MySQL_Roles_and_Users_Management__1734785003

Uploaded by

KaNika TH11
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
MySQL Roles and Users Management:

One difference between roles and users is that CREATE ROLE creates an authorization identifier
that is locked by default, whereas CREATE USER creates an authorization identifier that is
unlocked by default.

User Management:

To create a new user in the MySQL database, you use the CREATE USER statement.

The basic syntax of the CREATE USER statement:

CREATE USER [IF NOT EXISTS] account_name IDENTIFIED BY 'password';

The account_name has the form username@hostname. The username is the name of the user, while
the hostname is the name of the host from which the user connects to the MySQL Server.

The hostname part of the account name is optional. If you omit the hostname, the user can
connect from any host.

An account name without a hostname is equivalent to the following:

username@%

If the username and hostname contain special characters, such as spaces or hyphens, you
need to enclose the username and hostname separately in quotes, like this:

'user-name'@'hostname'

In addition to the single quote ('), you can use backticks (`) or double quotation marks (").

Specify the password for the user after the IDENTIFIED BY keywords.

Example:

Create a new user:

CREATE USER naveen@localhost IDENTIFIED BY 'Naveen@2024';

List the users on the current MySQL Server:

SELECT user FROM mysql.user;

MySQL GRANT:

The CREATE USER statement creates a user account with no privileges. It means that the user
account can log in to the MySQL Server but cannot do anything such as selecting a database and
querying data from tables.

To enable the user account to work with database objects, you need to grant it privileges. You use
the GRANT statement to assign one or more privileges to the user account.

The basic syntax of the GRANT statement:

GRANT privilege [, privilege] ... ON privilege_level TO account_name;

MySQL privilege levels:

Global Privileges:

Global privileges apply to all databases in a MySQL Server. To assign global privileges, you use
the *.* syntax, for example:

GRANT SELECT ON *.* TO naveen@localhost;

The account naveen@localhost can query data from all tables in all databases of the current
MySQL Server.

Database privileges:

Database privileges apply to all objects in a particular database. To assign database-level
privileges, you use the ON database_name.* syntax, for example:

GRANT INSERT ON classicmodels.* TO naveen@localhost;

In this example, naveen@localhost can insert rows into all tables in the classicmodels database.

Table privileges:

Table privileges apply to all columns in a table. To assign table-level privileges, you use the ON
database_name.table_name syntax. For example:

GRANT DELETE ON classicmodels.employees TO naveen@localhost;

In this example, naveen@localhost can delete rows from the employees table in the
classicmodels database.

If you skip the database name, MySQL uses the default database or issues an error if there is no
default database.

Column privileges:

Column privileges apply to individual columns within a table. You must specify the column or
columns for each privilege. For example:

GRANT SELECT (employeeNumber, lastName, firstName, email), UPDATE (lastName)
ON classicmodels.employees TO naveen@localhost;

In this example, naveen@localhost can select data from four columns (employeeNumber, lastName,
firstName, email) and can update only the lastName column in the employees table.

Stored routine privileges:

Stored routine privileges apply to stored procedures and stored functions. For example:

GRANT EXECUTE ON PROCEDURE classicmodels.getallproducts TO naveen@localhost;


In this example, naveen@localhost can execute the stored procedure getallproducts in the
classicmodels database.

Proxy user privileges:

Proxy user privileges allow one user to be a proxy for another. The proxy user gets all the privileges
of the proxied user. For example:

GRANT PROXY ON root TO naveen@localhost;

In this example, naveen@localhost assumes all privileges of the user root.
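
Each privilege level above is recorded in its own grant table, so a review of what has been granted has to look at every level. The following is an added example, not part of the original document; it assumes MySQL 8.0 and an administrative account that is allowed to read the mysql system schema.

```sql
-- Added example: review what has been granted at each privilege level.
-- Assumes MySQL 8.0 and an account allowed to read the mysql schema.

-- Accounts whose hostname part is %, i.e. allowed to connect from any host.
-- Roles are listed here too, with account_locked = 'Y'.
SELECT user, host, account_locked
FROM mysql.user
WHERE host = '%'
ORDER BY user;

-- Global privileges (granted ON *.*), excluding the no-privilege marker USAGE.
SELECT grantee,
       COUNT(*)          AS global_priv_count,
       MAX(is_grantable) AS can_grant
FROM information_schema.user_privileges
WHERE privilege_type <> 'USAGE'
GROUP BY grantee
ORDER BY global_priv_count DESC;

-- Database privileges (granted ON database_name.*).
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
ORDER BY grantee, table_schema;

-- Table privileges (granted ON database_name.table_name).
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.table_privileges
ORDER BY grantee, table_schema, table_name;

-- Column privileges, e.g. SELECT (lastName) or UPDATE (lastName).
SELECT grantee, table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges
ORDER BY grantee, table_schema, table_name, column_name;

-- Stored routine privileges (EXECUTE ON PROCEDURE / FUNCTION).
SELECT user, host, db, routine_name, routine_type, proc_priv
FROM mysql.procs_priv;

-- Proxy grants: each row lets user@host take on the privileges of
-- proxied_user@proxied_host, so a row naming root deserves a close look.
SELECT user, host, proxied_user, proxied_host, with_grant
FROM mysql.proxies_priv;
```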

MySQL REVOKE:

The REVOKE statement revokes one or more privileges from a user account.

The REVOKE statement has several forms.

1) The basic syntax of the REVOKE statement that revokes one or more privileges from user
accounts:

REVOKE privilege [, privilege] ... ON [object_type] privilege_level FROM user1 [, user2] ...;

2) To revoke all privileges from a user, you use the following form of the REVOKE ALL
statement:

REVOKE ALL [PRIVILEGES], GRANT OPTION FROM user1 [, user2];

3) To revoke a proxy user, you use the REVOKE PROXY command:

REVOKE PROXY ON proxied_user FROM proxy_user1 [, proxy_user2] ...;

Roles management:

In MySQL, a role is a named collection of privileges that can be granted to user accounts or other
roles. This simplifies privilege management by allowing administrators to assign a set of privileges
to multiple users through a single role, rather than granting privileges individually to each user.

Set up a sample database for roles management:

CREATE DATABASE IF NOT EXISTS crm;

USE crm;

CREATE TABLE customers(
    id INT PRIMARY KEY AUTO_INCREMENT,
    first_name VARCHAR(255) NOT NULL,
    last_name VARCHAR(255) NOT NULL,
    phone VARCHAR(15) NOT NULL,
    email VARCHAR(255)
);

INSERT INTO customers(first_name, last_name, phone, email)
VALUES ('John','Doe','(408)-987-7654','[email protected]'),
       ('Lily','Bush','(408)-987-7985','[email protected]');

SELECT * FROM customers;


Creating roles:

CREATE ROLE crm_dev_role,crm_write_role,crm_read_role;

NOTE: If you omit the host part, it defaults to ‘%’ which means any host.

Granting privileges to roles:

GRANT ALL ON crm.* TO crm_dev_role;

GRANT SELECT,INSERT,UPDATE,DELETE ON crm.* TO crm_write_role;

GRANT SELECT ON crm.* TO crm_read_role;

Checking Role Privileges:

SHOW GRANTS FOR crm_dev_role;

SHOW GRANTS FOR crm_write_role;

SHOW GRANTS FOR crm_read_role;

Creating users:

CREATE USER crm_dev_user IDENTIFIED BY 'Crm_dev_user@2024';

CREATE USER crm_write_user IDENTIFIED BY 'Crm_write_user@2024';


CREATE USER crm_read_user IDENTIFIED BY 'Crm_read_user@2024';

Assigning roles to user accounts:

GRANT crm_dev_role TO crm_dev_user;

GRANT crm_write_role TO crm_write_user;

GRANT crm_read_role TO crm_read_user;

Checking user Privileges:

SHOW GRANTS FOR crm_dev_user USING crm_dev_role;

SHOW GRANTS FOR crm_write_user USING crm_write_role;

SHOW GRANTS FOR crm_read_user USING crm_read_role;

Activating Roles:

When you grant roles to a user account, the roles are not automatically activated when the user
account connects to the database server.

To specify which roles should be active each time a user account connects to the database
server, you can use the SET DEFAULT ROLE statement.

SET DEFAULT ROLE ALL TO crm_dev_user,crm_write_user,crm_read_user;
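
The difference between a granted role and an active role can be checked from the grant tables and from inside a session. This is an added example, not part of the original document; it assumes MySQL 8.0, the crm roles and users created above, and that SET DEFAULT ROLE has not yet been run for crm_read_user.

```sql
-- Added example. Part 1 runs as an administrator, part 2 in a session
-- connected as crm_read_user.

-- Part 1 (administrator) ------------------------------------------------
-- Roles are stored as accounts in mysql.user; CREATE ROLE leaves them locked.
SELECT user, host, account_locked
FROM mysql.user
WHERE user IN ('crm_read_role', 'crm_read_user');

-- Which roles have been granted to which accounts.
SELECT from_user AS role_name, to_user AS granted_to, to_host, with_admin_option
FROM mysql.role_edges;

-- Which of those roles are activated at login (filled by SET DEFAULT ROLE).
SELECT user, host, default_role_user
FROM mysql.default_roles;

-- Server-wide alternative to per-user defaults; OFF unless changed.
SELECT @@activate_all_roles_on_login;

-- Part 2 (session of crm_read_user) --------------------------------------
-- Lists the roles active in this session.
SELECT CURRENT_ROLE();

-- Granted but inactive roles contribute no privileges, so with no active
-- role this statement is rejected.
SELECT * FROM crm.customers;

-- Activate the role for the current session only.
SET ROLE crm_read_role;
SELECT CURRENT_ROLE();
SELECT * FROM crm.customers;

-- crm_read_role carries SELECT only, so a write is still rejected.
DELETE FROM crm.customers WHERE id = 1;

-- Drop back to no active roles.
SET ROLE NONE;
```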

Revoking roles from users:

REVOKE crm_dev_role FROM crm_dev_user;

REVOKE crm_write_role FROM crm_write_user;

REVOKE crm_read_role FROM crm_read_user;

Revoking privileges from roles:

REVOKE ALL ON crm.* FROM crm_dev_role;

REVOKE SELECT,INSERT,UPDATE,DELETE ON crm.* FROM crm_write_role;

REVOKE SELECT ON crm.* FROM crm_read_role;

NOTE:

USAGE means that the user can log in to the database but has no privileges.

Dropping roles and users:

DROP ROLE crm_dev_role,crm_write_role,crm_read_role;

DROP USER crm_dev_user,crm_write_user,crm_read_user;

Changing the user password:

ALTER USER naveen@localhost IDENTIFIED BY 'Naveen@2025';

Lock the user to prevent anyone from using it to connect to the server:

ALTER USER naveen@localhost ACCOUNT LOCK;

Unlock the user so that it can connect to the server again:

ALTER USER naveen@localhost ACCOUNT UNLOCK;
