> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage Cluster User Authorization

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

This page documents procedures for managing the lifecycle of SQL users and roles on CockroachDB clusters.

Procedures for managing access are covered in <InternalLink version="cockroachcloud" path="managing-access">Managing Access in CockroachDB CockroachDB Cloud</InternalLink>.

<Note>
  The concept of *Organization user* is distinct from Authorization of *SQL user/role* on clusters is distinct from authorization of CockroachDB CockroachDB Cloud users within CockroachDB CockroachDB Cloud organizations.

  Learn more: <InternalLink version="cockroachcloud" path="authorization#overview-of-the-cockroachdb-cloud-authorization-model">Overview of the CockroachDB Cloud authorization model</InternalLink>
  For reference documentation and explanation of related concepts, see <InternalLink path="security-reference/authorization">Security Reference — Authorization</InternalLink>.
</Note>

## Create CockroachDB users

Use the <InternalLink path="create-user">`CREATE USER`</InternalLink> and <InternalLink path="drop-user">`DROP USER`</InternalLink> statements to create and remove users, the <InternalLink path="alter-user">`ALTER USER`</InternalLink> statement to add or change a user's password and role options, the <InternalLink path="grant">`GRANT`</InternalLink> and <InternalLink path="revoke">`REVOKE`</InternalLink> statements to manage the user’s privileges, and the <InternalLink path="show-users">`SHOW USERS`</InternalLink> statement to list users.

A new user must be granted the required privileges for each database and table that the user needs to access.

<Note>
  By default, a new user belongs to the `public` role and has no privileges other than those assigned to the `public` role.
</Note>

## Create and manage roles

For examples showing how to create and manage your cluster's users and roles, refer to the following documentation:

| Statement                                                     | Description                                                                                                                                |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| <InternalLink path="create-role">`CREATE ROLE`</InternalLink> | Create SQL roles.                                                                                                                          |
| <InternalLink path="drop-role">`DROP ROLE`</InternalLink>     | Remove one or more SQL roles.                                                                                                              |
| <InternalLink path="alter-role">`ALTER ROLE`</InternalLink>   | Change passwords, role options, and default session variables for a role.                                                                  |
| <InternalLink path="create-user">`CREATE USER`</InternalLink> | Create SQL users.                                                                                                                          |
| <InternalLink path="create-user">`DROP USER`</InternalLink>   | Remove one or more SQL users.                                                                                                              |
| <InternalLink path="alter-user">`ALTER USER`</InternalLink>   | Change passwords and role options for a user.                                                                                              |
| <InternalLink path="grant">`GRANT`</InternalLink>             | Manage each role or user's SQL privileges for interacting with specific databases and tables, or add a role or user as a member to a role. |
| <InternalLink path="revoke">`REVOKE`</InternalLink>           | Revoke privileges from users and/or roles, or revoke a role or user's membership to a role.                                                |
| <InternalLink path="show-roles">`SHOW ROLES`</InternalLink>   | List the roles for all databases.                                                                                                          |
| <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink> | List the privileges granted to users.                                                                                                      |

## See also

* <InternalLink path="connection-parameters">Client Connection Parameters</InternalLink>
* <InternalLink path="sql-statements">SQL Statements</InternalLink>
* <InternalLink path="create-user">`CREATE USER`</InternalLink>
* <InternalLink path="alter-user">`ALTER USER`</InternalLink>
* <InternalLink path="drop-user">`DROP USER`</InternalLink>
* <InternalLink path="show-users">`SHOW USERS`</InternalLink>
* <InternalLink path="create-role">`CREATE ROLE`</InternalLink>
* <InternalLink path="alter-role">`ALTER ROLE`</InternalLink>
* <InternalLink path="drop-role">`DROP ROLE`</InternalLink>
* <InternalLink path="show-roles">`SHOW ROLES`</InternalLink>
* <InternalLink path="grant">`GRANT`</InternalLink>
* <InternalLink path="revoke">`REVOKE`</InternalLink>
* <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink>
