You can specify EXTERNAL ROLE in the standard CREATE and DROP ROLE syntax to create or drop external roles for directory users. The user that runs a CREATE EXTERNAL ROLE or DROP EXTERNAL ROLE statement must have CREATE ROLE and DROP ROLE privileges. For example:
CREATE EXTERNAL ROLE ext_role_name;
or
DROP EXTERNAL ROLE ext_role_name;
If you drop a database role while including EXTERNAL in the syntax, or drop an external role without including the EXTERNAL keyword, the system returns an error, for example:
DROP EXTERNAL ROLE dbrole;
Result:
Failure 5933: Role being dropped is not an external role
DROP ROLE extrole;
Result:
Failure 5934: Role being dropped is an external role
A user can occupy a maximum of 50 roles. If the maximum is exceeded, an error is reported.
The system records external roles in the data dictionary, along with database roles, but when you map an external role to a directory user, the system does not insert a row in DBC.RoleGrants.
The method for granting privileges to an external role is similar to granting privileges to a database role. See Creating Roles.
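The following is an added example, not part of the original documentation, of how an access review can account for external roles: because mapping a directory user to an external role adds no row to DBC.RoleGrants, the dictionary shows what an external role can do, not which directory users are mapped to it. The names ext_hr_readers and hr_db are hypothetical, and the views DBC.RoleInfoV (with an ExtRole column) and DBC.AllRoleRightsV are assumptions to confirm against the Data Dictionary reference for your release.

```sql
-- Added example. ext_hr_readers and hr_db are hypothetical names.
-- The submitting user needs the CREATE ROLE privilege.
CREATE EXTERNAL ROLE ext_hr_readers;

-- Privileges are granted the same way as for a database role.
GRANT SELECT ON hr_db TO ext_hr_readers;

-- Inventory every external role and the privileges it carries.
-- Assumption: DBC.RoleInfoV.ExtRole is 'Y' for external roles and
-- DBC.AllRoleRightsV lists the rights granted to each role.
-- The LEFT JOIN keeps external roles that have no privileges yet,
-- so unused roles show up in the review as well.
SELECT ri.RoleName,
       ri.CreatorName,
       ri.CreateTimeStamp,
       rr.DatabaseName,
       rr.TableName,
       rr.AccessRight,
       rr.GrantorName
FROM DBC.RoleInfoV AS ri
LEFT JOIN DBC.AllRoleRightsV AS rr
       ON rr.RoleName = ri.RoleName
WHERE ri.ExtRole = 'Y'
ORDER BY ri.RoleName, rr.DatabaseName, rr.TableName, rr.AccessRight;

-- Remove the hypothetical role; EXTERNAL is required here,
-- otherwise the statement fails with error 5934.
DROP EXTERNAL ROLE ext_hr_readers;
```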