docs/content/v2024.1/secure/authorization/create-roles-ycql.md
Roles in YCQL can represent individual users or a group of users. Users are a role that has login permissions.
You manage roles and users using the CREATE ROLE, GRANT ROLE, REVOKE ROLE, and DROP ROLE statements.
{{< note title="YCQL and case sensitivity" >}}
Like CQL, YCQL is case-insensitive by default. When specifying an identifier, such as the name of a table or role, YCQL automatically converts the identifier to lowercase. For example, CREATE ROLE Alice creates the role "alice". To use a case-sensitive name for an identifier, enclose the name in quotes. For example, to create the role "Alice", use CREATE ROLE "Alice".
{{< /note >}}
You can create roles with the CREATE ROLE command.
For example, to create a role engineering for an engineering team in an organization, do the following (add the IF NOT EXISTS clause in case the role already exists):
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS engineering;
Roles that have LOGIN permissions are users. For example, create a user john as follows:
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS john WITH PASSWORD = 'PasswdForJohn' AND LOGIN = true;
Read about how to create users in YugabyteDB in the authentication section.
You can grant a role to another role (which can be a user), or revoke a role that has already been granted. Executing the GRANT ROLE and the REVOKE ROLE operations requires the AUTHORIZE permission on the role being granted or revoked.
For example, you can grant the engineering role you created above to the user john as follows:
cassandra@ycqlsh> GRANT engineering TO john;
Read more about granting privileges.
In YCQL, you can create a hierarchy of roles. The permissions of any role in the hierarchy flows downward.
For example, you can create a developer role that inherits all the permissions from the engineering role.
First, create the developer role.
cassandra@ycqlsh> CREATE ROLE IF NOT EXISTS developer;
Next, GRANT the engineering role to the developer role.
cassandra@ycqlsh> GRANT engineering TO developer;
You can list all the roles by running the following command:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
You should see the following output:
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------------
john | True | False | ['engineering']
developer | False | False | ['engineering']
engineering | False | False | []
cassandra | True | True | []
(4 rows)
In the table above, note the following:
cassandra role is the built-in superuser.john can log in, and hence is a user. Note that john is not a superuser.engineering and developer cannot log in.john and developer inherit the role engineering.Revoke roles using the REVOKE ROLE command.
For example, you can revoke the engineering role from the user john as follows:
cassandra@ycqlsh> REVOKE engineering FROM john;
Listing all the roles now shows that john no longer inherits from the engineering role:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------------
john | True | False | []
developer | False | False | ['engineering']
engineering | False | False | []
cassandra | True | True | []
(4 rows)
Drop roles using the DROP ROLE command.
For example, you can drop the developer role with the following command:
cassandra@ycqlsh> DROP ROLE IF EXISTS developer;
The developer role is no longer present when listing all the roles:
cassandra@ycqlsh> SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
role | can_login | is_superuser | member_of
-------------+-----------+--------------+-----------
john | True | False | []
engineering | False | False | []
cassandra | True | True | []
(3 rows)