Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

maximum of 30 enabled roles exceeded

Posted on 2004-09-29
5
Medium Priority
?
3,145 Views
Last Modified: 2012-08-13
Hi,

I am working in a "security" project, and I have prepared 60 roles (3 per schema, SELECT, OPER and ADMIN)
As you can notice this database have 20+ schemas, each one with its own processes.
Later I may need to create more roles (not per schema but per department) as HR, FINANCE, etc.

The problem is that as soon as I ran the script that created the roles (even without assigning the privileges) the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded"

Now, why this happened if I havent even assigned the roles to users?

Any help will be gratly appreciated.

Carlos
0
Comment
Question by:fadeshadow
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 23

Expert Comment

by:seazodiac
ID: 12185726
try to log in as sysdba, and do a database shutdown immediate


and modify init<SID>.ora file

add this line;

MAX_ENABLED_ROLES = 60

and restart the database
0
 
LVL 8

Expert Comment

by:baonguyen1
ID: 12186343
Just as more to seazodiac's post:

To find how large the MAX_ENABLED_ROLES parameter in init.ora to make it, execute the following SQL statements:
 
---> in 9i :
 
     SQL> SELECT grantee, count(*)
          FROM  (SELECT grantee, granted_role
                 FROM dba_role_privs
                 CONNECT BY PRIOR grantee = granted_role)
          GROUP BY grantee
          HAVING count(*) = (SELECT max(count(*))
                             FROM (SELECT grantee, granted_role
                                   FROM dba_role_privs
                                   CONNECT BY PRIOR grantee=granted_role)
                                   GROUP BY grantee);
 
---> in 8i: as CONNECT BY is not usable with GROUP BY, create a temporary
            table that selects the rows from the dictionary view before:
 
     SQL> drop table tempo_roles;  
     SQL> create table tempo_roles
          as select grantee, granted_role
          from dba_role_privs;
     SQL> select grantee,count(*)
          from (SELECT grantee, granted_role
                FROM tempo_roles
                CONNECT BY PRIOR grantee = granted_role)
          where grantee in (select username from dba_users)
          group by grantee
          having count(*) = (select max(count(*))
                             from (SELECT grantee, granted_role
                             FROM tempo_roles
                             CONNECT BY PRIOR grantee = granted_role)
                             group by grantee);
 
to get the highest current number of roles assigned to a user.
 
0
 
LVL 1

Author Comment

by:fadeshadow
ID: 12189591
Thanks to all for your comments, but none of you really response to my question, I will post ONLY the question again to see if I make me understand better:

"As soon as I created 60 roles the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded""
"Now, why this happened if I havent even assigned the roles to users?"

I really appreciate your comments and I know what the parameter MAX_ENABLED_ROLES means, I also know that it is a static parameter that will require to restart the database, but why I received this message just creating the new roles?

I was thinking that maybe SYSTEM auto self grants any new role, or somethink like that.

BTW baonguyen, I ran the script and returned that System has 53 roles, it is that possible when the max_enabled_roles is 30?

regards again.

Carlos

0
 
LVL 7

Accepted Solution

by:
BobMc earned 1000 total points
ID: 12192096
You are correct, when you create a role, it is automatically granted to the creator with admin privs - otherwise you wouldnt be able to grant it on to any users!


HTH
Bob
0
 

Expert Comment

by:TheGoToGuy
ID: 12194460
As a general database setup, I always set the parameter MAX_ENABLED_ROLES to 125 in the init.ora file.  It seems to be enough.  And of course System is granted access to roles it creates because it has the GRANT ANY ROLE system privilege because of the DBA role it has.

RWB
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I remember the day when someone asked me to create a user for an application developement. The user should be able to create views and materialized views and, so, I used the following syntax: (CODE) This way, I guessed, I would ensure that useā€¦
Shell script to create broker configuration file using current broker Configuration, solely for purpose of backup on Linux. Script may need to be modified depending on OS-installation. Please deploy and verify the script in a test environment.
This video explains at a high level with the mandatory Oracle Memory processes are as well as touching on some of the more common optional ones.
This video explains at a high level about the four available data types in Oracle and how dates can be manipulated by the user to get data into and out of the database.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question