The DBMS `USER MANAGEMENT` privileges
AuraDB Business CriticalAuraDB Virtual Dedicated CloudEnterprise Edition

The DBMS privileges for user management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 1. User management privileges command syntax
Command	Description
`GRANT [IMMUTABLE] CREATE USER ON DBMS TO role[, ...]`	Enables the specified roles to create new users.
`GRANT [IMMUTABLE] RENAME USER ON DBMS TO role[, ...]`	Enables the specified roles to change the name of users.
`GRANT [IMMUTABLE] ALTER USER ON DBMS TO role[, ...]`	Enables the specified roles to modify users.
`GRANT [IMMUTABLE] SET PASSWORD[S] ON DBMS TO role[, ...]`	Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login.
`GRANT [IMMUTABLE] SET AUTH ON DBMS TO role[, ...]`	Enables the specified roles to `SET` or `REMOVE` users' auth providers.
`GRANT [IMMUTABLE] SET USER HOME DATABASE ON DBMS TO role[, ...]`	Enables the specified roles to modify users' home database.
`GRANT [IMMUTABLE] SET USER STATUS ON DBMS TO role[, ...]`	Enables the specified roles to modify the account status of users.
`GRANT [IMMUTABLE] DROP USER ON DBMS TO role[, ...]`	Enables the specified roles to delete users.
`GRANT [IMMUTABLE] SHOW USER ON DBMS TO role[, ...]`	Enables the specified roles to list users.
`GRANT [IMMUTABLE] USER MANAGEMENT ON DBMS TO role[, ...]`	Enables the specified roles to create, delete, modify, and list users.

Grant privilege to create users

You can grant the privilege to add users using the CREATE USER privilege.
For example:

GRANT CREATE USER ON DBMS TO userAdder

As a result, the userAdder role has privileges that only allow adding users. To list all privileges for the role userAdder as commands, use the following query:

SHOW ROLE userAdder PRIVILEGES AS COMMANDS;

Table 2. Result
command
"GRANT CREATE USER ON DBMS TO `userAdder`"
Rows: 1

Grant privilege to rename users

You can grant the privilege to rename users using the RENAME USER privilege.
For example:

GRANT RENAME USER ON DBMS TO userNameModifier

As a result, the userNameModifier role has privileges that only allow renaming users. To list all privileges for the role userNameModifier as commands, use the following query:

SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS;

Table 3. Result
command
"GRANT RENAME USER ON DBMS TO `userNameModifier`"
Rows: 1

Grant privilege to modify users

You can grant the privilege to modify users using the ALTER USER privilege.
For example:

GRANT ALTER USER ON DBMS TO userModifier

As a result, the userModifier role has privileges that only allow modifying users. To list all privileges for the role userModifier as commands, use the following query:

SHOW ROLE userModifier PRIVILEGES AS COMMANDS;

Table 4. Result
command
"GRANT ALTER USER ON DBMS TO `userModifier`"
Rows: 1

The ALTER USER privilege allows the user to run the ALTER USER administration command with one or several of the SET PASSWORD, SET PASSWORD CHANGE [NOT] REQUIRED, SET AUTH, REMOVE AUTH, SET STATUS, SET HOME DATABASE, and REMOVE HOME DATABASE parts.
For example:

ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED

Note that the combination of the SET PASSWORDS, SET AUTH, SET USER STATUS, and SET USER HOME DATABASE privileges is equivalent to the ALTER USER privilege.

Grant privilege to modify users' passwords

You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the SET PASSWORDS privilege.
For example:

GRANT SET PASSWORDS ON DBMS TO passwordModifier

As a result, the passwordModifier role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. To list all privileges for the role passwordModifier as commands, use the following query:

SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS;

Table 5. Result
command
"GRANT SET PASSWORD ON DBMS TO `passwordModifier`"
Rows: 1

The SET PASSWORDS privilege allows the user to run the ALTER USER administration command with one or both of the SET PASSWORD and SET PASSWORD CHANGE [NOT] REQUIRED parts.

ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED

Grant privilege to modify users' auth information

You can grant the privilege to modify users' auth information using the SET AUTH privilege.
For example:

GRANT SET AUTH ON DBMS TO authModifier

As a result, the authModifier role has privileges that only allow modifying users' auth information.

The SET AUTH privilege allows the user to run the ALTER USER administration command with one or both of the SET AUTH and REMOVE AUTH parts.
For example:

ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }

Grant privilege to modify the account status of users

You can grant the privilege to modify the account status of users using the SET USER STATUS privilege.
For example:

GRANT SET USER STATUS ON DBMS TO statusModifier

As a result, the statusModifier role has privileges that only allow modifying the account status of users. To list all privileges for the role statusModifier as commands, use the following query:

SHOW ROLE statusModifier PRIVILEGES AS COMMANDS;

Table 6. Result
command
"GRANT SET USER STATUS ON DBMS TO `statusModifier`"
Rows: 1

The SET USER STATUS privilege allows the user to run the ALTER USER administration command with only the SET STATUS part:

ALTER USER jake SET STATUS ACTIVE

Grant privilege to modify the home database of users

You can grant the privilege to modify the home database of users using the SET USER HOME DATABASE privilege.
For example:

GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier

As a result, the homeDbModifier role has privileges that only allow modifying the home database of users. To list all privileges for the role homeDbModifier as commands, use the following query:

SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS;

Table 7. Result
command
"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`"
"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`"
Rows: 2

The SET USER HOME DATABASE privilege allows the user to run the ALTER USER administration command with only the SET HOME DATABASE or REMOVE HOME DATABASE part:

ALTER USER jake SET HOME DATABASE otherDb

ALTER USER jake REMOVE HOME DATABASE

Grant privilege to delete users

You can grant the privilege to delete users using the DROP USER privilege.
For example:

GRANT DROP USER ON DBMS TO userDropper

As a result, the userDropper role has privileges that only allow deleting users. To list all privileges for the role userDropper as commands, use the following query:

SHOW ROLE userDropper PRIVILEGES AS COMMANDS;

Table 8. Result
command
"GRANT DROP USER ON DBMS TO `userDropper`"
Rows: 1

Grant privilege to show users

You can grant the privilege to show users using the SHOW USER privilege.
For example:

GRANT SHOW USER ON DBMS TO userViewer

As a result, the userViewer role has privileges that only allow showing users. To list all privileges for the role userViewer as commands, use the following query:

SHOW ROLE userViewer PRIVILEGES AS COMMANDS;

Table 9. Result
command
"GRANT SHOW USER ON DBMS TO `userViewer`"
Rows: 1

Grant privilege to manage users

You can grant the privilege to create, rename, modify, delete, and list users using the USER MANAGEMENT privilege.
For example:

GRANT USER MANAGEMENT ON DBMS TO userManager

As a result, the userManager role has all privileges to manage users. To list all privileges for the role userManager as commands, use the following query:

SHOW ROLE userManager PRIVILEGES AS COMMANDS;

Table 10. Result
command
"GRANT SHOW USER ON DBMS TO `userManager`"
Rows: 1

The DBMS USER MANAGEMENT privilegesAuraDB Business CriticalAuraDB Virtual Dedicated CloudEnterprise Edition