Create a role
To start the role creation process, determine the name
of the role and the connections and privileges that you want to grant
to users who hold that role. Although the connections and privileges
are strictly in your domain, you must consider some factors when you
declare the name of a new role. For the name of a user-defined role,
do not use any of the following SQL keywords, access privileges, or
built-in roles:
- ALTER
- C
- CONNECT
- DBA
- DBSECADM
- DEFAULT
- DELETE
- EXECUTE
- EXTEND
- INDEX
- INSERT
- NONE
- NULL
- PUBLIC
- REFERENCES
- RESOURCE
- SELECT
- SETSESSIONAUTH
- SPL
- UPDATE
Because role names are authorization identifiers, rather than SQL identifiers, the maximum length of a role name is 32 bytes.
A role name must
be different from existing role names in the same database. A role
name must also be different from user names that are known to the
operating system, including network users known to the server computer.
To make sure that your new role name is unique, check the names of
the users in the shared memory structure who are currently using the
database, and in the following system catalog tables:
- sysusers
- systabauth
- syscolauth
- sysfragauth
- sysprocauth
- sysroleauth
- syssecpolicyexemptions
- sysxtdtypeauth
When the situation is reversed and you are adding a user to the database, check that the user name is not the same as any of the existing role names.
After you approve the role name, use
the CREATE ROLE statement to create a new role. After the role is
created, all privileges for role administration are, by default, given
to the DBA.
Important: The scope of a role is the current
database only. When you execute the SET ROLE statement, the specified
role takes effect in the current database only. As a security precaution,
a user who holds access privileges only through a role cannot access
tables in a remote database through a view, trigger, or procedure.