Could it possibly be to prevent rogue developer from assinging roles in some PL/SQL code they wrote to bypass some of the other builtin security. Say they write a PL/SQL routine to access the finacial tables and make a copy of them in another schema. They don't have the proper permission available through their permissions, so they write one and set the role to one that does. They then give it a clever name and toss it out there in some common spot where everybody stores code snippets and wait for somebody with the proper permissions to run it, then they get all the data they wanted (or whatever else they wanted to do). Another case may be to help alleviate some potential problems between dev code and production code. It may be fine and dandy for somebody to have access to the ALL_FINANCIALS role on development, but you probably don't want to have that accidentally slip over into production. Forcing a full, conscious decision on the DBA of the database instead of relying on the honesty and integrity of every single developer (or those with developer rights) is probably not the safest assumption to make. Just a couple things off the top of my head. I'm dead tired and maybe not thinking clearly either though.... -- -- Bill Ferguson -- //www.freelists.org/webpage/oracle-l