CREATE ROLE (Transact-SQL)
Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW) SQL analytics endpoint in Microsoft Fabric Warehouse in Microsoft Fabric SQL database in Microsoft Fabric
Creates a new database role in the current database.
Transact-SQL syntax conventions
Syntax
CREATE ROLE role_name [ AUTHORIZATION owner_name ]
Arguments
role_name
Is the name of the role to be created.
AUTHORIZATION owner_name
Is the database user or role that is to own the new role. If no user is specified, the role will be owned by the user that executes CREATE ROLE. The owner of the role, or any member of an owning role can add or remove members of the role.
Remarks
Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE. To add members to a database role, use ALTER ROLE (Transact-SQL). For more information, see Database-Level Roles.
Database roles are visible in the sys.database_role_members and sys.database_principals catalog views.
For information about designing a permissions system, see Getting Started with Database Engine Permissions.
Caution
Beginning with SQL Server 2005, the behavior of schemas changed. As a result, code that assumes that schemas are equivalent to database users may no longer return correct results. Old catalog views, including sysobjects, should not be used in a database in which any of the following DDL statements have ever been used: CREATE SCHEMA, ALTER SCHEMA, DROP SCHEMA, CREATE USER, ALTER USER, DROP USER, CREATE ROLE, ALTER ROLE, DROP ROLE, CREATE APPROLE, ALTER APPROLE, DROP APPROLE, ALTER AUTHORIZATION. In such databases you must instead use the new catalog views. The new catalog views take into account the separation of principals and schemas that was introduced in SQL Server 2005. For more information about catalog views, see Catalog Views (Transact-SQL).
Permissions
Requires CREATE ROLE permission on the database or membership in the db_securityadmin fixed database role. When you use the AUTHORIZATION option, the following permissions are also required:
To assign ownership of a role to another user, requires IMPERSONATE permission on that user.
To assign ownership of a role to another role, requires membership in the recipient role or ALTER permission on that role.
To assign ownership of a role to an application role, requires ALTER permission on the application role.
Examples
The following examples all use the AdventureWorks database.
A. Creating a database role that is owned by a database user
The following example creates the database role buyers
that is owned by user BenMiller
.
CREATE ROLE buyers AUTHORIZATION BenMiller;
GO
B. Creating a database role that is owned by a fixed database role
The following example creates the database role auditors
that is owned the db_securityadmin
fixed database role.
CREATE ROLE auditors AUTHORIZATION db_securityadmin;
GO
See Also
Principals (Database Engine)
ALTER ROLE (Transact-SQL)
DROP ROLE (Transact-SQL)
EVENTDATA (Transact-SQL)
sp_addrolemember (Transact-SQL)
sys.database_role_members (Transact-SQL)
sys.database_principals (Transact-SQL)
Getting Started with Database Engine Permissions