You can specify EXTERNAL ROLE in the standard CREATE/DROP ROLE syntax to create or drop external roles for directory users. The user who executes a CREATE/DROP EXTERNAL ROLE statement must have CREATE ROLE and DROP ROLE privileges. For example:
CREATE EXTERNAL ROLE ext_role_name;
or
DROP EXTERNAL ROLE ext_role_name;
If you drop a database role while including EXTERNAL in the syntax, or drop an external role without including EXTERNAL, the system returns an error, for example:
DROP EXTERNAL ROLE dbrole;
Failure 5933: Role being dropped is not an external role
DROP ROLE extrole;
Failure 5934: Role being dropped is an external role
The system records external roles in the data dictionary, along with database roles, but when you map an external role to a directory user, the system does not insert a row in DBC.RoleGrants.
The method for granting privileges to an external role is similar to granting privileges to a database role. See Creating Roles.
A user can occupy a maximum of 50 roles. If the maximum is exceeded, an error is reported.