6-21. Secure Roles

It is possible to:

  • Make a role nondefault: when the role is granted to a user, deselect the DEFAULT check box. The user must then explicitly enable the role before the role’s privileges can be exercised. This is done by issuing the SET ROLE command.
  • Have a role require additional authentication: the authentication can be password, external, or global.
  • Create secure application roles that can be enabled only by executing a PL/SQL procedure successfully: the PL/SQL procedure can check things such as the user’s network address, which program the user is running, time of day, or other elements needed to properly secure a group of permissions. See http://www.dba-oracle.com/t_get_ip_address_utl_inaddr_sys_context.htm
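
A sketch of the secure application role from the last bullet, added here as an illustration and not taken from the original post. The schema, role, procedure and user names, the 10.20.30.x subnet and the 08:00-17:59 window are all assumptions.

```sql
-- Added example: sec_admin, hr_app_role, app_user and the subnet are hypothetical.

-- 1. The role names the one procedure that is allowed to enable it.
--    SET ROLE hr_app_role issued directly by a user will fail.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.enable_hr_app_role;

-- 2. Sensitive privileges are granted to the role, not to the users.
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

-- 3. The gatekeeper. It must be invoker's rights (AUTHID CURRENT_USER):
--    roles cannot be enabled from a definer's rights procedure.
CREATE OR REPLACE PROCEDURE sec_admin.enable_hr_app_role
  AUTHID CURRENT_USER
AS
  v_ip   VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  -- IP_ADDRESS is NULL for local (non-network) sessions: fail closed.
  IF v_ip IS NULL OR v_ip NOT LIKE '10.20.30.%' THEN
    RETURN;
  END IF;

  -- Only during working hours (server time).
  IF v_hour NOT BETWEEN 8 AND 17 THEN
    RETURN;
  END IF;

  -- The program/module name is reported by the client and can be spoofed,
  -- so it is deliberately not used as the sole condition here.

  -- Note: like SET ROLE, this replaces the session's enabled role set.
  DBMS_SESSION.SET_ROLE('hr_app_role');
END;
/

-- 4. Users get EXECUTE on the procedure only.
GRANT EXECUTE ON sec_admin.enable_hr_app_role TO app_user;

-- 5. In the application session (SQL*Plus syntax), then verify:
EXEC sec_admin.enable_hr_app_role;
SELECT role FROM session_roles;
```

If the checks fail, the procedure returns without enabling anything, so `session_roles` will not list the role and the session keeps only its other privileges.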

March 28, 2008. roles.

6-19. Predefined Roles

There are some predefined roles such as:

  • CONNECT
  • RESOURCE
  • SCHEDULER_ADMIN
  • DBA
  • SELECT_CATALOG_ROLE

Notes:

  • CONNECT is granted automatically to any user created with Enterprise Manager
  • In earlier versions of the database (before 10gR2), the CONNECT role included more privileges, such as CREATE TABLE and CREATE DATABASE LINK, which have been removed for security reasons.
  • Granting the RESOURCE role includes granting the UNLIMITED TABLESPACE privilege

Functional Roles

Other roles that authorize you to administer special functions are created when that functionality is installed. For example:

  • XDBADMIN: contains the privileges required to administer XML database if that feature is installed.
  • AQ_ADMINISTRATOR_ROLE: privileges to administer advanced queuing
  • HS_ADMIN_ROLE: includes the privileges needed to administer heterogeneous services.

March 28, 2008. roles.