CREATE ROLE [IF NOT EXISTS] role [, role ] ...

CREATE ROLE creates one or more roles, which are named collections of
privileges. To use this statement, you must have the global CREATE ROLE
or CREATE USER privilege. When the read_only system variable is
enabled, CREATE ROLE additionally requires the CONNECTION_ADMIN
privilege (or the deprecated SUPER privilege).

A newly created role is locked, has no password, and is assigned the
default authentication plugin. (These role attributes can be changed
later with the ALTER USER statement, by users who have the global
CREATE USER privilege.)

CREATE ROLE either succeeds for all named roles or rolls back and has
no effect if any error occurs. By default, an error occurs if you try
to create a role that already exists. If the IF NOT EXISTS clause is
given, the statement produces a warning for each named role that
already exists, rather than an error.

The statement is written to the binary log if it succeeds, but not if
it fails; in that case, rollback occurs and no changes are made. A
statement written to the binary log includes all named roles. If the IF
NOT EXISTS clause is given, this includes even roles that already exist
and were not created.

Each role name uses the format described in For example:

CREATE ROLE 'administrator', 'developer';
CREATE ROLE 'webapp'@'localhost';

The host name part of the role name, if omitted, defaults to '%'.
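As an added example (not taken from the MySQL manual), the following session creates a set of roles idempotently with IF NOT EXISTS, attaches least-privilege grants to the roles rather than to accounts, and checks that the roles themselves are locked and passwordless so they cannot be used to log in. The role, database and account names, and the placeholder password, are assumed for illustration.

```sql
-- Added example, not from the MySQL manual. Role/database/account names are assumed.
-- Succeeds for all three roles or has no effect; existing roles produce warnings, not errors.
CREATE ROLE IF NOT EXISTS 'app_read'@'%', 'app_write'@'%', 'app_admin'@'%';

-- Privileges are granted to the roles, never directly to the service account.
GRANT SELECT ON appdb.* TO 'app_read'@'%';
GRANT INSERT, UPDATE, DELETE ON appdb.* TO 'app_write'@'%';
GRANT ALL ON appdb.* TO 'app_admin'@'%';

-- Roles are created locked and without a password: account_locked is 'Y'
-- and authentication_string is empty for each row returned here.
SELECT user, host, account_locked, authentication_string
FROM mysql.user
WHERE user LIKE 'app\_%';

-- The application account receives only the read and write roles, active on login.
CREATE USER IF NOT EXISTS 'webapp'@'10.0.0.%' IDENTIFIED BY '<placeholder-password>';
GRANT 'app_read'@'%', 'app_write'@'%' TO 'webapp'@'10.0.0.%';
SET DEFAULT ROLE ALL TO 'webapp'@'10.0.0.%';

-- Re-running the statement for an existing role yields one warning, not an error,
-- and the statement is still written to the binary log naming that role.
CREATE ROLE IF NOT EXISTS 'app_read'@'%';
SHOW WARNINGS;

-- Review the effective privileges the account obtains through its roles.
SHOW GRANTS FOR 'webapp'@'10.0.0.%' USING 'app_read'@'%', 'app_write'@'%';
```

The SELECT against mysql.user needs read access to the system schema; the SHOW GRANTS ... USING form lists the privileges the account holds only by virtue of the named roles.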

For role usage examples, see