# System Users, Roles, Privileges

{% hint style="warning" %}
The `PUBLIC` role is created implicitly by `GRANT` statements and its creation is not logged, distinguishing it from standard system principals.
{% endhint %}

MariaDB automatically creates several users and roles for administrative and internal server functions.

## System Users

These user accounts are created by the `mariadb-install-db` script during the initial server setup.

### `root@localhost`

| **Creation**   | Created automatically by `mariadb-install-db`.                                                                                                                                                                                                  |
| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Purpose**    | Serves as the primary administrative account for initial server setup and management.                                                                                                                                                           |
| **Management** | It is highly recommended to secure this account immediately after installation. *Standard security practices include setting a strong password, renaming the account, or removing it entirely in favor of other named administrative accounts.* |

### `mariadb-sys@localhost`

| **Creation**   | Created automatically by `mariadb-install-db`.                                                                        |
| -------------- | --------------------------------------------------------------------------------------------------------------------- |
| **Purpose**    | A mandatory system user required for internal server operations, such as executing scheduled events.                  |
| **Management** | This user account is essential for server functionality and is protected; *it cannot be dropped.* |

## System Roles

These roles are built into the server and have special behaviors.

### The `PUBLIC` Role

The `PUBLIC` role is a special, built-in concept that represents every user on the server.

#### **Creation**

The `PUBLIC` role is created implicitly by the server the first time a `GRANT ... TO PUBLIC` statement is executed. It is not created with `CREATE ROLE`.

#### **Purpose**

It provides a convenient way to grant privileges server-wide without having to grant them to each user individually. Privileges granted to `PUBLIC` are inherited by all existing and future users.

#### **Management & Security**

* Because the `PUBLIC` role is created implicitly, its creation is **not written to the audit log or binary log** as a standard DDL event. This is a critical detail for security auditing.
* The `PUBLIC` role cannot be explicitly dropped with `DROP ROLE`.
* To audit the privileges that apply to all users, you must check the grants for `PUBLIC` directly.

#### **Syntax Examples**

```sql
-- Grant a privilege to all users
GRANT SELECT ON my_app.reports TO PUBLIC;

-- View privileges granted to PUBLIC
SHOW GRANTS FOR PUBLIC;

-- Revoke a privilege from all users
REVOKE SELECT ON my_app.reports FROM PUBLIC;
```
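
Because the implicit creation of `PUBLIC` leaves no audit-log or binary-log entry, one way to catch drift is to compare the rows returned by `SHOW GRANTS FOR PUBLIC` with an approved baseline. The script below is an added example, not part of the MariaDB documentation; the sample rows, the baseline, the function names and the assumed `GRANT ... ON ... TO PUBLIC` row layout are constructed for illustration.

```python
import re

# One row of SHOW GRANTS FOR PUBLIC output (assumed layout), e.g.
#   GRANT SELECT ON `my_app`.`reports` TO `PUBLIC`
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>.+?)\s+TO\s+`?PUBLIC`?\s*;?$",
    re.IGNORECASE,
)

def split_privileges(text):
    """Split on top-level commas so 'SELECT (a, b), INSERT' yields two items."""
    parts = re.split(r",(?![^(]*\))", text)
    return [" ".join(p.replace("`", "").split()).upper() for p in parts if p.strip()]

def parse_public_grants(rows):
    """Return (grants, unparsed); grants is a set of (privilege, object)."""
    grants, unparsed = set(), []
    for row in rows:
        m = GRANT_RE.match(row.strip())
        if not m:
            unparsed.append(row)  # surface it; never silently skip a row
            continue
        obj = m.group("obj").replace("`", "")
        for priv in split_privileges(m.group("privs")):
            grants.add((priv, obj))
    return grants, unparsed

def audit_public(rows, approved):
    """Compare the live PUBLIC grants with the approved baseline."""
    grants, unparsed = parse_public_grants(rows)
    return {
        "unexpected": sorted(grants - approved),  # granted but never approved
        "missing": sorted(approved - grants),     # approved but no longer granted
        "unparsed": unparsed,                     # rows needing manual review
    }

# Constructed sample output and baseline (not taken from a real server).
SAMPLE_ROWS = [
    "GRANT SELECT ON `my_app`.`reports` TO `PUBLIC`",
    "GRANT SELECT (`id`, `title`), INSERT ON `my_app`.`notes` TO `PUBLIC`",
    "GRANT ALL PRIVILEGES ON `dev_db`.* TO `PUBLIC`",
]
APPROVED = {("SELECT", "my_app.reports")}

if __name__ == "__main__":
    for kind, items in audit_public(SAMPLE_ROWS, APPROVED).items():
        print(kind, items)
```

Run it on a schedule against the live output and alert on any non-empty `unexpected` or `unparsed` list, since every entry there applies to all existing and future users.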
