Use these SQL commands to grant or revoke roles from Cirro user accounts. You can also create roles for Active Directory user accounts.

Before You Start

Cirro Roles

Cirro has several built-in roles which enable permissions to cirro objects and target systems.

Role Description
Public All users belong to the Public Role which enables login. No permission to cirro objects and target systems. Default privileges associated with PUBLIC role are CONNECT, SET DESCRIBE and SELECT (on metadata tables). These can be changed by a system administrator, but it is not recommended. The PUBLIC role cannot be dropped.
secure_connect Execute only Passthrough SQL
federated_read_only Execute Federated Queries
federated_read_write Execute Federated Queries, DDL, and DML
data_migrator Manage and Execute Data Projects
cirro_admin Administrator

Connect to Cirro

  • Connect to Cirro with a sql client.

Create Roles

CREATE ROLE Cirro_rolename


  • Cirro_rolename: The name for the new role. Optionally, enclose in single quotes. Cirro_rolename is a case-sensitive VARCHAR(128).

  • WITH EXTERNAL ‘CN=Active_directory_group,CN=Users,DC=home,DC=network’: These keywords associate Cirro_rolename to an pre-existing Active Directory group. CN and DC values are specific to your Active Directory installation.

For example;

Cirro Role

CREATE ROLE 'myRole1';

Active Directory Role

CREATE ROLE 'engineering' WITH EXTERNAL 'CN=Engineering,CN=Users,DC=engineering,DC=myCompany,DC=com;

Grant Roles

GRANT Cirro_rolename TO user/other_rolename;


  • Cirro_role: the existing role

  • user: the user who is being granted Cirro_role (not applicable for LDAP/Active Directory)

  • other_rolename: an existing role being granted Cirro_role

For example;

GRANT myRole1 TO myUser1;
GRANT AccountingTeam TO HRUsers;

Revoke Roles

REVOKE roleName FROM userOrRoleName


  • roleName: the existing Cirro role that will be removed from userOrRoleName.

  • userOrRoleName: the existing Cirro user or role who is a member of roleName.

For example;

REVOKE myRole1 FROM myUser1;
REVOKE AccountingTeam FROM HRUsers;

See Also