Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 17 » SQL Anywhere Server - Database Administration » User and database security » User security (roles and privileges) » Privileges

System privileges

There are many system privileges that can be granted.

You can view the roles and privileges a user has from SQL Central by clicking them and viewing the details that are displayed. You can also retrieve the details by using the sp_displayroles system procedure.

Note By default, all system privileges are inherited by a user who has the SYS_RUN_REPLICATION_ROLE system role. This configuration is required because the SYS_AUTH_DBA_ROLE compatibility role is granted to SYS_RUN_REPLICATION_ROLE. You can revoke the SYS_AUTH_DBA_ROLE compatibility role from SYS_RUN_REPLICATION_ROLE to prevent this, and then grant only the privileges your replication requires to the SYS_RUN_REPLICATION_ROLE system role. However, a user granted the SYS_RUN_REPLICATION_ROLE system role can only exercise the privileges of this role on remote connections.
List of system privileges
System privilege according to object or functionality Description Users/roles can inherit from:
Databases    
ALTER DATABASE

Allows a user to:

  • Upgrade a database.

  • Perform cost model calibration.

  • Load database statistics.

  • Alter transaction logs (also requires the SERVER OPERATOR system privilege).

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
BACKUP DATABASE Allows a user to back up a database.
  • DIAGNOSTICS
  • SYS_AUTH_BACKUP_ROLE
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_PROFILE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
CHECKPOINT Allows a user to force the database server to execute a checkpoint.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
DROP CONNECTION Allows a user to drop any connections to the database.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE PROFILING Allows a user to manage database server tracing.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_PROFILE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
MONITOR Allows a user to monitor a database, including accessing privileged statistics, connected users, and locks.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
Database options    
SET ANY PUBLIC OPTION Allows a user to set PUBLIC database options that do not require the SET ANY SECURITY OPTION or the SET ANY SYSTEM OPTION system privileges.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
SET ANY SECURITY OPTION Allows a user to set any PUBLIC security database options.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
SET ANY SYSTEM OPTION Allows a user to set PUBLIC system database options.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
SET ANY USER DEFINED OPTION Allows a user to set user-defined database options.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
Data types    
ALTER DATATYPE Allows a user to alter data types.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE DATATYPE Allows a user to create data types.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP DATATYPE Allows a user to drop data types.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Dbspaces    
MANAGE ANY DBSPACE

Allows a user to:

  • Create, alter, drop, and comment on dbspaces.

  • Grant and revoke CREATE privileges on dbspaces.

  • Move data to any dbspace.

  • Run the database delete file function.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
Debugging    
DEBUG ANY PROCEDURE Allows a user to debug procedures, functions, triggers, and events.
  • SA_DEBUG
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Events    
MANAGE ANY EVENT Allows a user to create, alter, drop, trigger, and comment on events.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
External environments    
CREATE EXTERNAL REFERENCE

Allows a user to create external references in the database.

You must have the system privileges required to create specific database objects before you can create external references.

For example, creating a self-owned text configuration object that uses an external term breaker and/or prefilter requires both the CREATE TEXT CONFIGURATION and CREATE EXTERNAL REFERENCE system privileges.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
MANAGE ANY EXTERNAL ENVIRONMENT

Allows a user to alter, comment on, start, and stop external environments.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE ANY EXTERNAL OBJECT Allows a user to install, comment on, and remove external environment objects.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Files, directories, and disk drives    
ACCESS DISK INFORMATION Allows a user to access information regarding the total disk size and the remaining disk space by using the sp_disk_info system procedure.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
READ CLIENT FILE Allows a user to read files on the client computer.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_READCLIENTFILE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
READ FILE Allows a user to read files on the database server computer.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_READFILE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
WRITE CLIENT FILE Allows a user to write files to the client computer.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_AUTH_WRITECLIENTFILE_ROLE
  • SYS_RUN_REPLICATION_ROLE
WRITE FILE Allows a user to write files on the database server computer.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_AUTH_WRITEFILE_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
Indexes    
ALTER ANY INDEX Allows a user to alter and comment on indexes and text indexes on tables and views owned by any user.
  • DIAGNOSTICS
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_PROFILE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY INDEX Allows a user to create and comment on indexes and text indexes on tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY INDEX Allows a user to drop indexes and text indexes on tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
LDAP    
MANAGE ANY LDAP SERVER Allows a user to create, alter, drop, validate, and comment on LDAP servers.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
OData    
MANAGE ODATA Allows a user to create, alter, and drop OData producer objects.
  • SYS_RUN_REPLICATION_ROLE
  • SYS_AUTH_SA_ROLE
VERIFY ODATA Allows a user to be referenced in the AUTHENTICATION USER or ADMIN USER clause of the CREATE ODATA PRODUCER and ALTER ODATA PRODUCER statements. If a user without this privilege is referenced, then the OData producer returns an error.
  • SYS_RUN_REPLICATION_ROLE
  • SYS_AUTH_SSO_ROLE
Materialized views    
ALTER ANY MATERIALIZED VIEW Allows a user to alter and comment on materialized views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY MATERIALIZED VIEW Allows a user to create and comment on materialized views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE MATERIALIZED VIEW Allows a user to create and comment on self-owned materialized views.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY MATERIALIZED VIEW Allows a user to drop materialized views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Messages    
CREATE MESSAGE Allows a user to create messages.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP MESSAGE Allows a user to drop messages.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Miscellaneous    
ALTER ANY OBJECT

Allows a user to alter and comment on the following types of objects owned by any user:

  • Data types

  • Events

  • Functions

  • Indexes

  • Materialized views

  • Messages

  • Procedures

  • Sequence generators

  • Spatial reference systems

  • Spatial units of measure

  • Statistics

  • Tables

  • Text configuration objects

  • Text indexes

  • Triggers

  • Views

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
ALTER ANY OBJECT OWNER Allows a user to alter the owner of any type of object.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
COMMENT ANY OBJECT Allows a user to comment on any type of object that can be created using the CREATE ANY OBJECT system privilege.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY OBJECT

Allows a user to create and comment on the following types of objects owned by any user:

  • Data types

  • Events

  • Functions

  • Indexes

  • Materialized views

  • Messages

  • Procedures

  • Sequence generators

  • Spatial reference systems

  • Spatial units of measure

  • Statistics

  • Tables

  • Text configuration objects

  • Text indexes

  • Triggers

  • Views

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY OBJECT

Allows a user to drop the following types of objects owned by any user:

  • Data types

  • Events

  • Functions

  • Indexes

  • Materialized views

  • Messages

  • Procedures

  • Sequence generators

  • Spatial reference systems

  • Spatial units of measure

  • Statistics

  • Tables

  • Text configuration objects

  • Text indexes

  • Triggers

  • Views

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE ANY OBJECT PRIVILEGE

Allows a user to:

  • Grant and revoke SELECT, INSERT, DELETE, UPDATE, ALTER, REFERENCES, LOAD, and TRUNCATE privileges on tables owned by any user.

  • Grant and revoke SELECT, INSERT, DELETE, and UPDATE privileges on views owned by any user.

  • Grant and revoke EXECUTE privileges on procedures and functions owned by any user.

  • Grant and revoke USAGE privileges on sequence generators owned by any user.

  • Grant and revoke CREATE privileges on dbspaces.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
MANAGE CACHED PLANS Allows a user to access statistics related to cached plans on any connection.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE CERTIFICATES Allows a user to create, alter, drop, and comment on certificates.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE TIME ZONE Allows a user to create, alter, and drop simulated time zones.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
REORGANIZE ANY OBJECT Allows a user to reorganize tables and materialized views.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
VALIDATE ANY OBJECT Allows a user to validate tables, materialized views, indexes, and text indexes.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_AUTH_VALIDATE_ROLE
  • SYS_RUN_REPLICATION_ROLE
Mirror servers    
MANAGE ANY MIRROR SERVER

Allows a user to:

  • Create, alter, drop, and comment on mirror servers.

  • Change mirror server parameters.

  • Set mirror server options.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Mutexes and semaphores  
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
CREATE ANY MUTEX SEMAPHORE

Allows a user to create a mutex or semaphore owned by any user.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
UPDATE ANY MUTEX SEMAPHORE

Allows a user to update a mutex or semaphore owned by any user.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
DROP ANY MUTEX SEMAPHORE

Allows a user to drop a mutex or semaphore owned by any user.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
Procedures    
ALTER ANY PROCEDURE Allows a user to alter and comment on procedures and functions owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
CREATE ANY PROCEDURE Allows a user to create and comment on procedures and functions owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
CREATE PROCEDURE Allows a user to create self-owned procedures and functions.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY PROCEDURE Allows a user to drop procedures and functions owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
EXECUTE ANY PROCEDURE Allows a user to execute procedures and functions owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Auditing    
MANAGE AUDITING Allows a user to run the following auditing-related system procedures:
  • sa_audit_string
  • sp_trace_events (with the include_audit_events bit set)
  • sp_trace_event_fields (with the include_audit_events bit set)
  • sp_trace_event_session_events (with the include_audit_events bit set)
  • sp_trace_event_session_targets (with the include_audit_events bit set)
  • sp_trace_event_session_target_options (with the include_audit_events bit set)
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
Email    
SEND EMAIL

Allows a user to run the following mail-related system procedures:

  • xp_get_mail_error_code
  • xp_get_mail_error_text
  • xp_startmail
  • xp_stopmail
  • xp_startsmtp
  • xp_stopsmtp
  • xp_sendmail
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Replication    
MANAGE REPLICATION

Allows a user to:

  • Create, alter, drop, and comment on publications.

  • Create, alter, and drop MobiLink users.

  • Create, alter, drop, start, stop, and synchronize SQL Remote and synchronization subscriptions.

  • Create, alter, drop, and comment on synchronization profiles.

  • Create, alter, drop, and comment on SQL Remote message types.

  • Set remote options.

  • Start and stop schema synchronization.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
Roles    
MANAGE ROLES

Allows a user to create new roles and act as a global administrator for new and existing roles. By default, MANAGE ROLES is granted administrative rights on each newly created role.

Administration of a role can also be granted directly to users either during or after the creation of the role. When granted directly to a user, the user does not require the MANAGE ROLES system privilege to administer the role.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
UPGRADE ROLE

Allows a user to be a default administrator of any system privilege that is introduced when upgrading a SQL Anywhere database from version 16.0.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Sequences    
ALTER ANY SEQUENCE Allows a user to alter sequence generators owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY SEQUENCE Allows a user to create sequence generators, regardless of owner.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY SEQUENCE Allows a user to drop sequence generators owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
USE ANY SEQUENCE Allows a user to use sequence generators owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Server operators    
MANAGE ANY PROPERTY HISTORY Allows a user to turn on and configure the tracking of database server property values.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE LISTENERS Allows a user to start and stop network listeners.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
SERVER OPERATOR

Allows a user to:

  • Create, restore, drop, start, and stop databases, change ownership of a database, and restore the catalog (only).

  • Create, alter, and drop remote servers and directory access servers.

  • Manage a server cache.

  • Start and stop database servers.

  • Create encrypted and decrypted databases and files.

  • Change a database transaction log.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
Spatial objects    
MANAGE ANY SPATIAL OBJECT

Allows a user to create, alter, drop, and comment on spatial reference systems and spatial unit of measures.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SPATIAL_ADMIN_ROLE
Statistics    
MANAGE ANY STATISTICS Allows a user to create, alter, drop, and update database statistics for any table.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Tables    
ALTER ANY TABLE

Allows a user to:

  • Alter and comment on tables (including proxy tables) owned by any user.

  • Comment on columns in tables (including proxy tables) owned by any user.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY TABLE

Allows a user to:

  • Create and comment on tables (including proxy tables) owned by any user.

  • Comment on columns in tables (including proxy tables) owned by any user.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
  • SYS_RUN_PROFILER_ROLE
CREATE PROXY TABLE

Allows a user to create self-owned proxy tables.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE TABLE

Allows a user to create self-owned tables.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DELETE ANY TABLE Allows a user to delete rows in tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
DROP ANY TABLE Allows a user to drop tables (including proxy tables) owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
INSERT ANY TABLE Allows a user to insert rows into tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
LOAD ANY TABLE Allows a user to load data into tables owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
SELECT ANY TABLE Allows a user to query tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
TRUNCATE ANY TABLE Allows a user to truncate data for tables and materialized views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
UPDATE ANY TABLE Allows a user to update rows in tables and views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
Text configuration objects    
ALTER ANY TEXT CONFIGURATION Allows a user to alter and comment on text configuration objects owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY TEXT CONFIGURATION Allows a user to create and comment on text configuration objects owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE TEXT CONFIGURATION Allows a user to create self-owned text configuration objects.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY TEXT CONFIGURATION Allows a user to drop text configuration objects owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Tracing    
MANAGE ANY TRACE SESSION Allows a user to perform all event tracing-related operations, with the exception of triggering a user trace event.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
NOTIFY TRACE EVENT Allows a user to trigger a user trace event.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_RUN_PROFILER_ROLE
Triggers    
ALTER ANY TRIGGER Allows a user to alter and comment on triggers on tables and views.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY TRIGGER Allows a user to create and comment on triggers on tables and views.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Users and login management    
ACCESS USER PASSWORD

Allows a user to access views that contain password hashes, and perform operations that involve accessing passwords, such as unloading, extracting, or comparing databases.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
CHANGE PASSWORD

Allows a user to manage user passwords for any user.

This system privilege can apply to all users, or it can be limited to a set of specified users, or users who are granted one or more specified roles.

This system privilege is not required to change a user's own password.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE ANY LOGIN POLICY Allows a user to create, alter, drop, and comment on login policies.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
MANAGE ANY USER

Allows a user to:

  • Create, alter, drop, and comment on database users (including assigning an initial password).

  • Force a password change on next login for any user.

  • Assign and reset the login policy for any user.

  • Create, drop, and comment on integrated logins and Kerberos logins.

  • Create and drop external logins.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_REPLICATION_ADMIN_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_SAMONITOR_ADMIN_ROLE
SET USER

Allows a user to temporarily assume the roles and privileges of another user.

This system privilege can apply to all users, or can be limited to a set of specified users, or users who are granted one or more specified roles.

  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_AUTH_SSO_ROLE
  • SYS_RUN_REPLICATION_ROLE
Variables    
CREATE DATABASE VARIABLE Allows a user to create, select from, update, and drop self-owned database-scope variables.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
MANAGE ANY DATABASE VARIABLE Allows a user to create and drop database-scope variables owned by self or by PUBLIC.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
SELECT PUBLIC DATABASE VARIABLE Allows a user to select the value of a database-scope variable owned by PUBLIC.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
UPDATE PUBLIC DATABASE VARIABLE Allows a user to update database-scope variables owned by PUBLIC.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Views    
ALTER ANY VIEW Allows a user to alter and comment on views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE ANY VIEW Allows a user to create and comment on views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
CREATE VIEW Allows a user to create self-owned views.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_RESOURCE_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
DROP ANY VIEW Allows a user to drop views owned by any user.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
Web services    
MANAGE ANY WEB SERVICE Allows a user to create, alter, drop, and comment on web services.
  • SYS_AUTH_DBA_ROLE
  • SYS_AUTH_SA_ROLE
  • SYS_RUN_REPLICATION_ROLE
  • SYS_REPLICATION_ADMIN_ROLE