14-day MaxScale Trial: Explore the latest version of our advanced database proxy!
Start Trial
Download MariaDBContact Us

System` Users, Roles, and Privileges

Important: The PUBLIC role is created implicitly by GRANT statements and its creation is not logged, distinguishing it from standard system principals.

MariaDB automatically creates several users and roles for administrative and internal server functions.

System Users

These user accounts are created by the mariadb-install-db script during the initial server setup.

root@localhost

Creation

Created automatically by mariadb-install-db.

Purpose

Serves as the primary administrative account for initial server setup and management.

Management

It is highly recommended to secure this account immediately after installation. Standard security practices include setting a strong password, renaming the account, or removing it entirely in favor of other named administrative accounts.

mariadb-sys@localhost

Creation

Created automatically by mariadb-install-db.

Purpose

A mandatory system user required for internal server operations, such as executing scheduled events.

Management

This user account is essential for server functionality and is protected;

it cannot be dropped.

System Roles

These roles are built into the server and have special behaviors.

The PUBLIC Role

The PUBLIC role is a special, built-in concept that represents every user on the server.

Creation

The PUBLIC role is created implicitly by the server the first time a GRANT ... TO PUBLIC statement is executed. It is not created with CREATE ROLE.

Purpose

It provides a convenient way to grant privileges server-wide without having to grant them to each user individually. Privileges granted to PUBLIC are inherited by all existing and future users.

Management & Security:

  • Because the PUBLIC role is created implicitly, its creation is not written to the audit log or binary log as a standard DDL event. This is a critical detail for security auditing.

  • The PUBLIC role cannot be explicitly dropped with DROP ROLE.

  • To audit the privileges that apply to all users, you must check the grants for PUBLIC directly.

Syntax Examples:

-- Grant a privilege to all users
GRANT SELECT ON my_app.reports TO PUBLIC;

-- View privileges granted to PUBLIC
SHOW GRANTS FOR PUBLIC;

-- Revoke a privilege from all users
REVOKE SELECT ON my_app.reports FROM PUBLIC;
PreviousRoles OverviewNextAccount Locking

Last updated

Was this helpful?