The CREATE USER statement (see Syntax of the CREATE USER statement) creates a new user in the Server. There are two types of users:
“Administrator” users (created by adding the ADMIN parameter to this statement). These users can perform any action over any database. You cannot restrict the privileges of an administrator user.
Only administrator users can create administrator users.
“Normal” users. After creating them you have to grant them privileges so they can perform operations over the elements of the Server databases.
There are two authentication methods for Virtual DataPort users:
“Normal”: the credentials of the user are stored in Virtual DataPort.
“LDAP” (indicated with the LDAP parameter): when the user tries to connect to the Server, the Server connects to an LDAP server to check that the password provided by the user is correct.
To use this authentication method, you have to create an LDAP data source that will be used to connect to the LDAP server, in order to check that the passwords provided by users are correct.
LDAP has two parameters:
DATASOURCE. The syntax is <databaseName>.<dataSourceName>, where <databaseName> is the Virtual DataPort database where the LDAP data source is stored and <dataSourceName> is the name of the data source.
USERNAME. It is the name of the user in the LDAP server. For example, the value testuser in an organizational unit People for the domain
CREATE [ OR REPLACE ] USER [ ADMIN ] <name:identifier>
    <authentication>
    [ <description:literal> ]
    [ <grant> ]*

<authentication> ::=
      <password:literal> SHA512
    | LDAP ( DATASOURCE <databaseName:identifier>.<dataSourceName:identifier>
             USERNAME <name:literal> )

<grant> ::= (see Syntax of the clauses GRANT/REVOKE of CREATE USER and ALTER USER)
The section Modifying the Privileges of a User explains how to modify the privileges of existing users.
SHA512 indicates that the password will be stored as a SHA512 hash.
The LDAP authentication of users is different from databases with LDAP authentication.
When the authentication type of a user is LDAP, the LDAP server is only used to check that the password provided by the user is correct. However, the privileges of this user are still managed from
In a database with LDAP authentication, the privileges of the users are also obtained from the LDAP server.
We do not recommend creating users with LDAP authentication. Instead, create databases with LDAP authentication, which will simplify the management of users and their privileges. See more about this type of databases in the section Creating a Database with LDAP Authentication of the Administration Guide.
If an LDAP data source is deleted on cascade (see section Removing Elements from the Catalog), the users that depend on it will also be deleted. This operation can only be executed by an administrator user.
Creating a user with some privileges over the database “customer”:
-- Encrypt the password that you want the new user to have
ENCRYPT_PASSWORD 'new password of the user';

-- Create the user
CREATE OR REPLACE USER new_user '<result of the command ENCRYPT_PASSWORD>' ENCRYPTED TRANSFER
    GRANT CONNECT, METADATA, EXECUTE, WRITE ON customer;
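
The following Python sketch is an added example, not part of the original guide or of Virtual DataPort: it parses CREATE USER statements written in the grammar above and flags administrator users, users that depend on an LDAP data source, and non-administrator users created without a GRANT clause. The statements, user names, data source name and DN in SAMPLE are constructed, and the parser assumes unquoted identifiers and literals without embedded quotes or semicolons.

```python
import re

# Regex for the CREATE USER grammar shown on this page. Simplifications
# (assumptions): unquoted identifiers, no "'" or ";" inside literals.
CREATE_USER = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?USER\s+(?P<admin>ADMIN\s+)?(?P<name>\w+)\s+"
    r"(?:LDAP\s*\(\s*DATASOURCE\s+(?P<db>\w+)\.(?P<ds>\w+)\s+"
    r"USERNAME\s+'(?P<ldap_user>[^']*)'\s*\)"
    r"|'(?P<password>[^']*)')"
    r"(?P<rest>[^;]*)",
    re.IGNORECASE,
)

def audit_users(vql):
    """Return one finding per CREATE USER statement in a VQL script."""
    script = re.sub(r"(?m)^\s*--.*$", "", vql)  # drop whole-line comments
    findings = []
    for m in CREATE_USER.finditer(script):
        notes = []
        admin = bool(m.group("admin"))
        if admin:
            notes.append("administrator: privileges cannot be restricted")
        if m.group("ds"):
            notes.append("depends on LDAP data source %s.%s (cascade delete removes user)"
                         % (m.group("db"), m.group("ds")))
        # Ignore literals (e.g. the description) when looking for a GRANT clause.
        rest = re.sub(r"'[^']*'", "", m.group("rest"))
        if not admin and not re.search(r"\bGRANT\b", rest, re.IGNORECASE):
            notes.append("no GRANT clause: no privileges until granted")
        findings.append({"user": m.group("name"),
                         "auth": "LDAP" if m.group("ds") else "normal",
                         "notes": notes})
    return findings

# Constructed sample script; names, passwords and the DN are placeholders.
SAMPLE = """
-- Constructed statements for the audit
CREATE OR REPLACE USER new_user '<result of the command ENCRYPT_PASSWORD>' ENCRYPTED TRANSFER
    GRANT CONNECT, METADATA, EXECUTE, WRITE ON customer;
CREATE USER ADMIN ops_admin 'placeholder' SHA512 'operations administrator';
CREATE USER ldap_user LDAP ( DATASOURCE ldap_db.ldap_ds
    USERNAME 'CN=ldap_user,OU=People,DC=example,DC=com' );
CREATE USER reporting 'placeholder' SHA512;
"""

if __name__ == "__main__":
    for finding in audit_users(SAMPLE):
        print(finding["user"], finding["auth"], "; ".join(finding["notes"]) or "ok")
```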