A role name (role_name) identifies a role.
<role_name> ::= <identifier>
An error message is displayed if the name has more than 32 characters.
1. The CREATE ROLE statement creates a role. Initially, the new role is empty. Only database administrators can create roles. The name of a new role cannot be the same as the name of an existing role, user, or user group.
2. You use the GRANT statement to assign privileges to a role. You use the REVOKE statement to revoke privileges from a role.
3. You can also use the GRANT statement together with the role name to assign a role to database users, user groups or other roles.
4. You use the ALTER USER or ALTER USERGROUP statement to specify which roles (assigned to a user or a user group) are used when opening a database session.
5. During a database session, you can use the SET statement to activate other roles assigned to the user or user group. If a role is activated in a session, the current user of the session has all the privileges assigned to the role. If a password has been defined for a role, users assigned to this role can only activate it by specifying the password in the SET statement.
The existence and properties of a role are registered in the database catalog as metadata. A user who creates a role becomes the owner of this role.
Any roles assigned to the user or user group with the ALTER USER or ALTER USERGROUP statements are activated when the database session is opened.
All roles are inactive for the current database session while data definition statements are being executed.
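The five steps above as one least-privilege setup, added here as an illustration and not taken from the original documentation: a read-only role is active from session start, and a password-protected role with write access is activated only on demand. The clause spellings (IDENTIFIED BY, DEFAULT ROLE, SET ROLE) are assumed SAP MaxDB-style syntax that this page does not show, and the table, role, user and password names are constructed.

```sql
-- Added example. All names (hr.payroll, payroll_read, payroll_admin,
-- alice, example_pw) are constructed; clause spellings are assumed.
-- Execute each statement separately.

-- Step 1 (database administrator): create two roles, both initially empty.
-- The second one carries a password.
CREATE ROLE payroll_read
CREATE ROLE payroll_admin IDENTIFIED BY example_pw

-- Step 2: assign privileges to the roles, then narrow one again with REVOKE.
GRANT SELECT ON hr.payroll TO payroll_read
GRANT SELECT, UPDATE, DELETE ON hr.payroll TO payroll_admin
REVOKE DELETE ON hr.payroll FROM payroll_admin

-- Step 3: assign both roles to the user.
GRANT payroll_read TO alice
GRANT payroll_admin TO alice

-- Step 4: only the read-only role is activated when alice opens a session.
ALTER USER alice DEFAULT ROLE payroll_read

-- Step 5 (in alice's session): activate the password-protected role
-- when write access is needed; the password must be given in the SET statement.
SET ROLE payroll_admin IDENTIFIED BY example_pw
```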