3.8.1 Specification format and rules for the CREATE ROLE statement
The CREATE ROLE statement defines a role.
(1) Specification format
CREATE-ROLE-statement ::= CREATE ROLE role-name [MAPPING WITH KEYCLOAK]
(2) Explanation of specification format
● role-name
Specifies the authorization identifier (role name) of the role to be defined.
An authorization identifier that is already in use cannot be specified (it cannot overlap with an HADB user's authorization identifier either).
For rules on specifying role names, see 6.1.4 Specifying names.
● MAPPING WITH KEYCLOAK
Specify this option when defining a role dedicated to the automatic role-mapping function.
To use the automatic role-mapping function, the user authentication method must be Keycloak authentication, and a client role with the same name as the role defined here must be defined on the Keycloak server. For details about the automatic role-mapping function, see Automatic role-mapping function in the HADB Setup and Operation Guide.
Important
The role usage privilege for a role defined with this option (a role dedicated to the automatic role-mapping function) cannot be granted by an HADB user to other HADB users by executing the GRANT statement.
(3) Privileges required at execution
To execute the CREATE ROLE statement, the CONNECT privilege and DBA privilege are required.
(4) Rules
The HADB user who executes the CREATE ROLE statement is granted the role usage privilege of the defined role.
(5) Examples
Example 1
Define a role (ROLE01).
CREATE ROLE "ROLE01"
Example 2
Define a role (ROLE02) dedicated to the automatic role-mapping function.
CREATE ROLE "ROLE02" MAPPING WITH KEYCLOAK