Use the CREATE ROLE statement to create a new role that is used to authenticate into YCQL and as a group of permissions is used to restrict operations on the database objects. Note that users are specific roles that are login enabled. There is no explicit CREATE USER command in YCQL.

This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.






PASSWORD=<Text Literal>LOGIN=<Boolean Literal>SUPERUSER=<Boolean Literal>


create_role ::= CREATE ROLE [ IF NOT EXISTS ] role_name 
                [ WITH role_property [ AND ... ] ]

role_property ::=  PASSWORD = <Text Literal>
                 | LOGIN = <Boolean Literal>
                 | SUPERUSER = <Boolean Literal>


  • role_name is a text identifier.


  • An error is raised if role_name already exists unless the IF NOT EXISTS option is used.
  • By default, a role does not possess the LOGIN privilege nor SUPERUSER status.
  • A role with the SUPERUSER status possesses all the permissions on all the objects in the database even though they are not explicitly granted.
  • Only a role with the SUPERUSER status can create another SUPERUSER role.
  • A role with the LOGIN privilege can be used to authenticate into YQL.
  • Only a client with the permission CREATE on ALL ROLES or with the SUPERUSER status can create another role.


Create a simple role with no properties

ycqlsh:example> CREATE ROLE role1;

Create a SUPERUSER role

ycqlsh:example> CREATE ROLE role2 WITH SUPERUSER = true;

Create a regular user with ability to log in

You can create a regular user with login privileges as shown below. Note the SUPERUSER set to false.

ycqlsh:example> CREATE ROLE role3 WITH SUPERUSER = false AND LOGIN = true AND PASSWORD = 'aid8134'

See also