Solved

maximum of 30 enabled roles exceeded

Posted on 2004-09-29
5
3,139 Views
Last Modified: 2012-08-13
Hi,

I am working in a "security" project, and I have prepared 60 roles (3 per schema, SELECT, OPER and ADMIN)
As you can notice this database have 20+ schemas, each one with its own processes.
Later I may need to create more roles (not per schema but per department) as HR, FINANCE, etc.

The problem is that as soon as I ran the script that created the roles (even without assigning the privileges) the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded"

Now, why this happened if I havent even assigned the roles to users?

Any help will be gratly appreciated.

Carlos
0
Comment
Question by:fadeshadow
5 Comments
 
LVL 23

Expert Comment

by:seazodiac
ID: 12185726
try to log in as sysdba, and do a database shutdown immediate


and modify init<SID>.ora file

add this line;

MAX_ENABLED_ROLES = 60

and restart the database
0
 
LVL 8

Expert Comment

by:baonguyen1
ID: 12186343
Just as more to seazodiac's post:

To find how large the MAX_ENABLED_ROLES parameter in init.ora to make it, execute the following SQL statements:
 
---> in 9i :
 
     SQL> SELECT grantee, count(*)
          FROM  (SELECT grantee, granted_role
                 FROM dba_role_privs
                 CONNECT BY PRIOR grantee = granted_role)
          GROUP BY grantee
          HAVING count(*) = (SELECT max(count(*))
                             FROM (SELECT grantee, granted_role
                                   FROM dba_role_privs
                                   CONNECT BY PRIOR grantee=granted_role)
                                   GROUP BY grantee);
 
---> in 8i: as CONNECT BY is not usable with GROUP BY, create a temporary
            table that selects the rows from the dictionary view before:
 
     SQL> drop table tempo_roles;  
     SQL> create table tempo_roles
          as select grantee, granted_role
          from dba_role_privs;
     SQL> select grantee,count(*)
          from (SELECT grantee, granted_role
                FROM tempo_roles
                CONNECT BY PRIOR grantee = granted_role)
          where grantee in (select username from dba_users)
          group by grantee
          having count(*) = (select max(count(*))
                             from (SELECT grantee, granted_role
                             FROM tempo_roles
                             CONNECT BY PRIOR grantee = granted_role)
                             group by grantee);
 
to get the highest current number of roles assigned to a user.
 
0
 
LVL 1

Author Comment

by:fadeshadow
ID: 12189591
Thanks to all for your comments, but none of you really response to my question, I will post ONLY the question again to see if I make me understand better:

"As soon as I created 60 roles the databases do not allowed me to login as SYSTEM indicating: "ORA-01925: maximum of 30 enabled roles exceeded""
"Now, why this happened if I havent even assigned the roles to users?"

I really appreciate your comments and I know what the parameter MAX_ENABLED_ROLES means, I also know that it is a static parameter that will require to restart the database, but why I received this message just creating the new roles?

I was thinking that maybe SYSTEM auto self grants any new role, or somethink like that.

BTW baonguyen, I ran the script and returned that System has 53 roles, it is that possible when the max_enabled_roles is 30?

regards again.

Carlos

0
 
LVL 7

Accepted Solution

by:
BobMc earned 250 total points
ID: 12192096
You are correct, when you create a role, it is automatically granted to the creator with admin privs - otherwise you wouldnt be able to grant it on to any users!


HTH
Bob
0
 

Expert Comment

by:TheGoToGuy
ID: 12194460
As a general database setup, I always set the parameter MAX_ENABLED_ROLES to 125 in the init.ora file.  It seems to be enough.  And of course System is granted access to roles it creates because it has the GRANT ANY ROLE system privilege because of the DBA role it has.

RWB
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
execute immediate plsql block 5 46
su - oracle could not open session 6 77
Oracle 10g standard edition server with 4 processors 3 54
constraint check 2 40
Working with Network Access Control Lists in Oracle 11g (part 2) Part 1: http://www.e-e.com/A_8429.html Previously, I introduced the basics of network ACL's including how to create, delete and modify entries to allow and deny access.  For many…
How to Create User-Defined Aggregates in Oracle Before we begin creating these things, what are user-defined aggregates?  They are a feature introduced in Oracle 9i that allows a developer to create his or her own functions like "SUM", "AVG", and…
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question