CREATE USER

Use the CREATE USER command to create a user with additional clauses.

Synopsis

Syntax for creating a user:

CREATE USER <user-name> [WITH] [<create_user_clause>]...
<create_user_clause> ::=
            PASSWORD { 'string' | NULL }
        |   IN GROUP { <group-name> },...
        |   VALID UNTIL <valid-date>
        |   ROWSETLIMIT <limit>
        |   SESSIONTIMEOUT <limit>
        |   QUERYTIMEOUT <limit>
        |   DEFPRIORITY [critical|high|normal|low|none]
        |   MAXPRIORITY [critical|high|normal|low|none]
        |   SYSID <id-number>
        |   IN RESOURCEGROUP <group-name>
        |   SECURITY LABEL <label-string>
        |   SECURITY LABEL ' [<level>] : [<category>,]... :
            [<cohort>,]...'
        |   AUDIT CATEGORY { NONE | ' <category> ,...’ }
        |   COLLECT HISTORY { ON | OFF | DEFAULT }
        |   CONCURRENT SESSIONS <limit>
        |   ALLOW CROSS JOIN [TRUE|FALSE|NULL]
        |   ACCESS TIME { ALL | DEFAULT | ( <access-time>,... )
            <access-time> ::= DAY { ALL | <day>, ... } [ <time-bound> ]
            <time-bound>  ::= START <time-literal> END <time-literal> ]
        |   AUTH [LOCAL|DEFAULT]
        |   EXPIRE PASSWORD

Inputs

The CREATE USER command has the following additional inputs:

Table 1. CREATE USER inputs
Input	Description
SECURITY LABEL	Specifies the security label of a user. If a SECURITY LABEL is not specified, the default label ‘PUBLIC::’ is assigned. The label is surrounded by parentheses so that identifiers in the label do not conflict with keywords of the other user clauses.
AUDIT CATEGORY <category>	Specifies the audit categories of the users. One or more audit categories can be specified. The categories are added to the security label during audit logging.
COLLECT HISTORY [ ON \| OFF \| DEFAULT ]	Determines whether this session collects history of a user. ON indicates that history is collected for this user when connected to a database that also has COLLECT HISTORY ON. OFF indicates that history is not collected for this user. DEFAULT means to examine groups this user is a member of to determine whether to collect history. If any group has COLLECT HISTORY ON, then history is collected when connected to a database that also has COLLECT HISTORY ON. If no group has COLLECT HISTORY ON, but a group has COLLECT HISTORY OFF, then no history is collected. If all groups have DEFAULT history collection, the history is collected. DEFAULT is the default for a user, if the COLLECT HISTORY clause is not specified.
CONCURRENT SESSIONS <limit>	Sets the maximum number of concurrent sessions this user can have. A value of 0 means no limit to the number of concurrent sessions, unless a limit is imposed by a group of which this user is a member. In that case, the minimum limit of concurrent sessions across all such groups is used.
ALLOW CROSS JOIN [TRUE \| FALSE \| NULL]	Sets user or group permission to allow explicit cross joins. If NULL is defined for a user, the system checks against the group permission, and takes the lowest non-null value, where FALSE is lower than TRUE. This setting involves a system-wide change, so notify all affected users before making this change.
ACCESS TIME ALL	Indicates that this user can start sessions on the Netezza Performance Server system at any time on any day.
ACCESS TIME DEFAULT	Indicates that access time restrictions are taken from the groups this user is a member of. If no groups have access time restrictions, then the user can start sessions at any time on any day. The access time restriction is evaluated for every group that has one. If any group restricts access, the user cannot create a session. That is, the most restrictive access policy is applied.
access-time	Specifies one access time subclause; several can be specified. An access time subclause defines one or more days by the standard SQL day number (1 = Sunday, 7 = Saturday). The keyword ALL can be use to specify all days of the week; it is equivalent to 1,2,3,4,5,6,7. An access time subclause optionally contains one time bound. If no time bound is specified, then the user can create a session at any time on the specified day.
time-bound	Specifies a time range from a start time to an end time. The times can be specified as any valid SQL time literal. It is possible to repeat the same day specification multiple times with different time bounds.
AUTH [LOCAL \| DEFAULT]	Sets the overriding authentication for the user to LOCAL (checks the password against the local database/catalog), regardless of the connection setting. To revert this setting to the default setting, use AUTH DEFAULT.
EXPIRE PASSWORD	If this value is set while the user is logged in, it does not affect the current session, but requires the user to change their password the next time they log in.

Outputs

The CREATE USER command has the following output:

Table 2. CREATE USER output
Output	Description
ERROR: permission denied.	You must have Manage Security privilege to set the security label, audit category, or history collection of a user.

Description

The CREATE USER command has the following characteristics:

Privileges required: You must have Manage Security privilege to set the security label, audit category, or history collection of a user.
Common tasks: Use the CREATE USER command to create a user with additional clauses.

Usage

The following provides sample usage:

CREATE USER BOB WITH AUDIT CATEGORY TOP;