# 创建角色
mysql> CREATE ROLE ‘app_developer’, ‘app_reader’, ‘db_admin’;
Query OK, 0 rows affected (0.01 sec)

# 删除角色
mysql> DROP ROLE ‘app_reader’;
Query OK, 0 rows affected (0.01 sec)

# 创建基本角色
mysql> CREATE ROLE ‘web_app_user’, ‘web_app_admin’, ‘report_viewer’, ‘dba_role’;
Query OK, 0 rows affected (0.01 sec)

# 查看创建的角色
mysql> SELECT user, host, account_locked FROM mysql.user WHERE user LIKE ‘%role%’ OR user LIKE ‘%viewer%’ OR user LIKE ‘%admin%’;
+—————+——+—————-+
| user | host | account_locked |
+—————+——+—————-+
| dba_role | % | Y |
| report_viewer | % | Y |
| web_app_admin | % | Y |
| web_app_user | % | Y |
+—————+——+—————-+
4 rows in set (0.00 sec)

# 为web_app_user角色授予基本权限
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON webshop.* TO ‘web_app_user’;
Query OK, 0 rows affected (0.01 sec)

# 为web_app_admin角色授予管理权限
mysql> GRANT ALL PRIVILEGES ON webshop.* TO ‘web_app_admin’;
Query OK, 0 rows affected (0.01 sec)

# 为report_viewer角色授予只读权限
mysql> GRANT SELECT ON webshop.orders TO ‘report_viewer’;
mysql> GRANT SELECT ON webshop.customers TO ‘report_viewer’;
mysql> GRANT SELECT ON webshop.products TO ‘report_viewer’;
Query OK, 0 rows affected (0.01 sec)

# 为dba_role角色授予DBA权限
mysql> GRANT ALL PRIVILEGES ON *.* TO ‘dba_role’ WITH GRANT OPTION;
Query OK, 0 rows affected (0.01 sec)

# 刷新权限
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

# 创建用户
mysql> CREATE USER ‘dev_john’@’%’ IDENTIFIED WITH caching_sha2_password BY ‘John@2026’;
mysql> CREATE USER ‘dev_mary’@’%’ IDENTIFIED WITH caching_sha2_password BY ‘Mary@2026’;
mysql> CREATE USER ‘analyst_tom’@’%’ IDENTIFIED WITH caching_sha2_password BY ‘Tom@2026’;
mysql> CREATE USER ‘dba_smith’@’192.168.1.100’ IDENTIFIED WITH caching_sha2_password BY ‘Smith@2026’;
Query OK, 0 rows affected (0.01 sec)

# 将角色授予用户
mysql> GRANT ‘web_app_user’ TO ‘dev_john’@’%’, ‘dev_mary’@’%’;
mysql> GRANT ‘report_viewer’ TO ‘analyst_tom’@’%’;
mysql> GRANT ‘dba_role’ TO ‘dba_smith’@’192.168.1.100’;
Query OK, 0 rows affected (0.01 sec)

# 为用户设置默认角色
mysql> SET DEFAULT ROLE ‘web_app_user’ TO ‘dev_john’@’%’, ‘dev_mary’@’%’;
mysql> SET DEFAULT ROLE ‘report_viewer’ TO ‘analyst_tom’@’%’;
mysql> SET DEFAULT ROLE ‘dba_role’ TO ‘dba_smith’@’192.168.1.100’;
Query OK, 0 rows affected (0.01 sec)

# 查看用户的默认角色
mysql> SELECT user, host, default_role FROM mysql.default_roles;
+————+—————+—————+
| user | host | default_role |
+————+—————+—————+
| analyst_tom| % | `report_viewer`@`%` |
| dba_smith | 192.168.1.100 | `dba_role`@`%` |
| dev_john | % | `web_app_user`@`%` |
| dev_mary | % | `web_app_user`@`%` |
+————+—————+—————+
4 rows in set (0.00 sec)

# 以dev_john用户登录
$ mysql -udev_john -p’John@2026′ -h192.168.1.10

# 查看当前激活的角色
mysql> SELECT CURRENT_ROLE();
+——————+
| CURRENT_ROLE() |
+——————+
| `web_app_user`@`%` |
+——————+
1 row in set (0.00 sec)

# 查看用户拥有的所有角色
mysql> SELECT GRANTEE, ROLE_NAME FROM mysql.role_edges WHERE GRANTEE = ‘dev_john’@’%’;
+—————-+—————+
| GRANTEE | ROLE_NAME |
+—————-+—————+
| dev_john@% | web_app_user@% |
+—————-+—————+
1 row in set (0.00 sec)

# 激活所有角色
mysql> SET ROLE ALL;
Query OK, 0 rows affected (0.00 sec)

# 停用所有角色
mysql> SET ROLE NONE;
Query OK, 0 rows affected (0.00 sec)

# 激活特定角色
mysql> SET ROLE ‘web_app_user’;
Query OK, 0 rows affected (0.00 sec)

# 创建基础角色
mysql> CREATE ROLE ‘basic_user’;
mysql> GRANT SELECT ON *.* TO ‘basic_user’;

# 创建高级角色，包含基础角色
mysql> CREATE ROLE ‘advanced_user’;
mysql> GRANT ‘basic_user’, INSERT, UPDATE ON *.* TO ‘advanced_user’;

# 将高级角色授予用户
mysql> CREATE USER ‘test_user’@’%’ IDENTIFIED BY ‘Test@2026’;
mysql> GRANT ‘advanced_user’ TO ‘test_user’@’%’;
mysql> SET DEFAULT ROLE ‘advanced_user’ TO ‘test_user’@’%’;
Query OK, 0 rows affected (0.01 sec)

# 测试用户权限
$ mysql -utest_user -p’Test@2026′ -h192.168.1.10

mysql> SELECT CURRENT_ROLE();
+——————-+
| CURRENT_ROLE() |
+——————-+
| `advanced_user`@`%` |
+——————-+
1 row in set (0.00 sec)

mysql> SELECT COUNT(*) FROM mysql.user;
+———-+
| COUNT(*) |
+———-+
| 8 |
+———-+
1 row in set (0.00 sec)

mysql> INSERT INTO webshop.test_table (name) VALUES (‘test’);
Query OK, 1 row affected (0.01 sec)

# 修改角色权限
mysql> REVOKE DELETE ON webshop.* FROM ‘web_app_user’;
mysql> GRANT CREATE TEMPORARY TABLES ON webshop.* TO ‘web_app_user’;
Query OK, 0 rows affected (0.01 sec)

# 验证权限变更
$ mysql -udev_john -p’John@2026′ -h192.168.1.10 -Dwebshop

mysql> SHOW GRANTS FOR CURRENT_USER();
+——————————————————————————————————————+
| Grants for dev_john@% |
+——————————————————————————————————————+
| GRANT USAGE ON *.* TO `dev_john`@`%` |
| GRANT `web_app_user`@`%` TO `dev_john`@`%` |
| GRANT SELECT, INSERT, UPDATE, CREATE TEMPORARY TABLES ON `webshop`.* TO `dev_john`@`%` |
+——————————————————————————————————————+
3 rows in set (0.00 sec)

mysql> DELETE FROM customers WHERE customer_id = 1;
ERROR 1143 (42000): DELETE command denied to user ‘dev_john’@’192.168.1.50’ for table ‘customers’

# 从用户撤销角色
mysql> REVOKE ‘web_app_user’ FROM ‘dev_mary’@’%’;
Query OK, 0 rows affected (0.01 sec)

# 验证角色已撤销
mysql> SELECT GRANTEE, ROLE_NAME FROM mysql.role_edges WHERE GRANTEE = ‘dev_mary’@’%’;
Empty set (0.00 sec)

# 1. 创建角色
mysql> CREATE ROLE ‘webshop_customer’, ‘webshop_seller’, ‘webshop_admin’, ‘webshop_superadmin’;

# 2. 为角色授予权限
mysql> GRANT SELECT ON webshop.products, webshop.categories TO ‘webshop_customer’;
mysql> GRANT INSERT, UPDATE ON webshop.orders, webshop.order_items TO ‘webshop_customer’;

mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON webshop.products, webshop.inventory TO ‘webshop_seller’;
mysql> GRANT SELECT ON webshop.orders TO ‘webshop_seller’;

mysql> GRANT ALL PRIVILEGES ON webshop.* TO ‘webshop_admin’;
mysql> GRANT CREATE, DROP, ALTER ON webshop.* TO ‘webshop_admin’;

mysql> GRANT ALL PRIVILEGES ON *.* TO ‘webshop_superadmin’ WITH GRANT OPTION;

# 3. 创建用户并分配角色
mysql> CREATE USER ‘customer_123’@’%’ IDENTIFIED BY ‘Customer@123’;
mysql> GRANT ‘webshop_customer’ TO ‘customer_123’@’%’;
mysql> SET DEFAULT ROLE ‘webshop_customer’ TO ‘customer_123’@’%’;

mysql> CREATE USER ‘seller_456’@’%’ IDENTIFIED BY ‘Seller@456’;
mysql> GRANT ‘webshop_seller’ TO ‘seller_456’@’%’;
mysql> SET DEFAULT ROLE ‘webshop_seller’ TO ‘seller_456’@’%’;

mysql> CREATE USER ‘admin_789’@’%’ IDENTIFIED BY ‘Admin@789’;
mysql> GRANT ‘webshop_admin’ TO ‘admin_789’@’%’;
mysql> SET DEFAULT ROLE ‘webshop_admin’ TO ‘admin_789’@’%’;

mysql> CREATE USER ‘superadmin_001’@’192.168.1.100’ IDENTIFIED BY ‘SuperAdmin@001’;
mysql> GRANT ‘webshop_superadmin’ TO ‘superadmin_001’@’192.168.1.100’;
mysql> SET DEFAULT ROLE ‘webshop_superadmin’ TO ‘superadmin_001’@’192.168.1.100’;

# 1. 创建基础角色
mysql> CREATE ROLE ’employee’, ‘manager’, ‘director’, ‘executive’;

# 2. 为基础角色授予权限
mysql> GRANT SELECT ON company.announcements, company.holidays TO ’employee’;
mysql> GRANT INSERT, UPDATE ON company.timesheets TO ’employee’;

mysql> GRANT ’employee’, SELECT ON company.team_performance TO ‘manager’;
mysql> GRANT INSERT, UPDATE ON company.employee_reviews TO ‘manager’;

mysql> GRANT ‘manager’, SELECT ON company.department_performance TO ‘director’;
mysql> GRANT INSERT, UPDATE ON company.budgets TO ‘director’;

mysql> GRANT ‘director’, ALL PRIVILEGES ON company.* TO ‘executive’ WITH GRANT OPTION;

# 3. 创建部门特定角色
mysql> CREATE ROLE ‘hr_employee’, ‘hr_manager’, ‘it_employee’, ‘it_manager’;

# 4. 为部门角色授予权限
mysql> GRANT ’employee’, SELECT, INSERT, UPDATE ON company.employees TO ‘hr_employee’;
mysql> GRANT ‘manager’, SELECT, INSERT, UPDATE, DELETE ON company.employees TO ‘hr_manager’;

mysql> GRANT ’employee’, SELECT, INSERT, UPDATE ON company.it_assets TO ‘it_employee’;
mysql> GRANT ‘manager’, SELECT, INSERT, UPDATE, DELETE ON company.it_assets TO ‘it_manager’;

# 5. 创建用户并分配角色
mysql> CREATE USER ‘john_doe’@’%’ IDENTIFIED BY ‘John@Doe’;
mysql> GRANT ‘hr_employee’ TO ‘john_doe’@’%’;
mysql> SET DEFAULT ROLE ‘hr_employee’ TO ‘john_doe’@’%’;

mysql> CREATE USER ‘jane_smith’@’%’ IDENTIFIED BY ‘Jane@Smith’;
mysql> GRANT ‘hr_manager’ TO ‘jane_smith’@’%’;
mysql> SET DEFAULT ROLE ‘hr_manager’ TO ‘jane_smith’@’%’;