the SET statement to activate other roles assigned to the user or user group.

If a role is activated during a session, the current user then has all the privileges that are assigned to that role.

If a password has been assigned to a role, users assigned to that role can only activate it by entering the password in the SET statement.

Result

The existence of a role and its properties are registered in the catalog in the form of metadata. A user who creates a role becomes its owner.

The roles assigned to the user or user group as a result of the ALTER USER and ALTER USERGROUP statements are activated as soon as a database session is opened.

Caution

Roles are not active during execution of data definition commands.
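
The procedure above as one least-privilege walk-through; this is an added example, not part of the original SAP documentation. The role, user, table and password names are hypothetical, and the IDENTIFIED BY, DEFAULT ROLE and SET ROLE clause forms are assumed from SAP DB syntax and should be checked against the Reference Manual for the release in use.

```sql
-- Constructed example: report_reader, payroll_admin, alice, hr.* and
-- role_pw_placeholder are hypothetical names.
-- Each statement is sent separately; the terminator depends on the client tool.
-- Steps 1 to 4 are run by a user of class DBA (only DBA users can create roles).

-- Step 1: create two empty roles. The second one is protected by a password.
CREATE ROLE report_reader

CREATE ROLE payroll_admin IDENTIFIED BY role_pw_placeholder

-- Step 2: assign privileges to the roles, then revoke what is not needed.
GRANT SELECT ON hr.salary_summary TO report_reader

GRANT SELECT, UPDATE, DELETE ON hr.salary TO payroll_admin

REVOKE DELETE ON hr.salary FROM payroll_admin

-- Step 3: assign a role to another role and to a database user.
GRANT report_reader TO payroll_admin

GRANT report_reader TO alice

GRANT payroll_admin TO alice

-- Step 4: only the low-privilege role is activated when alice opens a session.
ALTER USER alice DEFAULT ROLE report_reader

-- Step 5: inside alice's session, the protected role must be activated
-- explicitly, and the SET statement has to supply the role password.
SET ROLE payroll_admin IDENTIFIED BY role_pw_placeholder

-- With payroll_admin active, alice has the privileges assigned to that role.
UPDATE hr.salary SET amount = amount * 1.02 WHERE grade = 3

-- Deactivate the roles again once the privileged work is finished.
SET ROLE NONE

-- Caution from this page: roles are not active during data definition
-- commands, so a privilege alice holds only through a role does not apply
-- while she executes such a command.
```

Keeping the password-protected role out of the default set means a session opened with alice's credentials starts with read access only, and the UPDATE privilege requires a deliberate SET statement with the role password.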

See also:

Reference Manual: SAP DB 7.4, Section Role Name

 
