mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-18 05:32:52 +00:00
49 lines
2.1 KiB
Markdown
49 lines
2.1 KiB
Markdown
---
|
||
slug: /en/sql-reference/statements/create/role
|
||
sidebar_position: 40
|
||
sidebar_label: ROLE
|
||
title: "CREATE ROLE"
|
||
---
|
||
|
||
Creates new [roles](../../../guides/sre/user-management/index.md#role-management). Role is a set of [privileges](../../../sql-reference/statements/grant.md#grant-privileges). A [user](../../../sql-reference/statements/create/user.md) assigned a role gets all the privileges of this role.
|
||
|
||
Syntax:
|
||
|
||
``` sql
|
||
CREATE ROLE [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1] [, name2 [ON CLUSTER cluster_name2] ...]
|
||
[IN access_storage_type]
|
||
[SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | PROFILE 'profile_name'] [,...]
|
||
```
|
||
|
||
## Managing Roles
|
||
|
||
A user can be assigned multiple roles. Users can apply their assigned roles in arbitrary combinations by the [SET ROLE](../../../sql-reference/statements/set-role.md) statement. The final scope of privileges is a combined set of all the privileges of all the applied roles. If a user has privileges granted directly to it’s user account, they are also combined with the privileges granted by roles.
|
||
|
||
User can have default roles which apply at user login. To set default roles, use the [SET DEFAULT ROLE](../../../sql-reference/statements/set-role.md#set-default-role-statement) statement or the [ALTER USER](../../../sql-reference/statements/alter/user.md#alter-user-statement) statement.
|
||
|
||
To revoke a role, use the [REVOKE](../../../sql-reference/statements/revoke.md) statement.
|
||
|
||
To delete role, use the [DROP ROLE](../../../sql-reference/statements/drop.md#drop-role-statement) statement. The deleted role is being automatically revoked from all the users and roles to which it was assigned.
|
||
|
||
## Examples
|
||
|
||
``` sql
|
||
CREATE ROLE accountant;
|
||
GRANT SELECT ON db.* TO accountant;
|
||
```
|
||
|
||
This sequence of queries creates the role `accountant` that has the privilege of reading data from the `db` database.
|
||
|
||
Assigning the role to the user `mira`:
|
||
|
||
``` sql
|
||
GRANT accountant TO mira;
|
||
```
|
||
|
||
After the role is assigned, the user can apply it and execute the allowed queries. For example:
|
||
|
||
``` sql
|
||
SET ROLE accountant;
|
||
SELECT * FROM db.*;
|
||
```
|