Roles

Granting individual privileges to individual users can incur a substantial amount of overhead, especially for enterprise systems with large numbers of users. Roles are designed to simplify the management of privileges.

Privileges can be granted to roles, and users are then assigned to those roles. Privilege maintenance is performed on roles and affects all users with those roles. In addition, roles can be selectively enabled and disabled for users, depending on context. In this way, you can use roles to combine sets of privileges that will be granted as a whole. For instance, you could have an ADMIN role that would give the appropriate permissions to an administrator.

A role can be granted to another role. If you give a user the parent role, by default that user will also be granted all of the roles granted to that parent role.

A user can be granted multiple roles. The number of roles that can be enabled at one time is limited by the initialization parameter MAX_ENABLED_ROLES. Multiple roles allow a single user to assume different sets of privileges at different times. If a role has other roles granted to it, using the parent role will have the effect of using all the child roles.

You can set one or more default roles using the ALTER USER statement. Default roles take effect when a user logs in to the Oracle database.
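The statements below are an added example, not taken from the book, that walk through the mechanics described above: privileges granted to roles, a role granted to another role, a restricted default role, and on-demand enabling of a more powerful role. The role names, the user SCOTT_APP (assumed to exist already), the HR.EMPLOYEES table, and the password are hypothetical placeholders.

```sql
-- Hypothetical roles; APP_ADMIN is password-protected so it cannot be
-- enabled with SET ROLE unless the password is supplied.
CREATE ROLE app_read;
CREATE ROLE app_write;
CREATE ROLE app_admin IDENTIFIED BY "ChangeMe_placeholder_1";

-- Privileges are granted to roles, not to individual users.
GRANT CREATE SESSION            TO app_read;
GRANT SELECT ON hr.employees    TO app_read;
GRANT INSERT, UPDATE ON hr.employees TO app_write;
GRANT DELETE ON hr.employees    TO app_admin;

-- Roles granted to roles: APP_ADMIN includes APP_WRITE, which includes APP_READ.
GRANT app_read  TO app_write;
GRANT app_write TO app_admin;

-- The user receives two roles, but only the least-privileged one is a default
-- role, so a fresh login starts with read-only access.
GRANT app_read, app_admin TO scott_app;
ALTER USER scott_app DEFAULT ROLE app_read;

-- Run as SCOTT_APP: enable the parent role for an administrative task.
-- Enabling the parent also enables its child roles.
SET ROLE app_admin IDENTIFIED BY "ChangeMe_placeholder_1";
SELECT role FROM session_roles;   -- roles currently enabled in this session

-- Drop back to the default roles when the task is finished.
SET ROLE app_read;

-- Run as a DBA: resolve every role the user holds, directly or through
-- nested role grants, and show which direct grants are default roles.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_tree,
       grantee,
       default_role,
       admin_option
FROM   dba_role_privs
START WITH grantee = 'SCOTT_APP'
CONNECT BY PRIOR granted_role = grantee
ORDER SIBLINGS BY granted_role;
```

The final query is useful when reviewing access, because a single grant of a parent role can carry privileges that are only visible once the nested grants are expanded.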
