When granting or revoking a role, I found that the user could still access certain tables, whereas adding or removing the SELECT ANY TABLE privilege took effect immediately.
That is the difference between a role and a system privilege.
select * from role_role permission
Applies To
All Users
Oracle Database - Enterprise Edition - Version 11.2.0.3 to Version 11.2.0.3
Oracle Database - Enterprise Edition - Version 8.1.7.4 to Version 11.1.0.7
Oracle Net Services - Version 19.1.0.0.0 to Version 19.1.0.0.0
Summary
- The alert.log is full of the following errors:
...
Tue Dec 30 18:15:42 2008
Errors in file d:\app\administrator\diag\rdbms\prod\prod\trace\prod_j000_3444.trc:
ORA-12012: error on auto execute of job 4002
ORA-28031: maximum of 148 enabled roles exceeded
Tue Dec 30 18:15:47 2008
Thread 1 cannot allocate new log, sequence 64
Checkpoint not complete
Current log# 3 seq# 63 mem# 0: D:\APP\ADMINISTRATOR\ORADATA\PROD\REDO03.LOG
Thread 1 advanced to log sequence 64 (LGWR switch)
Tue Dec 30 18:17:43 2008
Errors in file d:\app\administrator\diag\rdbms\prod\prod\trace\prod_j001_744.trc:
ORA-12012: error on auto execute of job 4005
ORA-28031: maximum of 148 enabled roles exceeded
...
Because of the ORA-28031 error, no job runs. The user owning the job is able to connect to the database and, furthermore, gets no errors when running the code executed by the job interactively.
- A user gets the following error while connecting to the database:
SQL> conn testrole2
ERROR:
ORA-28031: maximum of 148 enabled roles exceeded
- While creating a queue table the following error occurs:
EXECUTE DBMS_AQADM.CREATE_QUEUE_TABLE (queue_table =>'QTEST', queue_payload_type => 'TTEST', multiple_consumers=> TRUE,compatible=>'10.2');
*
ERROR at line 1:
ORA-24166: evaluation context <schema>.AQ$_QTEST_V has errors
ORA-01925: maximum of 30 enabled roles exceeded
ORA-06512: at "SYS.DBMS_AQADM_SYS", line 2220
ORA-06512: at "SYS.DBMS_AQADM", line 58
ORA-06512: at line 1
Solution
- If this error does not occur while working with queues, check how many roles are going to be enabled in the user's session. Check all the default roles, including those granted recursively:
SQL> select lpad(' ',2*level,' ')||granted_role
from dba_role_privs
where default_role='YES'
start with grantee='TESTROLE2' and default_role='YES'
connect by prior granted_role=grantee;
LPAD('',2*LEVEL,'')||GRANTED_ROLE
MYROLE
TROLE1
TROLE10
...
TROLE95
TROLE96
TROLE97
TROLE98
TROLE99
149 rows selected.
The list of distinct roles can be obtained with this query:
select distinct granted_role
from dba_role_privs
where default_role='YES'
start with grantee='<username>' and default_role='YES'
connect by prior granted_role=grantee
/
If there are indeed too many default roles granted to that user, do the following:
A) Drop the roles that are not needed, or merge some of the roles to reduce their total number.
B) Make sure that the user has fewer than MAX_ENABLED_ROLES default roles (i.e. alter the user and specify a list of default roles).
C) Create all the custom roles while connected as a user created for this purpose rather than creating them as SYS:
connect / as sysdba;
create user roleadmin identified by <password>;
grant create session, create role to roleadmin;
connect roleadmin;
... create roles...
connect / as sysdba;
alter user roleadmin default role none;
With this approach you avoid having too many roles granted automatically to SYS.
- When the error is encountered while working with queues, take into account Bug 5523578, which is fixed in 10.2.0.5. Because of this bug, while working with queue tables the database counts the roles even if they are not default roles. In this situation the only solution is to count the roles granted to the user (even those that are not default roles) and, if there are more than 148, revoke some of them:
SQL> select lpad(' ',2*level,' ')||granted_role
from dba_role_privs
start with grantee='TESTROLE2'
connect by prior granted_role=grantee;
-- Note that the condition that checks whether the role is default has been removed
LPAD('',2*LEVEL,'')||GRANTED_ROLE
MYROLE
TROLE1
TROLE10
...
TROLE95
TROLE96
TROLE97
TROLE98
TROLE99
TROLE100
150 rows selected.
Cause
Error ORA-28031 occurs whenever one attempts to enable more than 150 roles in the same session. A session always has two roles enabled by default (PUBLIC and the implicit role associated with the connected user). Besides these two, up to 148 other roles can be enabled in the session. When a session is initialized, all default roles granted to the connecting user are enabled. If the user is granted more than 148 default roles, the user will not be able to connect because of the ORA-28031 error. This does not apply to normal SYS connections. However, when a user creates a job via DBMS_JOB or DBMS_SCHEDULER which runs as SYS, the session created to execute the job is subject to the same role limit.
It is important to note that the roles granted via a hierarchy (recursively) must be counted, not only the roles granted directly.
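As an added illustration that is not part of the MOS note, the walk performed by the START WITH ... CONNECT BY queries above, modelled offline in Python over constructed DBA_ROLE_PRIVS rows: it counts the distinct roles reachable from a grantee through role-to-role grants, with the default-role filter (normal logon) and without it (the queue-table case), and compares the result with the 148 limit. The row set, the constants and the function names are assumptions made for this example.

```python
# Added example (not from the MOS note): model the CONNECT BY walk over
# DBA_ROLE_PRIVS offline and check a grantee against MAX_ENABLED_ROLES.
from collections import deque

MAX_ENABLED_ROLES = 148   # the limit reported in ORA-28031
IMPLICIT_ROLES = 2        # PUBLIC plus the user's own implicit role

# Constructed rows in the shape of DBA_ROLE_PRIVS: (grantee, granted_role, default_role).
# TESTROLE2 holds one direct grant, MYROLE, which in turn holds TROLE1..TROLE148,
# plus one non-default role; SMALLUSER holds a single role.
ROLE_PRIVS = [("TESTROLE2", "MYROLE", "YES")]
ROLE_PRIVS += [("MYROLE", f"TROLE{i}", "YES") for i in range(1, 149)]
ROLE_PRIVS += [("TESTROLE2", "EXTRA_ROLE", "NO"), ("SMALLUSER", "TROLE1", "YES")]

def roles_in_hierarchy(privs, grantee, default_only=True):
    """Return the distinct set of roles reachable from grantee through
    role-to-role grants, like the START WITH ... CONNECT BY query in the note.
    default_only=True mirrors the default_role='YES' filter; False mirrors the
    queue-table case (Bug 5523578), where non-default roles are counted too."""
    seen, queue = set(), deque([grantee])
    while queue:
        current = queue.popleft()
        for row_grantee, role, is_default in privs:
            if row_grantee != current or role in seen:
                continue
            if default_only and is_default != "YES":
                continue
            seen.add(role)
            queue.append(role)   # roles granted to this role are walked next
    return seen

def session_role_count(privs, user, default_only=True):
    """Roles the session would try to enable, implicit roles included."""
    return IMPLICIT_ROLES + len(roles_in_hierarchy(privs, user, default_only))

def exceeds_limit(privs, user, default_only=True):
    """True when the grantee's role hierarchy would trigger ORA-28031."""
    return len(roles_in_hierarchy(privs, user, default_only)) > MAX_ENABLED_ROLES

if __name__ == "__main__":
    for mode in (True, False):
        n = len(roles_in_hierarchy(ROLE_PRIVS, "TESTROLE2", mode))
        state = "ORA-28031 expected" if n > MAX_ENABLED_ROLES else "within limit"
        print(f"TESTROLE2 default_only={mode}: {n} roles, {state}")
```

With the constructed rows the default-only walk yields 149 roles and the unfiltered walk 150, matching the 149 and 150 rows reported by the two queries in the note.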
Usually a user is not explicitly granted so many default roles; however, a user can end up with that many roles because:
- Many roles were created by this user. Whenever a role is created it is automatically granted to the user creating it:
SQL> conn / as sysdba
Connected.
SQL> create user testrole identified by ****;
User created.
SQL> grant create session, create role to ****;
Grant succeeded.
SQL> conn testrole
Connected.
SQL> select * from user_role_privs;
no rows selected
SQL> create role myrole1;
Role created.
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_ROLE
TESTROLE MYROLE1 YES YES NO
The following example shows that a user gets this error although only one role is granted to it directly:
SQL> create user testrole identified by *****;
User created.
SQL> create user testrole2 identified by ******;
User created.
SQL> grant create session, create role to testrole, testrole2;
Grant succeeded.
SQL> grant select on dba_role_privs to testrole;
Role granted.
SQL> conn testrole
Connected.
SQL> create role myrole;
Role created
begin
for rec in 1..148 loop
execute immediate 'create role trole'||rec;
execute immediate 'grant trole'||rec||' to myrole';
end loop;
end;
/
PL/SQL procedure successfully completed.
SQL> show user
USER is "TESTROLE"
SQL> grant myrole to testrole2;
Grant succeeded.
SQL> select count(*) from dba_role_privs where grantee='TESTROLE2';
COUNT(*)
1
SQL> conn testrole2
ERROR:
ORA-28031: maximum of 148 enabled roles exceeded
- Recently a full import was performed, and all the roles from the source database were created on the target database by the same user. This is really a consequence of the first cause above, roles being granted to the user who creates them, but it is worth mentioning separately because the roles were not explicitly created by the same user in the source database. Due to the way import tools work, the roles get created by the same user on the target DB.
- Recently an upgrade was performed. Before the upgrade the number of roles granted to a certain user was under 148, but in the new version new roles get created and eventually get granted to older roles. This way the total number of roles granted directly or recursively can exceed the limit.
References
MOS document id: 780749.1