CREATE ROLE [IF NOT EXISTS] role [, role ] ...
CREATE ROLE creates one or more roles, which are named collections of privileges. To use this statement, you must have the global CREATE ROLE or CREATE USER privilege. When the read_only system variable is enabled, CREATE ROLE additionally requires the CONNECTION_ADMIN privilege (or the deprecated SUPER privilege).
A role when created is locked, has no password, and is assigned the default authentication plugin. (These role attributes can be changed later with the ALTER USER statement, by users who have the global CREATE USER privilege.)
CREATE ROLE either succeeds for all named roles or rolls back and has no effect if any error occurs. By default, an error occurs if you try to create a role that already exists. If the IF NOT EXISTS clause is given, the statement produces a warning for each named role that already exists, rather than an error.
The statement is written to the binary log if it succeeds, but not if it fails; in that case, rollback occurs and no changes are made. A statement written to the binary log includes all named roles. If the IF NOT EXISTS clause is given, this includes even roles that already exist and were not created.
Each role name uses the format described in Section 8.2.5, “Specifying Role Names”. For example:
CREATE ROLE 'admin', 'developer';
CREATE ROLE 'webapp'@'localhost';
The host name part of the role name, if omitted, defaults to '%'.
For role usage examples, see Section 8.2.10, “Using Roles”.
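The following is an added example, not part of the reference manual, showing idempotent role creation with IF NOT EXISTS and a query that verifies the attributes described above (locked, no password, default plugin) by reading the role's row in mysql.user. It assumes a MySQL 8.0 server, a session holding the CREATE ROLE privilege, and the constructed role names app_read and app_write.

```sql
-- Added example (not from the MySQL manual). Assumes MySQL 8.0 and a session
-- with the global CREATE ROLE privilege; role names are constructed for this demo.

-- Create two roles atomically. With IF NOT EXISTS, re-running this statement
-- does not fail: each role that already exists produces a warning instead.
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write'@'localhost';
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write'@'localhost';
SHOW WARNINGS;

-- A role is stored as an account row in mysql.user. Check the security-relevant
-- attributes a freshly created role is documented to have: the account is
-- locked, the credential column is empty, and the plugin is the server default.
-- The host part of 'app_read' was omitted, so it was stored as '%'.
SELECT User, Host, account_locked, plugin, authentication_string
FROM mysql.user
WHERE (User, Host) IN (('app_read', '%'), ('app_write', 'localhost'));

-- Roles are named collections of privileges: attach privileges to the role
-- itself (constructed schema name appdb) rather than to individual accounts.
GRANT SELECT ON appdb.* TO 'app_read';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_write'@'localhost';
SHOW GRANTS FOR 'app_read';
```

Because the role rows are locked, they cannot be used to log in directly; only accounts that are later granted the role obtain its privileges.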