A role_name identifies a role.
<role_name> ::= <identifier>
The identifier may not exceed 32 characters in length.
1. The CREATE ROLE statement creates a role. This role is initially empty. Only database administrators can create roles. The new role name cannot be the same as the name of any other role, user, or user group.
2. You use the GRANT statement to assign privileges to a role. You use the REVOKE statement to revoke privileges from a role.
3. A role can be assigned to database users, user groups, or other roles using the GRANT statement and specifying the role name.
4. You use the ALTER USER or ALTER USERGROUP statement to specify which roles (assigned to a user or a user group) are used when opening a database session.
5. During a database session, you can use the SET statement to activate other roles assigned to the user or user group.
If a role is activated in a session, the current user of the session has all the privileges assigned to the role.
If a password has been assigned to a role, users assigned to that role can only activate it by entering the password in the SET statement.
The existence and properties of a role are registered in the database catalog as metadata. A user that creates a role becomes the owner of this role.
The roles assigned to the user or user group as a result of the ALTER USER and ALTER USERGROUP statements are activated as soon as a database session is opened.
All roles are inactive for the current database session while data definition statements are being executed.