Roles are used to define privileges on database objects for multiple users. A user who is assigned a role can access all the objects on which the role and its nested roles have privileges. Users can only be assigned a role that has been granted to them.
You can grant a newly created role to a user or other role before the role has privileges on any database objects.
An unlimited number of roles can be granted to a role or user.
Roles cannot be granted on themselves, on PUBLIC, or on any of the following privileges:
- CREATE PROFILE
- CREATE ROLE
- CREATE USER
- CREATE ZONE
- CTCONTROL
- DROP PROFILE
- DROP ROLE
- DROP USER
- DROP ZONE
- ZONE OVERRIDE
Roles can only be nested one level deep. Thus, a role that has a nested role cannot also be a nested role. This is a deviation from the ANSI/ISO SQL:2011 standard, which allows multiple nesting levels.
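The one-level nesting rule and the "role plus its nested roles" access rule, modeled as an added example that is not code from the database vendor. The function names, the in-memory maps and the sample roles and users are all hypothetical, and the self-grant check reflects one reading of the "themselves" restriction above.

```python
# Added illustration: a small in-memory model of the rules stated above.
# All names (grant_role_to_role, effective_roles, sample roles) are hypothetical.

def nesting_violation(nested_in, role, grantee):
    """Return the reason GRANT <role> TO <grantee role> is invalid, or None.

    nested_in maps a parent role to the set of roles nested directly in it.
    """
    if role == grantee:
        # Assumption: "themselves" is read as a role granted to itself.
        return "a role cannot be granted to itself"
    if nested_in.get(role):
        return f"{role} has nested roles, so it cannot itself be nested"
    if any(grantee in children for children in nested_in.values()):
        return f"{grantee} is a nested role, so it cannot have nested roles"
    return None


def grant_role_to_role(nested_in, role, grantee):
    """Record the grant, or raise ValueError when it would nest two levels."""
    reason = nesting_violation(nested_in, role, grantee)
    if reason:
        raise ValueError(reason)
    nested_in.setdefault(grantee, set()).add(role)


def effective_roles(nested_in, user_roles, user):
    """Roles whose object privileges the user reaches: granted roles plus their nested roles."""
    reached = set()
    for role in user_roles.get(user, ()):
        reached.add(role)
        reached |= nested_in.get(role, set())
    return reached


# Constructed sample data.
nested_in = {}
grant_role_to_role(nested_in, "reporting", "analyst")  # analyst now contains reporting
user_roles = {"alice": {"analyst"}, "bob": {"reporting"}}

if __name__ == "__main__":
    print(sorted(effective_roles(nested_in, user_roles, "alice")))
    for role, grantee in [("analyst", "admin"), ("audit", "reporting"), ("audit", "analyst")]:
        print(role, "->", grantee, ":", nesting_violation(nested_in, role, grantee) or "allowed")
```

When reviewing access, the set returned by `effective_roles` is the one to audit, since granting a single parent role silently brings every nested role's object privileges with it.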