Creates a role that bundles privileges and can inherit from a parent role.

```sql
CREATE ROLE [IF NOT EXISTS] <name>
  [INHERIT <parent_role>]
  [COMMENT '<description>']
```

## Overview

CREATE ROLE registers a role principal in the RBAC catalog. Roles are granted to users, groups, and service principals and accumulate object-level privileges via GRANT statements. The optional INHERIT clause establishes a parent role from which privileges flow downward.

## Behavior

- Without IF NOT EXISTS, creating a role that already exists raises an error. With IF NOT EXISTS, the existing role is left unchanged.
- The parent role must already exist when INHERIT is specified. The Control Plane validates this and rejects the statement if the parent is missing.
- A role with INHERIT effectively gains every privilege granted to its parent. Inheritance is transitive: if A inherits from B and B inherits from C, A inherits everything granted to C as well.
- Names are validated against `[a-zA-Z_][a-zA-Z0-9_]*`.

## Access Control

Requires the `ManageRoles` privilege.

## Compatibility

DeltaForge extension.

## Parameters

| Name | Type | Description |
|---|---|---|
| name | | Specifies the role name. |
| parent_role | | Specifies a parent role. The new role inherits all privileges granted to the parent. |
| comment | | Optional human-readable description. |
| if_not_exists | | When true, succeed silently if a role with this name already exists. |

## Examples

```sql
-- Bare role
CREATE ROLE analyst;

-- Role with a comment
CREATE ROLE data_engineer COMMENT 'Pipeline authors and operators';

-- Role that inherits from a parent
CREATE ROLE data_lead INHERIT data_engineer COMMENT 'Pipeline owners with elevated grants';

-- Idempotent bootstrap
CREATE ROLE IF NOT EXISTS analyst;
```
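
Because inheritance is transitive, a privilege granted to one role reaches every role below it in the chain. The Python sketch below is an added example, not DeltaForge code: it replays a role bootstrap script with the checks listed under Behavior and lists every role that ends up holding a given privilege. The `platform_admin` role, the `write_pipelines` privilege and the grants map are constructed for illustration, and role names are assumed to be case-sensitive.

```python
import re

NAME = r"[a-zA-Z_][a-zA-Z0-9_]*"  # name rule stated on this page
STMT = re.compile(
    rf"^CREATE\s+ROLE\s+(?P<ine>IF\s+NOT\s+EXISTS\s+)?(?P<name>{NAME})"
    rf"(?:\s+INHERIT\s+(?P<parent>{NAME}))?(?:\s+COMMENT\s+'[^']*')?$", re.I)

def replay(script):
    """Replay CREATE ROLE statements with the documented checks; return {role: parent}."""
    roles = {}
    for chunk in script.split(";"):  # assumption: no ';' inside COMMENT text
        lines = [l.strip() for l in chunk.splitlines()]
        stmt = " ".join(l for l in lines if l and not l.startswith("--"))
        if not stmt:
            continue
        m = STMT.match(stmt)
        if not m:
            raise ValueError(f"invalid statement or role name: {stmt!r}")
        name, parent = m["name"], m["parent"]
        if name in roles:
            if m["ine"]:
                continue  # IF NOT EXISTS leaves the existing role unchanged
            raise ValueError(f"role already exists: {name}")
        if parent is not None and parent not in roles:
            raise ValueError(f"parent role does not exist: {parent}")
        roles[name] = parent
    return roles

def effective(roles, grants, role):
    """Direct grants plus everything inherited up the parent chain (transitive)."""
    privs = set()
    while role is not None:
        privs |= grants.get(role, set())
        role = roles[role]
    return privs

def holders(roles, grants, privilege):
    return sorted(r for r in roles if privilege in effective(roles, grants, r))

# Constructed sample: the page's example roles plus a hypothetical platform_admin.
SCRIPT = """
CREATE ROLE analyst;
CREATE ROLE data_engineer COMMENT 'Pipeline authors and operators';
CREATE ROLE data_lead INHERIT data_engineer;
CREATE ROLE platform_admin INHERIT data_lead;
CREATE ROLE IF NOT EXISTS analyst;
"""
# Constructed direct grants; only ManageRoles is a privilege name from the page.
GRANTS = {"data_engineer": {"ManageRoles"}, "data_lead": {"write_pipelines"}}
print(holders(replay(SCRIPT), GRANTS, "ManageRoles"))
```

Here a single `ManageRoles` grant on `data_engineer` is also held by `data_lead` and `platform_admin`, which is the kind of spread worth reviewing before adding an INHERIT clause.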