maximum of 30 enabled roles exceeded

Posted on 2004-09-29
Medium Priority
Last Modified: 2012-08-13

I am working in a "security" project, and I have prepared 60 roles (3 per schema, SELECT, OPER and ADMIN)
As you can notice this database have 20+ schemas, each one with its own processes.
Later I may need to create more roles (not per schema but per department) as HR, FINANCE, etc.

The problem is that as soon as I ran the script that created the roles (even without assigning the privileges) the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded"

Now, why this happened if I havent even assigned the roles to users?

Any help will be gratly appreciated.

Question by:fadeshadow
LVL 23

Expert Comment

ID: 12185726
try to log in as sysdba, and do a database shutdown immediate

and modify init<SID>.ora file

add this line;


and restart the database

Expert Comment

ID: 12186343
Just as more to seazodiac's post:

To find how large the MAX_ENABLED_ROLES parameter in init.ora to make it, execute the following SQL statements:
---> in 9i :
     SQL> SELECT grantee, count(*)
          FROM  (SELECT grantee, granted_role
                 FROM dba_role_privs
                 CONNECT BY PRIOR grantee = granted_role)
          GROUP BY grantee
          HAVING count(*) = (SELECT max(count(*))
                             FROM (SELECT grantee, granted_role
                                   FROM dba_role_privs
                                   CONNECT BY PRIOR grantee=granted_role)
                                   GROUP BY grantee);
---> in 8i: as CONNECT BY is not usable with GROUP BY, create a temporary
            table that selects the rows from the dictionary view before:
     SQL> drop table tempo_roles;  
     SQL> create table tempo_roles
          as select grantee, granted_role
          from dba_role_privs;
     SQL> select grantee,count(*)
          from (SELECT grantee, granted_role
                FROM tempo_roles
                CONNECT BY PRIOR grantee = granted_role)
          where grantee in (select username from dba_users)
          group by grantee
          having count(*) = (select max(count(*))
                             from (SELECT grantee, granted_role
                             FROM tempo_roles
                             CONNECT BY PRIOR grantee = granted_role)
                             group by grantee);
to get the highest current number of roles assigned to a user.

Author Comment

ID: 12189591
Thanks to all for your comments, but none of you really response to my question, I will post ONLY the question again to see if I make me understand better:

"As soon as I created 60 roles the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded""
"Now, why this happened if I havent even assigned the roles to users?"

I really appreciate your comments and I know what the parameter MAX_ENABLED_ROLES means, I also know that it is a static parameter that will require to restart the database, but why I received this message just creating the new roles?

I was thinking that maybe SYSTEM auto self grants any new role, or somethink like that.

BTW baonguyen, I ran the script and returned that System has 53 roles, it is that possible when the max_enabled_roles is 30?

regards again.



Accepted Solution

BobMc earned 1000 total points
ID: 12192096
You are correct, when you create a role, it is automatically granted to the creator with admin privs - otherwise you wouldnt be able to grant it on to any users!


Expert Comment

ID: 12194460
As a general database setup, I always set the parameter MAX_ENABLED_ROLES to 125 in the init.ora file.  It seems to be enough.  And of course System is granted access to roles it creates because it has the GRANT ANY ROLE system privilege because of the DBA role it has.


Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Working with Network Access Control Lists in Oracle 11g (part 1) Part 2: http://www.e-e.com/A_9074.html So, you upgraded to a shiny new 11g database and all of a sudden every program that used UTL_MAIL, UTL_SMTP, UTL_TCP, UTL_HTTP or any oth…
I remember the day when someone asked me to create a user for an application developement. The user should be able to create views and materialized views and, so, I used the following syntax: (CODE) This way, I guessed, I would ensure that use…
This video shows setup options and the basic steps and syntax for duplicating (cloning) a database from one instance to another. Examples are given for duplicating to the same machine and to different machines
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question