Add database users
Add database users to provide team members and applications access to the cluster's YugabyteDB database.
When you create a cluster in YugabyteDB Managed, you set up the database admin credentials, which you use to access the YugabyteDB database. Use this account to:
- add more database users
- assign privileges to users
- change your password, or the passwords of other users
YugabyteDB uses role-based access control (RBAC) to manage authorization. A database user's access is determined by the roles they are assigned. You should grant users only the privileges that they require.
Create and manage users and roles
To manage database users, first connect to your cluster using Cloud Shell or a client shell.
To create and manage database roles and users (users are roles with login privileges), use the following statements:
| I want to | YSQL Statement | YCQL Statement |
|---|---|---|
| Create a user or role. | CREATE ROLE | CREATE ROLE |
| Delete a user or role. | DROP ROLE | DROP ROLE |
| Assign privileges to a user or role. | GRANT | GRANT ROLE |
| Remove privileges from a user or role. | REVOKE | REVOKE ROLE |
| Change your own or another user's password. | ALTER ROLE | ALTER ROLE |
Create a database user
Add database users as follows:
- Add the user using the CREATE ROLE statement.
- Grant the user any roles they require using the GRANT statement.
- Authorize their network so that they can access the cluster. Refer to Assign IP allow lists.
- Send them the credentials.
YSQL
To add a database user in YSQL, use the CREATE ROLE statement as follows:
yugabyte=# CREATE ROLE <username> WITH LOGIN PASSWORD '<password>';
To grant a role to a user, use the GRANT statement as follows:
yugabyte=# GRANT <rolename> TO <username>;
Note
You can't create YSQL superusers in YugabyteDB Managed. To create another database administrator, grant theyb_superuser role. Refer to Database authorization in YugabyteDB Managed clusters.
YCQL
To add a database user in YCQL, use the CREATE ROLE statement as follows:
admin@ycqlsh> CREATE ROLE <username> WITH PASSWORD = '<password>' AND LOGIN = true;
To grant a role to a user, use the GRANT ROLE statement as follows:
admin@ycqlsh> GRANT ROLE <rolename> to <username>;
Change a user password
To change your own or another user's password, use the ALTER ROLE statement.
In YSQL, enter the following:
yugabyte=# ALTER ROLE <username> PASSWORD 'new-password';
In YCQL, enter the following:
cassandra@ycqlsh> ALTER ROLE <username> WITH PASSWORD = 'new-password';