2020-07-14 21:02:41 +00:00
---
toc_priority: 45
toc_title: USER
---
# ALTER USER {#alter-user-statement}
Changes ClickHouse user accounts.
Syntax:
``` sql
2021-07-29 15:20:55 +00:00
ALTER USER [IF EXISTS] name1 [ON CLUSTER cluster_name1] [RENAME TO new_name1]
2021-01-23 13:14:01 +00:00
[, name2 [ON CLUSTER cluster_name2] [RENAME TO new_name2] ...]
2021-03-11 20:41:10 +00:00
[NOT IDENTIFIED | IDENTIFIED {[WITH {no_password | plaintext_password | sha256_password | sha256_hash | double_sha1_password | double_sha1_hash}] BY {'password' | 'hash'}} | {WITH ldap SERVER 'server_name'} | {WITH kerberos [REALM 'realm']}]
[[ADD | DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
2020-07-14 21:02:41 +00:00
[DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]
2021-05-13 20:05:11 +00:00
[GRANTEES {user | role | ANY | NONE} [,...] [EXCEPT {user | role} [,...]]]
2021-03-11 20:41:10 +00:00
[SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY | WRITABLE] | PROFILE 'profile_name'] [,...]
2020-07-14 21:02:41 +00:00
```
To use `ALTER USER` you must have the [ALTER USER ](../../../sql-reference/statements/grant.md#grant-access-management ) privilege.
2021-05-09 15:48:56 +00:00
## GRANTEES Clause {#grantees}
2021-05-07 20:49:15 +00:00
2021-05-13 21:46:57 +00:00
Specifies users or roles which are allowed to receive [privileges ](../../../sql-reference/statements/grant.md#grant-privileges ) from this user on the condition this user has also all required access granted with [GRANT OPTION ](../../../sql-reference/statements/grant.md#grant-privigele-syntax ). Options of the `GRANTEES` clause:
2021-05-07 20:49:15 +00:00
2021-05-13 20:05:11 +00:00
- `user` — Specifies a user this user can grant privileges to.
- `role` — Specifies a role this user can grant privileges to.
- `ANY` — This user can grant privileges to anyone. It's the default setting.
- `NONE` — This user can grant privileges to none.
2021-05-07 20:49:15 +00:00
2021-05-13 21:46:57 +00:00
You can exclude any user or role by using the `EXCEPT` expression. For example, `ALTER USER user1 GRANTEES ANY EXCEPT user2` . It means if `user1` has some privileges granted with `GRANT OPTION` it will be able to grant those privileges to anyone except `user2` .
2021-05-07 20:49:15 +00:00
2020-07-14 21:02:41 +00:00
## Examples {#alter-user-examples}
Set assigned roles as default:
``` sql
ALTER USER user DEFAULT ROLE role1, role2
```
If roles aren’ t previously assigned to a user, ClickHouse throws an exception.
Set all the assigned roles to default:
``` sql
ALTER USER user DEFAULT ROLE ALL
```
If a role is assigned to a user in the future, it will become default automatically.
Set all the assigned roles to default, excepting `role1` and `role2` :
``` sql
ALTER USER user DEFAULT ROLE ALL EXCEPT role1, role2
```
2021-05-07 20:49:15 +00:00
2021-05-09 15:50:03 +00:00
Allows the user with `john` account to grant his privileges to the user with `jack` account:
2021-05-07 20:49:15 +00:00
``` sql
ALTER USER john GRANTEES jack;
```