> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorization in CockroachDB

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.).

This page describes authorization of SQL users on particular <InternalLink path="architecture/glossary#cluster">CockroachDB database clusters</InternalLink>. This is distinct from authorization of CockroachDB Cloud Console users on CockroachDB Cloud organizations.

Learn more about the <InternalLink version="cockroachcloud" path="authorization#overview-of-the-cockroachdb-cloud-authorization-model">CockroachDB Cloud authorization model</InternalLink>

## Authorization models

Authorization in CockroachDB is *unified*, meaning that a given SQL user's permissions on a given cluster are governed by the same policies in different contexts such as accessing the SQL shell or viewing data from the DB Console.

<Note>
  Starting in v22.2, CockroachDB introduces a new granular [system-level privilege model](#supported-privileges) that provides finer control over a user's ability to work with the database. This new system-level privilege model is intended to replace the existing [role options model](#role-options) in a future release of CockroachDB. As such, any legacy role options that now have corresponding system-level privilege versions are **deprecated in CockroachDB v22.2**, though both are supported alongside each other in v22.2. We recommend familiarizing yourself with the new system-level privilege model, and implementing it where possible.
</Note>

CockroachDB offers two authorization models:

| Authorization Model                              | Features                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [System-level Privileges](#supported-privileges) | <ul><li>Introduced in CockroachDB v22.2.</li><li>Supported in CockroachDB v22.2, alongside the existing role options.</li><li>Apply cluster-wide. A system-level privilege is granted at the cluster level, and is inherited via role membership, similar to how [object-level privileges](#privileges) are inherited.</li><li>Are granted with the <InternalLink path="grant">`GRANT`</InternalLink> statement using the `SYSTEM` parameter, and viewed with the <InternalLink path="show-system-grants">`SHOW SYSTEM GRANTS`</InternalLink> statement.</li><li>May be assigned with the <InternalLink path="grant">`GRANT OPTION`</InternalLink>, which allows the assigned user or role to further grant that same system-level privilege to other users or roles.</li></ul> |
| [Role Options](#role-options)                    | <ul><li> [Specific role options](#supported-privileges) which have had corresponding system-level privileges introduced in CockroachDB v22.2 are now **deprecated**.</li><li>Supported in CockroachDB v22.2, alongside the new system-level privileges.</li><li>Apply only to specific users, and are not inheritable via role membership.</li><li>Are granted with the <InternalLink path="grant">`GRANT`</InternalLink> statement, and viewed with the <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink> statement.</li><li>May be assigned with the <InternalLink path="grant">`GRANT OPTION`</InternalLink>, which allows the assigned user or role to further grant that same role option to other users or roles.</li></ul>                                   |

If a system-level privilege exists with the same name as a role option, the system-level privilege should be used.

## Users and roles

Both [authorization models](#authorization-models) make use of the concept of user and roles. There is no technical distinction between a role or user in CockroachDB. A role/user can:

* Be permitted to log in to the <InternalLink path="cockroach-sql">SQL shell</InternalLink>.
* Be granted [privileges](#privileges) to specific actions and database objects.
* Be a member of other users/roles, inheriting their privileges.
* Have other users/roles as members that inherit its privileges.
* Be configured with other [role options](#role-options).

We refer to these as "roles" when they are created for managing the privileges of their member "users" and not for logging in directly, which is typically reserved for "users".

The SQL statements <InternalLink path="create-user">`CREATE USER`</InternalLink> and <InternalLink path="create-role">`CREATE ROLE`</InternalLink> will create the same entity with one exception: `CREATE ROLE` will add the `NOLOGIN` option by default, preventing the user/role from being used to log in. Otherwise, for enhanced PostgreSQL compatibility, the keywords `ROLE` and `USER` can be used interchangeably in SQL statements.

Throughout the documentation, however, we will refer to a "user" or "role" based on the intended purpose of the entity.

## SQL users

A SQL user can interact with a CockroachDB database using the <InternalLink path="cockroach-sql">built-in SQL shell</InternalLink> or through an application.

### Create and manage users

Use the <InternalLink path="create-user">`CREATE USER`</InternalLink> and <InternalLink path="drop-user">`DROP USER`</InternalLink> statements to create and remove users, the <InternalLink path="alter-user">`ALTER USER`</InternalLink> statement to add or change a user's password and role options, the <InternalLink path="grant">`GRANT`</InternalLink> and <InternalLink path="revoke">`REVOKE`</InternalLink> statements to manage the user’s privileges, and the <InternalLink path="show-users">`SHOW USERS`</InternalLink> statement to list users.

A new user must be granted the required privileges for each database and table that the user needs to access.

<Note>
  By default, a new user belongs to the `public` role and has no privileges other than those assigned to the `public` role.
</Note>

### Reserved identities

These identities are reserved within CockroachDB. These identities are created automatically and cannot be removed.

| Identity                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `node`                     | Used for all internode communications and for executing internal SQL operations that are run as part of regular node background processes. The `node` user does not appear when listing a cluster's users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| <a id="root-user" />`root` | Used for administrator access in cases where it is required to manage other admins, such as when deploying a new cluster. The `root` user is created by default for each cluster. The `root` user is assigned to the [`admin` role](#admin-role) and has all privileges across the cluster.<br />For routine administration in production, Cockroach Labs recommends that you:<ul><li>Assign a password for the `root` user using the <InternalLink path="alter-user">`ALTER USER`</InternalLink> statement, and restrict access to the password.</li><li>Avoid relying on the `root` user, and instead <InternalLink path="authorization#create-and-manage-roles">grant the `admin` role</InternalLink> to users.</li></ul> |

In production, access to the `node` and `root` cluster certificates must be handled with care due to the broad level of access they confer on their holders.

## Roles

<Note>
  This section describes roles. For role options like `CREATEROLE`, see [role options](#role-options).
</Note>

A role is a group of users and/or other roles for which you can grant or revoke privileges as a whole. To simplify access management, create a role and grant privileges to the role, then create SQL users and grant them membership to the role.

### Default roles

The `admin` and `public` roles exist by default.

#### `admin` role

The `admin` role is created by default and cannot be dropped. Users belonging to the `admin` role have all privileges for all database objects across the cluster. The `root` user belongs to the `admin` role by default.

An `admin` user is a member of the `admin` role. Only `admin` users can use <InternalLink path="create-role">`CREATE ROLE`</InternalLink> and <InternalLink path="drop-role">`DROP ROLE`</InternalLink>.

To assign a user to the `admin` role:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
> GRANT admin TO <username>;
```

#### `public` role

All new users and roles belong to the `public` role by default. You can grant and revoke the privileges on the `public` role.

### Terminology

#### Role admin

`Role admin` is a [role option](#role-options) that allows a given user or role to *administrate* itself, by granting and revoking it to other users and roles.

To create a `role admin`, use <InternalLink path="grant#grant-the-admin-option">`WITH ADMIN OPTION`</InternalLink>.

<Tip>
  The terms “`admin` role” and “`role admin`” can be confusing.
  The `admin` role is a role (specifically the role granting all privileges on all database resources across a cluster), whereas `role admin` is a role option that is either enabled or disabled or not on any given role or grant of a role to another user or role.

  Learn more about <InternalLink path="create-user#role-options">`role options`</InternalLink>.
</Tip>

#### Direct member

A user or role that is an immediate member of the role.

Example: A is a member of B.

#### Indirect member

A user or role that is a member of the role by association.

Example: A is a member of C ... is a member of B where "..." is an arbitrary number of memberships.

## Object ownership

All CockroachDB objects (such as databases, tables, schemas, and types) must have owners. The user that created the object is the default owner of the object and has `ALL` privileges on the object. Similarly, any roles that are members of the owner role also have all privileges on the object.

All objects that do not have owners (for example, objects created before upgrading to v20.2) have `admin` set as the default owner, with the exception of system objects. System objects without owners have `node` as their owner.

To allow another user to use the object, the owner can [assign privileges](#managing-privileges) to the other user. Members of the `admin` role have `ALL` privileges on all objects.

Users that own objects cannot be dropped until the <InternalLink path="alter-database">ownership is transferred to another user</InternalLink>.

## Privileges

When a user connects to a database, either via the built-in SQL client or a client driver, CockroachDB checks the user and role's privileges for each statement executed. If the user does not have sufficient privileges for a statement, CockroachDB gives an error.

### Supported privileges

System-level privileges (also known as global privileges) offer more granular control over a user's actions when working with CockroachDB, compared to the <InternalLink path="create-role#role-options">role options authorization model</InternalLink>.

You can work with system-level privileges using the <InternalLink path="grant">`GRANT `</InternalLink> statement with the `SYSTEM` parameter, and the <InternalLink path="show-system-grants">`SHOW SYSTEM GRANTS`</InternalLink> statement.

Roles and users can be granted the following privileges:

| Privilege                                                         | Levels                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| ----------------------------------------------------------------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ALL`                                                             | System, Database, Schema, Table, Sequence, Type | For the object to which `ALL` is applied, grants all privileges at the system, database, schema, table, sequence, or type level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `BACKUP`                                                          | System, Database, Table                         | Grants the ability to create <InternalLink path="backup-and-restore-overview">backups</InternalLink> at the system, database, or table level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `CANCELQUERY`                                                     | System                                          | Grants the ability to cancel queries.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| `CHANGEFEED`                                                      | Table                                           | Grants the ability to create <InternalLink path="change-data-capture-overview">changefeeds</InternalLink> on a table.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| <a id="connect" /> `CONNECT`                                      | Database                                        | Grants the ability to view a database's metadata, which consists of objects in a database's `information_schema` and `pg_catalog` system catalogs. This allows the role to view the database's table, schemas, user-defined types, and list the database when running `SHOW DATABASES`. The `CONNECT` privilege is also required to run backups of the database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `CONTROLJOB`                                                      | System                                          | Grants the ability to <InternalLink path="pause-job">pause</InternalLink>, <InternalLink path="resume-job">resume</InternalLink>, and <InternalLink path="cancel-job">cancel</InternalLink> jobs. Non-admin roles cannot control jobs created by admin roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `CREATE`                                                          | Database, Schema, Table, Sequence               | Grants the ability to create objects at the database, schema, table, or sequence level. When applied at the database level, grants the ability to configure <InternalLink path="zone-config-extensions">multi-region zone configs</InternalLink>. In CockroachDB v23.2 and later, the <InternalLink path="cluster-settings">cluster setting</InternalLink> `sql.auth.public_schema_create_privilege.enabled` controls whether users receive `CREATE` privileges on the public schema or not. The setting applies at the time that the <InternalLink path="create-schema">public schema is created</InternalLink>, which happens whenever <InternalLink path="create-database">a database is created</InternalLink>. The setting is `true` by default, but can be set to `false` for increased compatibility with [PostgreSQL version 15](https://www.postgresql.org/about/news/postgresql-15-released-2526/) as described in [this commit](https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b073c3ccd06e4cb845e121387a43faa8c68a7b62). |
| `CREATEDB`                                                        | System                                          | Grants the ability to <InternalLink path="create-database">create</InternalLink> or <InternalLink path="alter-database#rename-to">rename</InternalLink> a database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `CREATELOGIN`                                                     | System                                          | Grants the ability to manage authentication using the `WITH PASSWORD`, `VALID UNTIL`, and `LOGIN`/`NOLOGIN` role options.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| `CREATEROLE`                                                      | System                                          | Grants the ability to <InternalLink path="create-role">create</InternalLink>, modify, or <InternalLink path="drop-role">delete</InternalLink> non-admin roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `DELETE`                                                          | Table, Sequence                                 | Grants the ability to delete objects at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `DROP`                                                            | Database, Table, Sequence                       | Grants the ability to drop objects at the database, table, or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `EXECUTE`                                                         | Function                                        | Grants the ability to execute <InternalLink path="functions-and-operators">functions</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `EXTERNALCONNECTION`                                              | System                                          | Grants the ability to connect to external systems such as object stores, key management systems, Kafka feeds, or external file systems. Often used in conjunction with the `BACKUP`, `RESTORE`, and `CHANGEFEED` privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `EXTERNALIOIMPLICITACCESS`                                        | System                                          | Grants the ability to interact with external resources that require implicit access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `INSERT`                                                          | Table, Sequence                                 | Grants the ability to insert objects at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| <a id="modifyclustersetting" /> `MODIFYCLUSTERSETTING`            | System                                          | Grants the ability to modify <InternalLink path="cluster-settings">cluster settings</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `MODIFYSQLCLUSTERSETTING`                                         | System                                          | Grants the ability to modify SQL <InternalLink path="cluster-settings">cluster settings</InternalLink> (cluster settings prefixed with `sql.`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `NOSQLLOGIN`                                                      | System                                          | Prevents roles from connecting to the SQL interface of a cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| <a id="repaircluster" /> `REPAIRCLUSTER`, `REPAIRCLUSTERMETADATA` | System                                          | Grants the ability to perform cluster debugging and repair operations, including: edit <InternalLink path="show-create-schedule">scheduled jobs</InternalLink>, edit <InternalLink path="show-create-external-connection">external connections</InternalLink>, <InternalLink path="ui-transactions-page#transaction-statistics">reset SQL statistics</InternalLink>, update <InternalLink path="configure-replication-zones">zone configurations</InternalLink>, <InternalLink path="alter-range#relocate">relocate ranges</InternalLink>, and check for constraint violations with <InternalLink version="releases" path="cockroachdb-feature-availability">`SCRUB`</InternalLink>. See also: [`VIEWCLUSTERMETADATA`](#viewclustermetadata).                                                                                                                                                                                                                                                                                                            |
| `REPLICATION`                                                     | System                                          | Grants the ability to create a <InternalLink path="logical-data-replication-overview">logical data replication</InternalLink> or <InternalLink path="physical-cluster-replication-overview">physical cluster replication</InternalLink> stream.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `RESTORE`                                                         | System, Database                                | Grants the ability to restore <InternalLink path="backup-and-restore-overview">backups</InternalLink> at the system or database level. Refer to `RESTORE` <InternalLink path="restore#required-privileges">Required privileges</InternalLink> for more details.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `SELECT`                                                          | Table, Sequence                                 | Grants the ability to run <InternalLink path="query-data">selection queries</InternalLink> at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| `TRIGGER`                                                         | Table                                           | Grants the ability to create <InternalLink path="triggers">triggers</InternalLink> on a table.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `UPDATE`                                                          | Table, Sequence                                 | Grants the ability to run <InternalLink path="update-data">update statements</InternalLink> at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `USAGE`                                                           | Schema, Sequence, Type                          | Grants the ability to use <InternalLink path="schema-design-overview">schemas</InternalLink>, <InternalLink path="create-sequence">sequences</InternalLink>, or <InternalLink path="create-type">user-defined types</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| <a id="viewactivity" /> `VIEWACTIVITY`                            | System                                          | Grants the ability to view other user's activity statistics of a cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| <a id="viewactivityredacted" /> `VIEWACTIVITYREDACTED`            | System                                          | Grants the ability to view other user's activity statistics, but prevents the role from accessing the statement diagnostics bundle in the DB Console, and viewing some columns in introspection queries that contain data about the cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| <a id="viewclustermetadata" /> `VIEWCLUSTERMETADATA`              | System                                          | Grants the ability to view range information, data distribution, store information, and Raft information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| <a id="viewclustersetting" /> `VIEWCLUSTERSETTING`                | System                                          | Grants the ability to view <InternalLink path="cluster-settings">cluster settings</InternalLink> and their values.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| <a id="viewdebug" /> `VIEWDEBUG`                                  | System                                          | Grants the ability to view the <InternalLink path="ui-debug-pages">Advanced Debug Page</InternalLink> of the DB Console and work with the debugging and profiling endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| <a id="viewjob" /> `VIEWJOB`                                      | System                                          | Grants the ability to view <InternalLink path="show-jobs">jobs</InternalLink> on the cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `VIEWSYSTEMTABLE`                                                 | System                                          | Grants read-only access (`SELECT`) on all tables in the `system` database, without granting the ability to modify the cluster. This privilege was introduced in v23.1.11.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| `ZONECONFIG`                                                      | Database, Table, Sequence                       | Grants the ability to configure <InternalLink path="configure-replication-zones">replication zones</InternalLink> at the database, table, and sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

If a system-level privilege exists with the same name as a role option, the system-level privilege should be used. Some role options do not have a corresponding system-level privilege, since they configure per-user attributes. For those system-level privileges that replace legacy role options (such as `VIEWACTIVITY`), if both the system-level privilege and its legacy role option are specified for a user/role, the system-level privilege will take precedence and the legacy role option will be ignored.

### Managing privileges

Use the <InternalLink path="grant">`GRANT`</InternalLink> and <InternalLink path="revoke">`REVOKE`</InternalLink> statements to manage privileges for users and roles.

Take the following points into consideration while granting privileges to roles and users:

* When a role or user is granted privileges for a database, that role or user is not automatically granted access to any new or existing objects within that database. To change access to those objects, see [Default privileges](#default-privileges). This does not apply to system-level privileges, which apply cluster-wide.
* When a role or user is granted privileges for a table, the privileges are limited to the table.
* In CockroachDB, privileges are granted to users and roles at the database and table levels, or cluster-wide at the system level. They are not yet supported for other granularities such as columns or rows.
* The `root` user automatically belongs to the `admin` role and has the `ALL` privilege for new databases.
* For privileges required by specific statements, see the documentation for the respective <InternalLink path="sql-statements">SQL statement</InternalLink>.

### Default privileges

By default, CockroachDB grants the current role/user `ALL` privileges on the objects that they create.

To view the default privileges for a role, or for a set of roles, use the <InternalLink path="show-default-privileges">`SHOW DEFAULT PRIVILEGES`</InternalLink> statement.

To change the default privileges on objects that a user creates, use the <InternalLink path="alter-default-privileges">`ALTER DEFAULT PRIVILEGES`</InternalLink> statement.

The creator of an object is also the object's [owner](#object-ownership). Any roles that are members of the owner role have `ALL` privileges on the object, independent of the default privileges. Altering the default privileges of objects created by a role does not affect that role's privileges as the object's owner. The default privileges granted to other users/roles are always in addition to the ownership (i.e., `ALL`) privileges given to the creator of the object.

For more examples of default privileges, see the examples on the <InternalLink path="show-default-privileges#examples">`SHOW DEFAULT PRIVILEGES`</InternalLink> and <InternalLink path="alter-default-privileges#examples">`ALTER DEFAULT PRIVILEGES`</InternalLink> statement pages.

## Authorization best practices

We recommend the following best practices to set up access control for your clusters:

* Use the `root` user only for database administration tasks such as creating and managing other [users](#sql-users), creating and managing [roles](#roles), and creating and managing databases. Do not use the `root` user for applications; instead, create users or roles with specific [privileges](#managing-privileges) based on your application’s access requirements.

* Use the [Principle of Least Privilege (PoLP)](https://wikipedia.org/wiki/Principle_of_least_privilege) as a golden rule when to designing your system of privilege grants.

  For improved performance, CockroachDB securely caches <InternalLink path="authentication#client-authentication">authentication information for users</InternalLink>. To limit the authentication latency of users logging into a new session, we recommend the following best practices for `ROLE` operations (<InternalLink path="create-role">`CREATE ROLE`</InternalLink>, <InternalLink path="alter-role">`ALTER ROLE`</InternalLink>, <InternalLink path="drop-role">`DROP ROLE`</InternalLink>):

* Run bulk `ROLE` operations inside a transaction.

* Run regularly-scheduled `ROLE` operations together, rather than at different times throughout the day.

* Generally, if a [system-level privilege](#supported-privileges) exists with the same name as a [role option](#role-options), the system-level privilege should be used.
