The current user of a trusted connection can acquire additional privileges by automatically inheriting a role through the trusted context, provided the security administrator specified that role in the relevant trusted context definition.

By default, a role can be inherited by all users of the trusted connection. The security administrator can also use the trusted context definition to specify a role for specific users to inherit.

When the user on a trusted connection is switched to a new authorization ID and a trusted context user-specific role exists for this new authorization ID, the user-specific role overrides the trusted context default role, if one exists, as demonstrated in the following example.

    CREATE TRUSTED CONTEXT CTX1
      BASED UPON CONNECTION USING SYSTEM AUTHID USER1
      ATTRIBUTES (ADDRESS '192.0.2.1')
      WITH USE FOR USER2 WITH AUTHENTICATION,
                   USER3 WITHOUT AUTHENTICATION
      DEFAULT ROLE AUDITOR
      ENABLE

When USER1 establishes a trusted connection, the privileges granted to the role AUDITOR are inherited by this authorization ID. Similarly, these same privileges are also inherited by USER3 when the current authorization ID on the trusted connection is switched to that user ID. (If the user ID of the connection is switched to USER2 at some point, then USER2 would also inherit the trusted context default role, AUDITOR.)

The security administrator may choose to have USER3 inherit a different role than the trusted context default role. This is done by assigning a specific role to this user as follows:

    CREATE TRUSTED CONTEXT CTX1
      BASED UPON CONNECTION USING SYSTEM AUTHID USER1
      ATTRIBUTES (ADDRESS '192.0.2.1')
      WITH USE FOR USER2 WITH AUTHENTICATION,
                   USER3 WITHOUT AUTHENTICATION ROLE OTHER_ROLE
      DEFAULT ROLE AUDITOR
      ENABLE

When the current user ID on the trusted connection is switched to USER3, this user no longer inherits the trusted context default role. Instead, USER3 inherits the specific role, OTHER_ROLE, assigned by the security administrator.
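
To review which role each authorization ID would inherit under the override rule described above, the following audit query is an added example, not part of the original documentation. It assumes the Db2 for Linux, UNIX and Windows catalog views SYSCAT.CONTEXTS and SYSCAT.SURROGATEAUTHIDS; the output column aliases (AUTHID, HOW_USED, INHERITED_ROLE, ROLE_SOURCE) are chosen for this example.

```sql
-- Added example: effective role per authorization ID for every trusted context.
-- Assumption: Db2 for LUW catalog views SYSCAT.CONTEXTS / SYSCAT.SURROGATEAUTHIDS.

-- Branch 1: the system authorization ID that establishes the trusted
-- connection inherits the context's default role, if one is defined.
SELECT c.CONTEXTNAME,
       c.ENABLED,
       c.SYSTEMAUTHID                     AS AUTHID,
       'SYSTEM AUTHID'                    AS HOW_USED,
       CAST(NULL AS CHAR(1))              AS AUTHENTICATE,
       c.DEFAULTCONTEXTROLE               AS INHERITED_ROLE,
       CASE WHEN c.DEFAULTCONTEXTROLE IS NOT NULL
            THEN 'DEFAULT' ELSE 'NONE' END AS ROLE_SOURCE
FROM   SYSCAT.CONTEXTS c

UNION ALL

-- Branch 2: IDs named in WITH USE FOR. A user-specific role (CONTEXTROLE)
-- overrides the default role; otherwise the default role applies.
SELECT c.CONTEXTNAME,
       c.ENABLED,
       s.SURROGATEAUTHID,
       'WITH USE FOR',
       s.AUTHENTICATE,                    -- 'N' = switch needs no credentials
       COALESCE(s.CONTEXTROLE, c.DEFAULTCONTEXTROLE),
       CASE WHEN s.CONTEXTROLE IS NOT NULL        THEN 'USER-SPECIFIC'
            WHEN c.DEFAULTCONTEXTROLE IS NOT NULL THEN 'DEFAULT'
            ELSE 'NONE' END
FROM   SYSCAT.CONTEXTS c
JOIN   SYSCAT.SURROGATEAUTHIDS s
       ON  s.TRUSTEDID     = c.CONTEXTNAME
       AND s.TRUSTEDIDTYPE = 'C'          -- 'C' = trusted context

ORDER BY 1, 4, 3;
```

Rows with AUTHENTICATE = 'N' and a non-null INHERITED_ROLE are the ones to review first, because the switch to that ID requires no credentials yet still confers the role's privileges.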