Hitachi

Hitachi Advanced Database SQL Reference


3.11.1 Specification format and rules for the CREATE USER statement

The CREATE USER statement creates an HADB user.

Because no privileges are granted to the HADB user that is created, the GRANT statement must be used to grant the required privileges to the HADB user.

(1) Specification format

(2) Explanation of specification format

authorization-identifier

Specifies the authorization identifier of the HADB user to be created.

When using PAM authentication, the authorization identifier of the HADB user should be the same as the external user name (e.g., OS user name).

When using Keycloak authentication, the authorization identifier of the HADB user should be the same as the external user name (e.g., OS user name registered on the Keycloak server).

The rules for specifying an authorization identifier are as follows:

  • For details about the characters that can be used in the authorization identifier, see (2) Rules for characters that can be used in names in 6.1.4 Specifying names.

  • If you want to use lowercase letters in the authorization identifier, enclose the authorization identifier in double quotation marks (").

    Example: CREATE USER "ADBuser01" ...

    When not enclosed in double quotation marks, lowercase letters are treated as uppercase. For example, ADBuser01 is treated as ADBUSER01.

  • Because an authorization identifier is specified as a name, we recommend that you enclose it in double quotation marks (").

  • You cannot specify ALL, HADB, MASTER, or PUBLIC as an authorization identifier.

  • The authorization identifier cannot exceed 100 characters (100 bytes).

For details about the rules for specifying an authorization identifier, see 6.1.4 Specifying names.

IDENTIFIED BY password

Specify a password for the HADB user that is to be created.

Note

The user authentication method for HADB users created with this option is database authentication. For details about database authentication, see Database authentication in the HADB Setup and Operation Guide.

The rules for specifying a password are as follows:

  • The password can include single-byte uppercase and lowercase letters, numbers, backslashes (\), as well as the following characters:

    @ ` ! " # $ % & ' ( ) * : + ; [ ] { } , = < > | - . ^ ~ / ? _

  • Specify the password in the form of a character string literal. Therefore, you must enclose the password in single quotation marks. The following are examples:

    Example 1: Specify Password01 as the password

    IDENTIFIED BY 'Password01'

    Example 2: Specify Pass'01 as the password

    IDENTIFIED BY 'Pass''01'

    If the password itself includes a single quotation mark ('), specify two single quotation marks to represent a single quotation mark (''), as shown in the example above.

    For rules on specifying a character string literal, see Table 6‒12: Description formats and assumed data types of literals.

  • The password cannot be empty. That is, the following is not permitted:

    IDENTIFIED BY ''

  • The password cannot exceed 255 characters (255 bytes).

Note

  • If you are using the JDBC driver, we recommend that you not use the following character in the password:

    &

  • If you are using the ODBC driver, we recommend that you not use the following characters in the password:

    [ ] { } ( ) , ; ? * = ! @

IDENTIFIED WITH PAM

Specify this when you want to use PAM authentication for the user authentication method for the HADB user you are creating. For details about PAM authentication, see PAM authentication in the HADB Setup and Operation Guide.

IDENTIFIED WITH KEYCLOAK

Specify this when you want to use Keycloak authentication for the user authentication method for the HADB user you are creating. For details about Keycloak authentication, see Keycloak authentication in the HADB Setup and Operation Guide.

(3) Privileges required at execution

To execute the CREATE USER statement, the DBA privilege and the CONNECT privilege are required.

(4) Rules

A maximum of 30,000 HADB users can be created.

(5) Examples

Example 1

Create an HADB user that uses database authentication. The authorization identifier and password are as follows.

  • Authorization identifier: ADBUSER01

  • Password: #HelloHADB_01

CREATE USER "ADBUSER01" IDENTIFIED BY '#HelloHADB_01'

Example 2

Create an HADB user using PAM authentication. The authorization identifier is OSUSER01, the same as the external user name (e.g., OS user name).

CREATE USER "OSUSER01" IDENTIFIED WITH PAM

Example 3

Create an HADB user using Keycloak authentication. The authorization identifier is KEYUSER01, the same as the external user name (e.g., OS user name registered on the Keycloak server).

CREATE USER "KEYUSER01" IDENTIFIED WITH KEYCLOAK
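
When CREATE USER statements are generated by a provisioning script, the identifier and password rules in (2) can be checked before the statement text is built. The following helper is an added example, not part of the HADB manual; the function names, the UTF-8 byte count, the case-insensitive reserved-name check, and the rejection of an embedded double quotation mark are assumptions of this example.

```python
import string

# Character set, reserved names and limits are the ones listed in (2) on this page.
PASSWORD_CHARS = set(string.ascii_letters + string.digits + "\\"
                     + "@`!\"#$%&'()*:+;[]{},=<>|-.^~/?_")
RESERVED_IDS = {"ALL", "HADB", "MASTER", "PUBLIC"}
DRIVER_DISCOURAGED = {"JDBC": set("&"), "ODBC": set("[]{}(),;?*=!@")}


def check_identifier(ident):
    """Return the identifier enclosed in double quotation marks."""
    # Assumption: bytes are counted in UTF-8.
    if not ident or len(ident.encode("utf-8")) > 100:
        raise ValueError("authorization identifier must not exceed 100 bytes")
    # Assumption: compare case-insensitively (the conservative reading).
    if ident.upper() in RESERVED_IDS:
        raise ValueError("ALL, HADB, MASTER and PUBLIC cannot be specified")
    # Assumption: reject an embedded double quotation mark instead of guessing
    # how it is escaped; the character rules are in 6.1.4, not on this page.
    if '"' in ident:
        raise ValueError("double quotation mark not accepted by this helper")
    return '"' + ident + '"'


def check_password(password):
    """Return the password as a character string literal ('' for each ')."""
    if not password:
        raise ValueError("the password cannot be empty")
    bad = sorted(set(password) - PASSWORD_CHARS)
    if bad:
        raise ValueError("characters not permitted in a password: %r" % bad)
    if len(password) > 255:  # every permitted character is one byte
        raise ValueError("the password cannot exceed 255 bytes")
    return "'" + password.replace("'", "''") + "'"


def driver_warnings(password):
    """Names of drivers for which the page advises against a character used."""
    return sorted(d for d, chars in DRIVER_DISCOURAGED.items() if chars & set(password))


def create_user_sql(ident, password=None, external=None):
    """Build the statement; external is 'PAM' or 'KEYCLOAK' for those methods."""
    if (password is None) == (external is None):
        raise ValueError("give exactly one of password or external")
    if external is not None:
        if external not in ("PAM", "KEYCLOAK"):
            raise ValueError("external must be PAM or KEYCLOAK")
        return "CREATE USER %s IDENTIFIED WITH %s" % (check_identifier(ident), external)
    return "CREATE USER %s IDENTIFIED BY %s" % (check_identifier(ident), check_password(password))
```

Because the password is written into the statement as a literal, the generated text should be kept out of logs and shell history.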