The CREATE ROLE statement defines a role.
Syntax
<create_role_statement> ::= CREATE ROLE <role_name> [IDENTIFIED BY <password>]
role_name, password
Explanation
A role combines a set of privileges that can be assigned to users, usergroups, or other roles by specifying the role name in the GRANT statement. The role is empty initially after the CREATE ROLE statement has been executed. Privileges must be assigned to the role using the GRANT statement.
The existence and the properties of the role are recorded in the catalog in the form of metadata. The current user is the owner of the role.
The current user must be a DBA.
The role name must not be the same as the name of an existing role, user, or usergroup.
Roles can be assigned to a user or usergroup by executing the ALTER USER statement or ALTER USERGROUP statement. These roles are then activated when a session is opened. Alternatively, roles can be activated within a session by means of the SET statement. If a role is activated in a session, the current user of the session has all the privileges assigned to the role.
Note that roles are not active while data definition commands are being executed.
If a password is defined for the role, users who are assigned the role can only activate it by specifying the password in the SET statement.
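The lifecycle described above, from empty role to activation in a session, as an added example that is not part of the original reference page. The table, user and role names and the password are hypothetical; the GRANT, ALTER USER ... DEFAULT ROLE and SET ROLE clause forms are not shown on this page and are assumed from the respective statement references.

```sql
-- Constructed example: hr.employee, hr.salary, user anna and both role
-- names are hypothetical. Statements are shown one per line; add the
-- terminator your SQL client expects.
-- Executed by a DBA user, as required for CREATE ROLE.

-- 1. Create two roles. Both are empty at this point.
--    payroll_admin is password-protected.
CREATE ROLE hr_read
CREATE ROLE payroll_admin IDENTIFIED BY rolepw1   -- placeholder password

-- 2. Fill the roles with privileges using GRANT.
GRANT SELECT ON hr.employee TO hr_read
GRANT SELECT, UPDATE ON hr.salary TO payroll_admin

-- 3. Assign the roles to an existing user by naming the role in GRANT.
GRANT hr_read TO anna
GRANT payroll_admin TO anna

-- 4. Make hr_read active whenever anna opens a session.
--    (DEFAULT ROLE clause assumed from the ALTER USER reference.)
ALTER USER anna DEFAULT ROLE hr_read

-- 5. Later, inside anna's session: the password-protected role is only
--    activated when the password is supplied in the SET statement.
--    (SET ROLE clause assumed from the SET statement reference.)
SET ROLE payroll_admin IDENTIFIED BY rolepw1

-- While the role is active, anna holds its privileges:
UPDATE hr.salary SET amount = amount WHERE emp_id = 1

-- Roles are not active while data definition commands execute, so
-- DDL issued by anna cannot rely on privileges held only through a role.
```

Keeping the high-privilege role out of DEFAULT ROLE and behind a password means a session opened with anna's credentials alone starts with read access only.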