Managing User Roles¶
A role is a set of access rights that you can grant to users in the same way you assign them specific privileges.
The section Roles of the Administration Guide explains what roles are with more detail.
The syntax of the commands to create a new role is the following:
CREATE [ OR REPLACE ] ROLE <name:identifier>
[ <description:literal> ]
[ <grant> ]*
<grant> ::= (see section Granting Privileges to a User/Role)
ALTER ROLE <name:identifier>
[ <description:literal> ]
[ <grant> ]*
<grant> ::= (see section Granting Privileges to a User/Role)
The access privileges that you can assign to a role and to a user are the same, work in the same way and the syntax of their commands is the same.
In addition, you can assign roles to other roles (this is called “Role inheritance”). For example, if you have the following roles:
A role
vdp_developer
with the privilegesCONNECT
,METADATA
,EXECUTE
,CREATE
andWRITE
over the databaseadmin
.A role
data_catalog_developer
with the privilegesCONNECT
,METADATA
,EXECUTE
,CREATE
andWRITE
over the databasecustomer_360
.
The following statements create these roles and a new role
denodo_developer
that has assigned the roles vdp_developer
and
data_catalog_developer
to it.
CREATE ROLE vdp_developer GRANT CONNECT, CREATE, METADATA, EXECUTE, WRITE ON admin;
CREATE ROLE data_catalog_developer GRANT CONNECT, CREATE, METADATA, EXECUTE, WRITE ON
customer_360;
CREATE ROLE denodo_developer GRANT ROLE vdp_developer,
data_catalog_developer;
The users that have the role denodo_developer
assigned to them will
have the privileges CONNECT
, METADATA
, EXECUTE
, CREATE
and WRITE
over
the databases admin
and customer_360
.
Note
As explained in the section Roles of the Administration Guide, the “effective permissions” of this user will be the union of the privileges of both roles.