Documentation Home
MySQL 9.5 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 41.4Mb
PDF (A4) - 41.5Mb
Man Pages (TGZ) - 272.3Kb
Man Pages (Zip) - 378.3Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb


15.7.1.11 SET ROLE Statement

SET ROLE {    DEFAULT  | NONE  | ALL  | ALL EXCEPTrole [,role ] ...  |role [,role ] ...}

SET ROLE modifies the current user's effective privileges within the current session by specifying which of its granted roles are active. Granted roles include those granted explicitly to the user and those named in themandatory_roles system variable value.

Examples:

SET ROLE DEFAULT;SET ROLE 'role1', 'role2';SET ROLE ALL;SET ROLE ALL EXCEPT 'role1', 'role2';

Each role name uses the format described inSection 8.2.5, “Specifying Role Names”. The host name part of the role name, if omitted, defaults to'%'.

Privileges that the user has been granted directly (rather than through roles) remain unaffected by changes to the active roles.

The statement permits these role specifiers:

  • DEFAULT: Activate the account default roles. Default roles are those specified withSET DEFAULT ROLE.

    When a user connects to the server and authenticates successfully, the server determines which roles to activate as the default roles. If theactivate_all_roles_on_login system variable is enabled, the server activates all granted roles. Otherwise, the server executesSET ROLE DEFAULT implicitly. The server activates only default roles that can be activated. The server writes warnings to its error log for default roles that cannot be activated, but the client receives no warnings.

    If a user executesSET ROLE DEFAULT during a session, an error occurs if any default role cannot be activated (for example, if it does not exist or is not granted to the user). In this case, the current active roles are not changed.

  • NONE: Set the active roles toNONE (no active roles).

  • ALL: Activate all roles granted to the account.

  • ALL EXCEPTrole [,role ] ...: Activate all roles granted to the account except those named. The named roles need not exist or be granted to the account.

  • role [,role ] ...: Activate the named roles, which must be granted to the account.

Note

SET DEFAULT ROLE andSET ROLE DEFAULT are different statements:

  • SET DEFAULT ROLE defines which account roles to activate by default within account sessions.

  • SET ROLE DEFAULT sets the active roles within the current session to the current account default roles.

For role usage examples, seeSection 8.2.10, “Using Roles”.