CREATE ROLE¶

创建新角色或替换系统中的现有角色。

创建角色后，您可以为该角色授予对象权限，然后将该角色授予其他角色或单个用户，以启用系统对象的访问控制安全性。

该命令支持以下变体：

CREATE OR ALTER ROLE: Creates a role if it doesn’t exist or alters an existing role.

语法

CREATE [ OR REPLACE ] ROLE [ IF NOT EXISTS ] <name>
  [ COMMENT = '<string_literal>' ]
  [ [ WITH ] TAG ( <tag_name> = '<tag_value>' [ , <tag_name> = '<tag_value>' , ... ] ) ]

变体语法

CREATE OR ALTER ROLE¶

Creates a new role if it doesn’t already exist, or transforms an existing role into the role defined in the statement. A CREATE OR ALTER ROLE statement follows the syntax rules of a CREATE ROLE statement and has the same limitations as an ALTER ROLE statement.

CREATE OR ALTER ROLE <name>
  [ COMMENT = '<string_literal>' ]

For more information, see CREATE OR ALTER ROLE 使用说明.

必填参数

name

角色的标识符；对于您的账户来说，必须是唯一的。

The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier requirements.

可选参数

COMMENT = 'string_literal'

指定角色的注释。

默认：无值

TAG ( tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ] )

Specifies the tag name and the tag string value.

The tag value is always a string, and the maximum number of characters for the tag value is 256.

For information about specifying tags in a statement, see Tag quotas.

访问控制要求

A role used to execute this operation must have the following privileges at a minimum:

Privilege	Object	Notes
CREATE ROLE	Account	Only the USERADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.
OWNERSHIP	Database role	Required to execute a CREATE OR ALTER ROLE statement for an existing role. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the [GRANT OWNERSHIP](/sql-reference/sql/grant-ownership) command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).

Privilege

Object

Notes

CREATE ROLE

Account

Only the USERADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.

OWNERSHIP

Database role

Required to execute a CREATE OR ALTER ROLE statement for an existing role.

OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the [GRANT OWNERSHIP](/sql-reference/sql/grant-ownership) command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

一般使用说明

关于元数据：

Attention

Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

The OR REPLACE and IF NOT EXISTS clauses are mutually exclusive. They can’t both be used in the same statement.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

CREATE OR ALTER ROLE 使用说明¶

All limitations of the ALTER ROLE command apply.
Setting or unsetting a tag is not supported; however, existing tags are not altered by a CREATE OR ALTER ROLE statement and remain unchanged.

示例

CREATE ROLE myrole;