Skip to Main Content

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Victor.

Asked: March 16, 2009 - 11:14 am UTC

Last updated: March 17, 2009 - 11:06 am UTC

Version: 10.2.0.4

Viewed 10K+ times! This question is

You Asked

Tom,

Thanks for maintaining such a good website!!!

Once in awhile we get the following Oracle message when attempting to login to Oracle.

ORA-28031: maximum of 148 enabled roles exceeded
(was surprised no one asked you about this yet)

This error prevents the user from logging into the db environment. (SYS still has access)

As a result I look through the list of roles we have and I drop the ones that are not being used anymore. Is there a better way of managing the roles?

Wouldn't this query give me a list of unassigned roles?
select drp.granted_role, drp.grantee, dr.role, dr.password_required
from dba_roles dr left outer join dba_role_privs drp
on dr.role = drp.granted_role
where granted_role is null
order by role;


This DB environment is a development environment so there are lots of schemas/roles. And schemas/roles are dropped and created on a daily basis.

Thanks,
Victor

and Tom said...

The error used to be ora-1925 in years gone by

http://asktom.oracle.com/pls/ask/search?p_string=ora-01925


show parameter max_enabled_roles


adjust that init.ora setting higher...

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Marcus Mönnig, March 17, 2009 - 10:35 am UTC

Hi Tom,

148 already is the maximum value for this parameter. (I have to admit that I don't understand why this limit exists at all.)

Marcus
Tom Kyte
March 17, 2009 - 11:04 am UTC

then you shall have to make some of them non-default and enable them as necessary.


and actually in answer to:

... As a result I look through the list of roles we have and I drop the ones that are not being used anymore. Is there a better way of managing the roles? ....

I cannot think of anything better than having a test environment that accurately reflects real life - so yes, cleaning up would be mandatory - even if you didn't hit this limit.

Marcus Mönnig, March 17, 2009 - 10:44 am UTC

Following up to my own post, here's a link to the docs:

http://download.oracle.com/docs/cd/B28359_01/server.111/b28320/initparams130.htm#REFRN10104

Another thing I do not understand is why the parameter is
said to be deprecated in the docs when it actually still
triggers an error on login. Can we set it to zero to remove
the limit?

Marcus

Tom Kyte
March 17, 2009 - 11:06 am UTC

It is deprecated because they are currently maxing it out (just like maxtrans is deprecated - but still "exists", it is 255 no matter what you set it to)
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.