> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# ALTER ROLE

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

Use the `ALTER ROLE` <InternalLink path="sql-statements">statement</InternalLink> to add, change, or remove a <InternalLink path="create-role">role's</InternalLink> password, change the role options for a role, and set default <InternalLink path="set-vars">session variable</InternalLink> values for a role.

You can use the keywords `ROLE` and `USER` interchangeably. <InternalLink path="alter-user">`ALTER USER`</InternalLink> is an alias for `ALTER ROLE`.

## Considerations

### Password management

Password creation and alteration is supported only in secure clusters.

### Session variable precedence

When a <InternalLink path="show-sessions">session</InternalLink> starts, CockroachDB determines the initial value of each <InternalLink path="session-variables">session variable</InternalLink> by evaluating the settings in the following order (items earlier in the list take precedence over later items):

1. <InternalLink path="connection-parameters">Connection string parameters</InternalLink>: A value supplied as a query parameter in the connection URL (for example, `.../movr?sslmode=disable&timezone=UTC` ).
2. <InternalLink path="alter-role#set-default-session-variable-values-for-a-role-in-a-specific-database">Per-role, per-database defaults</InternalLink>: A value set by `ALTER ROLE {role_name} IN DATABASE {db_name} SET {var}={value}`.
3. <InternalLink path="alter-role#set-default-session-variable-values-for-a-role">Per-role, all-database defaults</InternalLink>: A value set by `ALTER ROLE {role_name} SET {var}={value}`.
4. <InternalLink path="alter-role#set-default-session-variable-values-for-a-specific-database">All-role, per-database defaults</InternalLink>: A value set by `ALTER ROLE ALL IN DATABASE {db_name} SET {var}={value}` or equivalently by `ALTER DATABASE {db_name} SET {var}={value}`.
5. <InternalLink path="alter-role#set-default-session-variable-values-for-all-users">Cluster-wide defaults for all roles and all databases</InternalLink>: A value set by `ALTER ROLE ALL SET {var}={value}`.

If a session variable is not modified using any of the preceding methods, the built-in system default value is used. Note that the <InternalLink path="security-reference/authorization">`root` user</InternalLink> is exempt from settings 3–5. The `root` user is only affected by values specified in the connection string.

You can also set session variables for the duration of a single transaction by using <InternalLink path="set-vars#set-a-variable-for-the-duration-of-a-single-transaction">`SET LOCAL {var}={value}`</InternalLink>.

<Note>
  Changes to defaults using the preceding methods only apply to **future** sessions. This is because session variable resolution happens at session start time. To change a default value in an existing open session, set the variable explicitly with <InternalLink path="set-vars">`SET`</InternalLink>.
</Note>

## Required privileges

* To alter an <InternalLink path="security-reference/authorization#admin-role">`admin` role</InternalLink>, the user must be a member of the `admin` role.
* To alter other roles, the user must be a member of the `admin` role or have the <InternalLink path="create-role#create-a-role-that-can-create-other-roles-and-manage-authentication-methods-for-the-new-roles">`CREATEROLE`</InternalLink> [role option](#role-options).

## Synopsis

<img src="https://mintcdn.com/cockroachlabs/w6H3zc9JqC1vaAQB/images/sql-diagrams/v24.3/alter_role.svg?fit=max&auto=format&n=w6H3zc9JqC1vaAQB&q=85&s=b77b8023f36d16a0bba7bf30e45f9331" alt="alter_role syntax diagram" style={{maxWidth: "100%", overflowX: "auto"}} width="1199" height="657" data-path="images/sql-diagrams/v24.3/alter_role.svg" />

## Parameters

| Parameter                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                           |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------- |
| `role\_name`                  | The name of the role to alter.                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                           |
| `WITH role\_option`           | Apply a [role option](#role-options) to the role.                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                           |
| `SET {session variable}`      | Set default <InternalLink path="set-vars">session variable</InternalLink> values for a role.                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                           |
| <a id="parameters-reset" />   | `RESET {session variable}` `RESET ALL`                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Reset one session variable or all session variables to the default value. |
| `IN DATABASE database\_name`  | Specify a database for which to apply session variable defaults. When `IN DATABASE` is not specified, the default session variable values apply for a role in all databases. In order for a session to initialize session variable values to database defaults, the database must be specified as a <InternalLink path="connection-parameters">connection parameter</InternalLink>. Database default values will not appear if the database is set after connection with `USE `/`SET database=`. |                                                                           |
| `ROLE ALL ...`/`USER ALL ...` | Apply session variable settings to all roles. Exception: The `root` user is exempt from session variable settings. This is a failsafe; if you make a mistake with a session variable setting, you can still log in as `root` and be unaffected.                                                                                                                                                                                                                                                  |                                                                           |

### Role options

| Role option                                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `CANCELQUERY`/`NOCANCELQUERY`                   | **Deprecated in v22.2: Use the `CANCELQUERY`<InternalLink path="security-reference/authorization#supported-privileges">system privilege</InternalLink>.** Allow or disallow a role to cancel <InternalLink path="cancel-query">queries</InternalLink> and <InternalLink path="cancel-session">sessions</InternalLink> of other roles. Without this role option, roles can only cancel their own queries and sessions. Even with the `CANCELQUERY` role option, non-`admin` roles cannot cancel `admin` queries or sessions. This option should usually be combined with `VIEWACTIVITY` so that the role can view other roles' query and session information.  By default, the role option is set to `NOCANCELQUERY` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                               |
| `CONTROLCHANGEFEED`/`NOCONTROLCHANGEFEED`       | **Deprecated in v23.1: Use the `CHANGEFEED`<InternalLink path="security-reference/authorization#supported-privileges">privilege</InternalLink>.** Allow or disallow a role to run <InternalLink path="create-changefeed">`CREATE CHANGEFEED`</InternalLink> on tables they have `SELECT` privileges on.  By default, the role option is set to `NOCONTROLCHANGEFEED` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `CONTROLJOB`/`NOCONTROLJOB`                     | Allow or disallow a role to <InternalLink path="pause-job">pause</InternalLink>, <InternalLink path="resume-job">resume</InternalLink>, and <InternalLink path="cancel-job">cancel</InternalLink> jobs. Non-`admin` roles cannot control jobs created by `admin` roles.  By default, the role option is set to `NOCONTROLJOB` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `CREATEDB`/`NOCREATEDB`                         | Allow or disallow a role to <InternalLink path="create-database">create</InternalLink> or <InternalLink path="alter-database#rename-to">rename</InternalLink> a database. The role is assigned as the owner of the database.  By default, the role option is set to `NOCREATEDB` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| `CREATELOGIN`/`NOCREATELOGIN`                   | Allow or disallow a role to manage authentication using the `WITH PASSWORD`, `VALID UNTIL`, and `LOGIN/NOLOGIN` role options.  By default, the role option is set to `NOCREATELOGIN` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `CREATEROLE`/`NOCREATEROLE`                     | Allow or disallow the new role to <InternalLink path="create-role">create</InternalLink>, alter, and <InternalLink path="drop-role">drop</InternalLink> other non-`admin` roles.  By default, the role option is set to `NOCREATEROLE` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `LOGIN`/`NOLOGIN`                               | Allow or disallow a role to log in with one of the <InternalLink path="authentication#client-authentication">client authentication methods</InternalLink>. Setting the role option to `NOLOGIN` prevents the role from logging in using any authentication method.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `MODIFYCLUSTERSETTING`/`NOMODIFYCLUSTERSETTING` | Allow or disallow a role to modify the <InternalLink path="cluster-settings">cluster settings</InternalLink> with the `sql.defaults` prefix.  By default, the role option is set to `NOMODIFYCLUSTERSETTING` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `PASSWORD password`/`PASSWORD NULL`             | The credential the role uses to <InternalLink path="authentication#client-authentication">authenticate their access to a secure cluster</InternalLink>. A password should be entered as a <InternalLink path="sql-constants#string-literals">string literal</InternalLink>. For compatibility with PostgreSQL, a password can also be entered as an identifier.  To prevent a role from using <InternalLink path="authentication#client-authentication">password authentication</InternalLink> and to mandate <InternalLink path="authentication#client-authentication">certificate-based client authentication</InternalLink>, <InternalLink path="create-role#prevent-a-role-from-using-password-authentication">set the password as `NULL`</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                |
| `SQLLOGIN`/`NOSQLLOGIN`                         | **Deprecated in v22.2: Use the `NOSQLLOGIN`<InternalLink path="security-reference/authorization#supported-privileges">system privilege</InternalLink>.** Allow or disallow a role to log in using the SQL CLI with one of the <InternalLink path="authentication#client-authentication">client authentication methods</InternalLink>. The role option to `NOSQLLOGIN` prevents the role from logging in using the SQL CLI with any authentication method while retaining the ability to log in to DB Console. It is possible to have both `NOSQLLOGIN` and `LOGIN` set for a role and `NOSQLLOGIN` takes precedence on restrictions.  Without any role options all login behavior is permitted.                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `VALID UNTIL`                                   | The date and time (in the <InternalLink path="timestamp">`timestamp`</InternalLink> format) after which the [password](#parameters) is not valid.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `VIEWACTIVITY`/`NOVIEWACTIVITY`                 | **Deprecated in v22.2: Use the `VIEWACTIVITY`<InternalLink path="security-reference/authorization#supported-privileges">system privilege</InternalLink>.** Allow or disallow a role to see other roles' <InternalLink path="show-statements">queries</InternalLink> and <InternalLink path="show-sessions">sessions</InternalLink> using `SHOW STATEMENTS`, `SHOW SESSIONS`, and the <InternalLink path="ui-statements-page">**Statements**</InternalLink> and <InternalLink path="ui-transactions-page">**Transactions**</InternalLink> pages in the DB Console. `VIEWACTIVITY` also permits visibility of node hostnames and IP addresses in the DB Console. With `NOVIEWACTIVITY`, the `SHOW` commands show only the role's own data, and DB Console pages redact node hostnames and IP addresses.  By default, the role option is set to `NOVIEWACTIVITY` for all non-`admin` roles.                                                                                                                                                                                                                                                                     |
| `VIEWCLUSTERSETTING` / `NOVIEWCLUSTERSETTING`   | **Deprecated in v22.2: Use the `VIEWCLUSTERSETTING`<InternalLink path="security-reference/authorization#supported-privileges">system privilege</InternalLink>.** Allow or disallow a role to view the <InternalLink path="cluster-settings">cluster settings</InternalLink> with `SHOW CLUSTER SETTING` or to access the <InternalLink path="ui-debug-pages">**Cluster Settings**</InternalLink> page in the DB Console.  By default, the role option is set to `NOVIEWCLUSTERSETTING` for all non-`admin` roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `VIEWACTIVITYREDACTED`/`NOVIEWACTIVITYREDACTED` | **Deprecated in v22.2: Use the `VIEWACTIVITYREDACTED`<InternalLink path="security-reference/authorization#supported-privileges">system privilege</InternalLink>.** Allow or disallow a role to see other roles' queries and sessions using `SHOW STATEMENTS`, `SHOW SESSIONS`, and the Statements and Transactions pages in the DB Console. With `VIEWACTIVITYREDACTED`, a user will not have access to the usage of statements diagnostics bundle (which can contain PII information) in the DB Console, and will not be able to list queries containing <InternalLink path="sql-constants">constants</InternalLink> for other users when using the `listSessions` endpoint through the <InternalLink path="cluster-api">Cluster API</InternalLink>. It is possible to have both `VIEWACTIVITY` and `VIEWACTIVITYREDACTED`, and `VIEWACTIVITYREDACTED` takes precedence on restrictions. If the user has `VIEWACTIVITY` but doesn't have `VIEWACTIVITYREDACTED`, they will be able to see DB Console pages and have access to the statements diagnostics bundle.  By default, the role option is set to `NOVIEWACTIVITYREDACTED` for all non-`admin` roles. |

## Examples

<Note>
  The following statements are run by the `root` user that is a member of the `admin` role and has `ALL` privileges.
</Note>

### Allow a role to log in to the database using a password

The following example allows a role to log in to the database with a <InternalLink path="authentication#client-authentication">password</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH LOGIN PASSWORD 'An0ther$tr0nGpassW0rD' VALID UNTIL '2021-10-10';
```

### Prevent a role from using password authentication

The following statement prevents the user from using password authentication and mandates certificate-based <InternalLink path="authentication#client-authentication">client authentication</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH PASSWORD NULL;
```

### Allow a role to create other roles and manage authentication methods for the new roles

The following example allows the role to <InternalLink path="create-role">create other roles</InternalLink> and <InternalLink path="authentication#client-authentication">manage authentication methods</InternalLink> for them:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH CREATEROLE CREATELOGIN;
```

### Allow a role to create and rename databases

The following example allows the role to <InternalLink path="create-database">create</InternalLink> or <InternalLink path="alter-database#rename-to">rename</InternalLink> databases:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH CREATEDB;
```

### Allow a role to pause, resume, and cancel non-admin jobs

The following example allows the role to <InternalLink path="pause-job">pause</InternalLink>, <InternalLink path="resume-job">resume</InternalLink>, and <InternalLink path="cancel-job">cancel</InternalLink> jobs:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH CONTROLJOB;
```

### Allow a role to see and cancel non-admin queries and sessions

The following example allows the role to cancel <InternalLink path="cancel-query">queries</InternalLink> and <InternalLink path="cancel-session">sessions</InternalLink> for other non-`admin` roles:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH CANCELQUERY VIEWACTIVITY;
```

### Allow a role to control changefeeds

The following example allows the role to run <InternalLink path="create-changefeed">`CREATE CHANGEFEED`</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH CONTROLCHANGEFEED;
```

### Allow a role to modify cluster settings

The following example allows the role to modify <InternalLink path="cluster-settings">cluster settings</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE carl WITH MODIFYCLUSTERSETTING;
```

### Set default session variable values for a role

In the following example, the `root` user creates a role named `max`, and sets the default value of the `timezone` <InternalLink path="set-vars#supported-variables">session variable</InternalLink> for the `max` role.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> CREATE ROLE max WITH LOGIN;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE max SET timezone = 'America/New_York';
```

This statement does not affect the default `timezone` value for any role other than `max`:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> SHOW timezone;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
  timezone
------------
  UTC
(1 row)
```

To see the default `timezone` value for the `max` role, run the `SHOW` statement as a member of the `max` role:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
max@:26257/defaultdb> SHOW timezone;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
      timezone
--------------------
  America/New_York
(1 row)
```

For a list of the session variables that have been updated from default values, see <InternalLink path="show-default-session-variables-for-role">`SHOW DEFAULT SESSION VARIABLES FOR ROLE`</InternalLink>.

### Set default session variable values for a role in a specific database

In the following example, the `root` user creates a role named `max` and a database named `movr`, and sets the default value of the `statement_timeout` <InternalLink path="set-vars#supported-variables">session variable</InternalLink> for the `max` role in the `movr` database.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> CREATE DATABASE movr;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> CREATE ROLE max WITH LOGIN;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE max IN DATABASE movr SET statement_timeout = '10s';
```

This statement does not affect the default `statement_timeout` value for any role other than `max`, or in any database other than `movr`.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> SHOW statement_timeout;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
  statement_timeout
---------------------
  0
(1 row)
```

To see the new default `statement_timeout` value for the `max` role, run the `SHOW` statement as a member of the `max` role that has connected to the cluster, with the database `movr` specified in the connection string.

```shell theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
cockroach sql --url 'postgresql://max@localhost:26257/movr?sslmode=disable'
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
max@:26257/movr> SHOW statement_timeout;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
  statement_timeout
---------------------
  10000
(1 row)
```

For a list of the session variables that have been updated from default values, see <InternalLink path="show-default-session-variables-for-role">`SHOW DEFAULT SESSION VARIABLES FOR ROLE`</InternalLink>.

### Set default session variable values for a specific database

In the following example, the `root` user creates a database named `movr`, and sets the default value of the `timezone` <InternalLink path="set-vars#supported-variables">session variable</InternalLink> for all roles in that database.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> CREATE DATABASE movr;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> ALTER ROLE ALL IN DATABASE movr SET timezone = 'America/New_York';
```

<Note>
  This statement is identical to <InternalLink path="alter-database">`ALTER DATABASE movr SET timezone = 'America/New_York';`</InternalLink>.
</Note>

This statement does not affect the default `timezone` value for any database other than `movr`:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/defaultdb> SHOW timezone;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
  timezone
------------
  UTC
(1 row)
```

To see the default `timezone` value for the `max` role, run the `SHOW` statement as a member of the `max` role:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
root@:26257/movr> SHOW timezone;
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
      timezone
--------------------
  America/New_York
(1 row)
```

For a list of the session variables that have been updated from default values, see <InternalLink path="show-default-session-variables-for-role">`SHOW DEFAULT SESSION VARIABLES FOR ROLE`</InternalLink>.

### Set default session variable values for all users

To set a default value for all users for any <InternalLink path="set-vars">session variable</InternalLink> that applies during login, issue a statement like the following:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
ALTER ROLE ALL SET sql.spatial.experimental_box2d_comparison_operators.enabled = "on";
```

```text theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
ALTER ROLE
```

The `root` user is exempt from session variable settings changes. This is a failsafe; if you make a mistake with a session variable setting, you can still log in as `root` and be unaffected.

<Note>
  Use <InternalLink path="alter-role#set-default-session-variable-values-for-all-users">`ALTER ROLE ALL SET {sessionvar} = {val}`</InternalLink> instead of the `sql.defaults.*` <InternalLink path="cluster-settings">cluster settings</InternalLink>. This allows you to set a default value for all users for any <InternalLink path="set-vars">session variable</InternalLink> that applies during login, making the `sql.defaults.*` cluster settings redundant.
</Note>

For a list of the session variables that have been updated from default values, see <InternalLink path="show-default-session-variables-for-role">`SHOW DEFAULT SESSION VARIABLES FOR ROLE`</InternalLink>.

### Set the `SUBJECT` role option for certificate based authentication

You can associate an [X.509](https://en.wikipedia.org/wiki/X.509) certificate's Subject with a <InternalLink path="security-reference/authorization#roles">role</InternalLink> as shown below. Note that the Subject fields in the certificate have to be an exact match with what you pass in via the SQL statement. By exact match, we mean that the order of attributes passed in via the SQL statement must match the order of attributes in the certificate.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
ALTER ROLE maxroach WITH SUBJECT 'CN=myName2,OU=myOrgUnit2,O=myOrg2,L=myLocality2,ST=myState2,C=myCountry2' LOGIN;
```

If you manage your own Certificate Authority (CA) infrastructure, CockroachDB supports mapping between the Subject field of your [X.509 certificates](https://en.wikipedia.org/wiki/X.509) and SQL <InternalLink path="security-reference/authorization#roles">roles</InternalLink>. For more information, see <InternalLink path="certificate-based-authentication-using-the-x509-subject-field">Certificate-based authentication using multiple values from the X.509 Subject field</InternalLink>.

## See also

* <InternalLink path="drop-role">`DROP ROLE`</InternalLink>
* <InternalLink path="show-roles">`SHOW ROLES`</InternalLink>
* <InternalLink path="grant">`GRANT`</InternalLink>
* <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink>
* <InternalLink path="cockroach-cert">`cockroach cert`</InternalLink>
* <InternalLink path="sql-statements">SQL Statements</InternalLink>
* <InternalLink path="security-reference/authorization#authorization-best-practices">Authorization Best Practices</InternalLink>
* <InternalLink path="show-default-session-variables-for-role">`SHOW DEFAULT SESSION VARIABLES FOR ROLE`</InternalLink>
