GRANT ROLE statement is used to grant a role’s permissions and SUPERUSER status to another role. More than one role can be granted to another role, and the receiving role will possess the union of all the permissions from the roles granted to it (either directly of indirectly through inheritance) plus the SUPERUSER status if any of the roles granted to it has it. For example, if A is granted to B, and B is granted to C, C will be granted all the permissions from A and B, and if either A or B is a SUPERUSER, then C will also be a SUPERUSER.
Granted roles form an acyclic graph, in other words, a role cannot be granted to any of the roles granted to it either directly or indirectly. For example, if A is granted to B, and B granted to C, C cannot be granted to neither A, B, nor C.
This statement is enabled by setting the YB-TServer configuration option
grant_role ::= GRANT ROLE role_name TO role_name
role_nameis a text identifier.
- Both roles must exist or an error will be raised.
ALL ROLESor on the roles being used in the statement is necessary. Otherwise, an unauthorized error will be returned.
- If a role is granted to any role granted to it (either directly or indirectly), an error will be raised.
cqlsh:example> GRANT ROLE eng to robert;