You can specify EXTERNAL ROLE in the standard CREATE/DROP ROLE syntax to create external roles for directory users. The user that executes a CREATE/DROP EXTERNAL ROLE statement must have CREATE ROLE and DROP ROLE privileges. For example:
CREATE EXTERNAL ROLE ext_role_name;
DROP EXTERNAL ROLE ext_role_name;
DROP EXTERNAL ROLE dbrole; Failure 5933: Role being dropped is not an external role DROP ROLE extrole; Failure 5934: Role being dropped is an external role
The system records external roles in the data dictionary, along with database roles, but when you map an external role to a directory user, the system does not insert a row in DBC.RoleGrants.
The method for granting privileges to an external role is similar to granting privileges to a database role. See Creating Roles.