docs/en/sql-reference/10-sql-commands/00-ddl/02-user/04-user-create-role.md
Lines changed: 67 additions & 13 deletions
@@ -6,26 +6,80 @@ import FunctionDescription from '@site/src/components/FunctionDescription';
6
6
7
7
<FunctionDescriptiondescription="Introduced or updated: v1.2.703"/>
8
8
9
-
Creates a new role.
10
-
11
-
After creating roles, you can grant object privileges to the role, enable access control security for objects in the system.
12
-
13
-
See also: [GRANT](10-grant.md)
9
+
Creates a new role for access control. Roles are used to group privileges and can be assigned to users or other roles, providing a flexible way to manage permissions in Databend.
14
10
15
11
## Syntax
16
12
17
13
```sql
18
-
CREATE ROLE [ IF NOTEXISTS] <name> [ COMMENT ='<string_literal>' ]
14
+
CREATE ROLE [ IF NOTEXISTS] <name>
19
15
```
20
16
21
-
- The `<name>` cannot contain the following illegal characters:
22
-
- Single quote (')
23
-
- Double quote (")
24
-
- Backspace (\b)
25
-
- Form feed (\f)
17
+
**Parameters:**
18
+
19
+
-`IF NOT EXISTS`: Create the role only if it doesn't exist (recommended to avoid errors)
20
+
-`<name>`: Role name (cannot contain single quotes, double quotes, backspace, or form feed characters)
26
21
27
22
## Examples
28
23
29
24
```sql
30
-
CREATE ROLE role1;
31
-
```
25
+
-- Create a basic role
26
+
CREATE ROLE analyst;
27
+
28
+
-- Create role only if it doesn't exist (recommended)
29
+
CREATE ROLE IF NOT EXISTS data_viewer;
30
+
```
31
+
32
+
## Common Usage Patterns
33
+
34
+
### Read-Only Analyst Role
35
+
36
+
Create a role for data analysts who need read access to sales data:
37
+
38
+
```sql
39
+
-- Create the analyst role
40
+
CREATE ROLE sales_analyst;
41
+
42
+
-- Grant read permissions
43
+
GRANTSELECTON sales_db.* TO ROLE sales_analyst;
44
+
45
+
-- Assign to users
46
+
GRANT ROLE sales_analyst TO 'alice';
47
+
GRANT ROLE sales_analyst TO 'bob';
48
+
```
49
+
50
+
### Database Administrator Role
51
+
52
+
Create a role for administrators who need full control:
53
+
54
+
```sql
55
+
-- Create the admin role
56
+
CREATE ROLE sales_admin;
57
+
58
+
-- Grant full permissions on the database
59
+
GRANT ALL ON sales_db.* TO ROLE sales_admin;
60
+
61
+
-- Grant user management permissions
62
+
GRANT CREATE USER, CREATE ROLE ON*.* TO ROLE sales_admin;
63
+
64
+
-- Assign to admin users
65
+
GRANT ROLE sales_admin TO 'admin_user';
66
+
```
67
+
68
+
### Verification
69
+
70
+
```sql
71
+
-- Check what each role can do
72
+
SHOW GRANTS FOR ROLE sales_analyst;
73
+
SHOW GRANTS FOR ROLE sales_admin;
74
+
75
+
-- Check user permissions
76
+
SHOW GRANTS FOR 'alice';
77
+
SHOW GRANTS FOR 'admin_user';
78
+
```
79
+
80
+
81
+
## See Also
82
+
83
+
-[GRANT](10-grant.md) - Grant privileges and roles
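Review bot: In the new "Database Administrator Role" example, the `CREATE USER, CREATE ROLE` grant is made on `*.*` rather than on `sales_db`, so a reader who copies the block gives `sales_admin` user and role management that is not scoped to the database the section is about. Suggest dropping that statement from the example, or adding a sentence that it is a global privilege and is better held by a separate, more tightly assigned role than the one that receives `GRANT ALL ON sales_db.*`. In the Syntax block, the `[ COMMENT = '<string_literal>' ]` clause is removed while the `Introduced or updated: v1.2.703` line is unchanged; if the clause is still accepted, keep it in the syntax and add it to the new Parameters list, and if it is not, the change should say so. The `IF NOT EXISTS` bullet is marked "recommended to avoid errors"; it would help to add that when the role already exists the statement does nothing, so the grants that follow in a script are applied to the existing role and whatever it already holds, which `SHOW GRANTS FOR ROLE` from the Verification section can confirm.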