Creates a user identity in the catalog. Authentication material is provisioned separately by the identity provider; this command registers the principal so roles and grants can target it.
```sql
CREATE USER [IF NOT EXISTS] <name>
    [DEFAULT_ROLE = <role>]
    [COMMENT '<description>']
```

## Overview

CREATE USER registers a user principal in the RBAC catalog. The principal is the target of role grants and direct object grants. Authentication itself is handled outside DeltaForge by the identity provider; this command does not store passwords or other auth material.

## Behavior

- The standalone executor returns an error when no RBAC router is configured. Production deployments route the command to the Control Plane, which persists the user to the catalog database.
- Without IF NOT EXISTS, creating a user that already exists raises an error. With IF NOT EXISTS, the existing user is left unchanged.
- DEFAULT_ROLE must reference an existing role. The Control Plane validates this and rejects the statement otherwise.
- Names are validated against `[a-zA-Z_][a-zA-Z0-9_]*`. Hyphens, spaces, and other special characters are rejected at parse time.

## Access Control

Requires the `ManageUsers` privilege. The ACCOUNTADMIN role grants this privilege by default.

## Compatibility

DeltaForge extension. The shape resembles standard SQL CREATE USER but the supported clauses (DEFAULT_ROLE, COMMENT) are DeltaForge specific; password and external-identity clauses are not part of this command.

| Name | Type | Description |
|---|---|---|
| name | | Specifies the user name. Must match `[a-zA-Z_][a-zA-Z0-9_]*`. Names are stored case-preserved. |
| default_role | | Specifies the role activated automatically when the user signs in. The role must already exist; the Control Plane validates this and rejects the statement if the role is missing. |
| comment | | Optional human-readable description shown by SHOW USERS and DESCRIBE-style introspection. |
| if_not_exists | | When true, succeed silently if a user with this name already exists. |

```sql
-- Bare user, no default role
CREATE USER alice;

-- User with a default role
CREATE USER bob DEFAULT_ROLE = data_engineer COMMENT 'On-call rotation';

-- Idempotent bootstrap
CREATE USER IF NOT EXISTS alice;
```
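
Added example, not DeltaForge's own code: a Python helper that renders idempotent CREATE USER statements from identity-provider records and enforces the documented name pattern before any untrusted text reaches the statement. The function names, the sample records, the `known_roles` pre-check, and the choice to refuse quotes in COMMENT (the page does not document an escaping rule) are assumptions of this example.

```python
import re

# Identifier rule quoted from the page: [a-zA-Z_][a-zA-Z0-9_]*
IDENT = re.compile(r"[a-zA-Z_][a-zA-Z0-9_]*")

def check_ident(value, what):
    # fullmatch, not match(...$): "$" would also accept a trailing newline.
    if not isinstance(value, str) or IDENT.fullmatch(value) is None:
        raise ValueError(f"invalid {what}: {value!r}")
    return value

def check_comment(text):
    # Assumption: escaping inside COMMENT '...' is undocumented, so quotes,
    # backslashes and control characters are refused rather than escaped.
    if any(ch in "'\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise ValueError(f"unsafe comment: {text!r}")
    return text

def create_user_sql(name, default_role=None, comment=None, known_roles=()):
    """Build one idempotent CREATE USER statement from untrusted fields."""
    parts = ["CREATE USER IF NOT EXISTS", check_ident(name, "user name")]
    if default_role is not None:
        check_ident(default_role, "role name")
        # The Control Plane rejects a missing role; fail before sending.
        if default_role not in known_roles:
            raise ValueError(f"unknown role: {default_role!r}")
        parts.append(f"DEFAULT_ROLE = {default_role}")
    if comment is not None:
        parts.append(f"COMMENT '{check_comment(comment)}'")
    return " ".join(parts) + ";"

def plan(records, known_roles):
    # Split records into statements to run and rejects for human review.
    statements, rejected = [], []
    for rec in records:
        try:
            statements.append(create_user_sql(known_roles=known_roles, **rec))
        except ValueError as exc:
            rejected.append((rec.get("name"), str(exc)))
    return statements, rejected

# Constructed sample export from an identity provider.
SAMPLE = [
    {"name": "alice"},
    {"name": "bob", "default_role": "data_engineer", "comment": "On-call rotation"},
    {"name": "carol-smith"},                        # hyphen: not a valid name
    {"name": "dave", "comment": "Dave's laptop"},   # quote would end the literal
    {"name": "erin\n"},                             # trailing newline
    {"name": "frank", "default_role": "no_such_role"},
]
```

Because IF NOT EXISTS leaves an existing user unchanged, re-running the generated statements does not update DEFAULT_ROLE or COMMENT for users already in the catalog.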