GRANT CHANGE PASSWORD Statement

Allows users to manage passwords for other users and administer the CHANGE PASSWORD system privilege.

Syntax
GRANT CHANGE PASSWORD ( <target_user_list> | ANY | ANY WITH ROLES <target_role_list> )
   TO <userID [,...]> 
   [ WITH ADMIN [ONLY] OPTION | WITH NO ADMIN OPTION]
Parameters

  • target_user_list: users the grantee has the potential to impersonate. The list must consist of existing users or user-extended roles with login passwords. Separate the userIDs in the list with commas.
  • ANY: all database users with login passwords become potential target users whose passwords each grantee can manage.
  • ANY WITH ROLES <target_role_list>: list of target roles for each grantee. Any users who are granted any of the target roles become potential target users for each grantee. The <target_role_list> must consist of existing roles, and the users who are granted those roles must be database users with login passwords. Use commas to separate multiple userIDs.
  • userID: must be the name of an existing user or role that has a login password. Separate multiple userIDs with commas.
  • WITH ADMIN OPTION (valid with the ANY clause only): the user can both manage passwords and grant the CHANGE PASSWORD system privilege to another user.
  • WITH ADMIN ONLY OPTION (valid with the ANY clause only): the user can grant the CHANGE PASSWORD system privilege to another user, but cannot manage passwords of other users.
  • WITH NO ADMIN OPTION: the user can manage passwords, but cannot grant the CHANGE PASSWORD system privilege to another user.
Examples

  • Example 1 grants Sally and Laurel the ability to manage the passwords of Bob, Sam, and Peter:
    GRANT CHANGE PASSWORD (Bob, Sam, Peter) TO (Sally, Laurel)
  • Example 2 grants Mary the right to grant the CHANGE PASSWORD system privilege to any user in the database. However, since the system privilege is granted with the WITH ADMIN ONLY OPTION clause, Mary cannot manage the password of any other user.
    GRANT CHANGE PASSWORD (ANY) TO Mary WITH ADMIN ONLY OPTION
  • Example 3 grants Steve and Joe the ability to manage the password of any member of Role1 or Role2:
    GRANT CHANGE PASSWORD (ANY WITH ROLES Role1, Role2) TO Steve, Joe
Usage

A user can be granted the ability to manage the password of any user in the database (ANY), of specific users only (<target_user_list>), or of members of specific roles (ANY WITH ROLES <target_role_list>). Administrative rights to the CHANGE PASSWORD system privilege can only be granted when using the ANY clause.

If no clause is specified, ANY is used by default. If no administrative clause is specified in the grant statement, the WITH NO ADMIN OPTION clause is used.

By default, the CHANGE PASSWORD system privilege is granted to the SYS_AUTH_SA_ROLE compatibility role with the WITH NO ADMIN OPTION clause and to the SYS_AUTH_SSO_ROLE compatibility role with the WITH ADMIN ONLY OPTION clause, if they exist.
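
The defaults and the ANY-only restriction on administrative rights described in this section can be checked mechanically when reviewing a grant script. The Python below is an added example, not part of the product documentation or the vendor's code; the function name review_grant, the result fields, and the "review" finding for unrestricted ANY grants are assumptions made for illustration.

```python
import re

# Shape taken from the page's Syntax section; case-insensitive, optional trailing ';'.
GRANT_RE = re.compile(
    r"^\s*GRANT\s+CHANGE\s+PASSWORD\s*(?:\(\s*(?P<target>.*?)\s*\))?\s*"
    r"TO\s+(?P<grantees>.+?)\s*"
    r"(?P<admin>WITH\s+(?:NO\s+ADMIN|ADMIN\s+ONLY|ADMIN)\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)

def _names(text):
    # Split a comma-separated identifier list, tolerating enclosing parentheses.
    return [n.strip() for n in text.strip("() \t\n").split(",") if n.strip()]

def review_grant(statement):
    """Resolve defaults and flag rule violations for one GRANT CHANGE PASSWORD."""
    m = GRANT_RE.match(statement)
    if not m:
        raise ValueError("not a GRANT CHANGE PASSWORD statement")
    target = (m.group("target") or "ANY").strip()  # no target clause -> ANY
    # No administrative clause -> WITH NO ADMIN OPTION
    admin = " ".join((m.group("admin") or "WITH NO ADMIN OPTION").upper().split())
    roles = re.match(r"ANY\s+WITH\s+ROLES\s+(.+)$", target, re.IGNORECASE | re.DOTALL)
    if target.upper() == "ANY":
        scope, targets = "ANY", []
    elif roles:
        scope, targets = "ROLES", _names(roles.group(1))
    else:
        scope, targets = "USERS", _names(target)
    result = {
        "grantees": _names(m.group("grantees")),
        "scope": scope,
        "targets": targets,
        "can_manage": admin != "WITH ADMIN ONLY OPTION",
        "can_grant": admin in ("WITH ADMIN OPTION", "WITH ADMIN ONLY OPTION"),
        "findings": [],
    }
    if result["can_grant"] and scope != "ANY":
        result["findings"].append("invalid: admin options are valid with the ANY clause only")
    if scope == "ANY" and result["can_manage"]:
        # Reviewer policy assumed for this example, not a rule stated on the page.
        result["findings"].append("review: grantee can manage every login password")
    return result
```

Run over Example 2 above, the function reports that Mary can grant the privilege but cannot manage passwords, with no findings; a statement with no target clause resolves to ANY and is flagged for review.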

Standards

ANSI SQL–Compliance level: Transact-SQL extension.

Permissions

  • The CHANGE PASSWORD system privilege granted with administrative rights.
  • Each target user specified (target_user_list) is an existing user or user-extended role with a login password.
  • Each target role specified (target_role_list) must be an existing user-extended or user-defined role.