Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Creator of a role gets what rights?

From: Peter <peter_at_nomorenewsspammin.ca>
Date: Tue, 24 Jun 2003 18:08:22 GMT
Message-ID: <ho4hfv00e768ggr7ugkvol1uqmoovv9q05@4ax.com>


On Tue, 24 Jun 2003 15:39:28 GMT, Brian Peasland <oracle_dba_at_remove_spam.peasland.com> wrote:

>But a role is neither a system nor object privilege. It is a role.
>Whether you can grant that role is determined by whether or not you are
>the creator or have been given the GRANT ANY ROLE system privilege. And
>you can't grant a role with the ADMIN or GRANT option, so to speak.
>
>HTH,
>Brian
>

But why can't you grant a role to the next person if you got the role granted to you with the "with admin option"? When this role is revoked at the top of the chain, there will not be cascading effects.

Thanks.

>Hans Forbrich wrote:
>>
>> Peter wrote:
>>
>> > Does the creator of a ROLE get
>> > "with admin option" privilege or the "with grant option" privilege?
>>
>> Peter,
>>
>> When looking for explanations of syntax, I recommend you start in the
>> SQL Reference manual.
>>
>> In this case, the GRANT command is relevant. Details are available in
>> http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/server.920/a96540/statements_912a.htm#2062195
>>
>> According to that, should your user need to pass on the capability being
>> granted:
>> - IF this command is a SYSTEM privilege, then you use the WITH ADMIN
>> OPTION but
>> - IF this is an OBJECT privilege, then you use the WITH GRANT OPTION
>>
>> If you cannot determine whether the capability is an object or a system
>> privilege, then (according to the document) you can look at table 17-1
>> on the same section.
>>
>> To the observant, an easy way to determine whether this is a SYSTEM or
>> an OBJECT privilege is to look for the keyword "ON" followed by an
>> object identifier - if that exists it is because you are granting the
>> capability on an OBJECT to a user.
>>
>> [3 .... 4 .... 5]
>> /Hans
Received on Tue Jun 24 2003 - 13:08:22 CDT
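
The delegation and revocation behaviour discussed in this thread can be checked in a scratch database with the SQL*Plus script below, an added example that is not part of the original posts. It assumes hypothetical accounts `sec_admin` (holding the DBA role), `alice` and `bob` (both with CREATE SESSION), and constructed names `app_reader` and `scratch_t`. Oracle documents that revoking a role or system privilege does not cascade, while revoking an object privilege that was granted WITH GRANT OPTION also removes the grants made through it.

```sql
-- Constructed scratch setup: sec_admin (DBA role), alice and bob are
-- hypothetical accounts that already exist. Start connected as sec_admin.
CREATE ROLE app_reader;
CREATE TABLE scratch_t (id NUMBER);

-- The creator's own grant of the new role, with its ADMIN_OPTION flag.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'APP_READER';

-- Role: the right to pass it on is given WITH ADMIN OPTION.
GRANT app_reader TO alice WITH ADMIN OPTION;
-- Object privilege: the right to pass it on is given WITH GRANT OPTION.
GRANT SELECT ON scratch_t TO alice WITH GRANT OPTION;

-- alice passes both on to bob (CONNECT prompts for the password).
CONNECT alice
GRANT app_reader TO bob;
GRANT SELECT ON sec_admin.scratch_t TO bob;

-- Revoke both from alice at the top of the chain.
CONNECT sec_admin
REVOKE app_reader FROM alice;
REVOKE SELECT ON scratch_t FROM alice;

-- Role grants that remain after the revoke.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'APP_READER';

-- Object grants that remain after the revoke.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SEC_ADMIN' AND table_name = 'SCRATCH_T';

-- Audit: every grantee able to hand a role to others. Because role
-- revokes do not cascade, each onward grant needs its own review.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE admin_option = 'YES'
 ORDER BY granted_role, grantee;

-- Clean up the constructed objects.
DROP ROLE app_reader;
DROP TABLE scratch_t;
```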
