CREATE DATABASE ROLE¶
Create a new database role or replace an existing database role in the system.
创建数据库角色后,您可以为该数据库角色授予对象权限,然后将该数据库角色授予其他数据库角色或账户角色,以启用系统对象的访问控制安全性。
该命令支持以下变体:
- CREATE OR ALTER DATABASE ROLE: Creates a new database role if it doesn’t exist or alters an existing database role.
语法
变体语法
CREATE OR ALTER DATABASE ROLE¶
Creates a new database role if it doesn’t already exist, or transforms an existing database role into the role defined in the statement. A CREATE OR ALTER DATABASE ROLE statement follows the syntax rules of a CREATE DATABASE ROLE statement and has the same limitations as an ALTER DATABASE ROLE statement.
For more information, see CREATE OR ALTER DATABASE ROLE 使用说明.
必填参数
name指定数据库角色的标识符(即名称);对于创建角色的数据库来说必须是唯一的。
The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g.
"My object"). Identifiers enclosed in double quotes are also case-sensitive.If the identifier is not fully qualified in the form of
db_name.database_role_name, the command creates the database role in the current database for the session.For more details, see Identifier requirements.
可选参数
COMMENT = 'string_literal'指定数据库角色的注释。
默认:无值
访问控制要求
A role used to execute this operation must have the following privileges at a minimum:
| Privilege | Object | Notes |
|---|---|---|
| CREATE DATABASE ROLE | Database | A role with the OWNERSHIP privilege on the database can grant the CREATE DATABASE ROLE privilege to another account role. |
| OWNERSHIP | Database role | Required to execute a CREATE OR ALTER DATABASE ROLE statement for an existing database role. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the [GRANT OWNERSHIP](/sql-reference/sql/grant-ownership) command to a different role by the owning role (or any role with the MANAGE GRANTS privilege). |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
一般使用说明
- You can create database roles in a catalog-linked database.
- When you create a database role, the USAGE privilege on the database that contains the database role is granted to the database role automatically.
Caution
Avoid recreating a database role (using the OR REPLACE keywords). Behind the scenes, recreating an object (using CREATE OR REPLACE <object>) first drops and then creates the object. Recreating a database role drops the database role from any shares that it is granted to. You must grant the database role to these shares again.
如果必须重新创建数据库角色,请通知包含该数据库角色的共享的任何数据使用者。他们必须再次向自己的账户角色授予数据库角色。
关于元数据:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR ALTER DATABASE ROLE 使用说明¶
- All limitations of the ALTER DATABASE ROLE command apply.
- Setting or unsetting a tag is not supported; however, existing tags are not altered by a CREATE OR ALTER DATABASE ROLE statement and remain unchanged.
示例
Create database role dr1 in database d1:
在与目录关联的数据库中创建数据库角色: