Create a role

To start the role creation process, determine the name of the role and the connections and privileges that you want to grant to users who hold that role. Although the connections and privileges are strictly in your domain, you must consider some factors when you declare the name of a new role. For the name of a user-defined role, do not use any of the following SQL keywords, access privileges, or built-in roles:
  • ALTER
  • C
  • CONNECT
  • DBA
  • DBSECADM
  • DEFAULT
  • DELETE
  • EXECUTE
  • EXTEND
  • INDEX
  • INSERT
  • NONE
  • NULL
  • PUBLIC
  • REFERENCES
  • RESOURCE
  • SELECT
  • SETSESSIONAUTH
  • SPL
  • UPDATE

Because role names are authorization identifiers, rather than SQL identifiers, the maximum length of a role name is 32 bytes.

A role name must be different from existing role names in the same database. A role name must also be different from user names that are known to the operating system, including network users known to the server computer. To make sure that your new role name is unique, check the names of the users in the shared memory structure who are currently using the database, and in the following system catalog tables:
  • sysusers
  • systabauth
  • syscolauth
  • sysfragauth
  • sysprocauth
  • sysroleauth
  • syssecpolicyexemptions
  • sysxtdtypeauth

When the situation is reversed and you are adding a user to the database, check that the user name is not the same as any of the existing role names.

After you approve the role name, use the CREATE ROLE statement to create a new role. After the role is created, all privileges for role administration are, by default, given to the DBA.
Important: The scope of a role is the current database only. When you execute the SET ROLE statement, the specified role takes effect in the current database only. As a security precaution, a user who holds access privileges only through a role cannot access tables in a remote database through a view, trigger, or procedure.