| Server IP : 172.67.134.114 / Your IP : 104.23.197.123 Web Server : Apache/2.4.37 System : Linux almalinux.duckdns.org 4.18.0-553.111.1.el8_10.x86_64 #1 SMP Sun Mar 8 20:06:07 EDT 2026 x86_64 User : ricodeal ( 1046) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/share/doc/postgresql-docs/html/ |
Upload File : |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.2. Role Attributes</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="[email protected]" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="database-roles.html" title="21.1. Database Roles" /><link rel="next" href="role-membership.html" title="21.3. Role Membership" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.2. Role Attributes</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="database-roles.html" title="21.1. Database Roles">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><th width="60%" align="center">Chapter 21. Database Roles</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 10.23 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="role-membership.html" title="21.3. Role Membership">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="ROLE-ATTRIBUTES"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.2. Role Attributes</h2></div></div></div><p> A database role can have a number of attributes that define its
privileges and interact with the client authentication system.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">login privilege<a id="id-1.6.8.6.2.1.1.1.1" class="indexterm"></a></span></dt><dd><p> Only roles that have the <code class="literal">LOGIN</code> attribute can be used
as the initial role name for a database connection. A role with
the <code class="literal">LOGIN</code> attribute can be considered the same
as a <span class="quote">“<span class="quote">database user</span>”</span>. To create a role with login privilege,
use either:
</p><pre class="programlisting">CREATE ROLE <em class="replaceable"><code>name</code></em> LOGIN;
CREATE USER <em class="replaceable"><code>name</code></em>;</pre><p>
(<code class="command">CREATE USER</code> is equivalent to <code class="command">CREATE ROLE</code>
except that <code class="command">CREATE USER</code> assumes <code class="literal">LOGIN</code> by
default, while <code class="command">CREATE ROLE</code> does not.)
</p></dd><dt><span class="term">superuser status<a id="id-1.6.8.6.2.1.2.1.1" class="indexterm"></a></span></dt><dd><p> A database superuser bypasses all permission checks, except the right
to log in. This is a dangerous privilege and should not be used
carelessly; it is best to do most of your work as a role that is not a
superuser. To create a new database superuser, use <code class="literal">CREATE
ROLE <em class="replaceable"><code>name</code></em> SUPERUSER</code>. You must do
this as a role that is already a superuser.
</p></dd><dt><span class="term">database creation<a id="id-1.6.8.6.2.1.3.1.1" class="indexterm"></a></span></dt><dd><p> A role must be explicitly given permission to create databases
(except for superusers, since those bypass all permission
checks). To create such a role, use <code class="literal">CREATE ROLE
<em class="replaceable"><code>name</code></em> CREATEDB</code>.
</p></dd><dt><span class="term">role creation<a id="id-1.6.8.6.2.1.4.1.1" class="indexterm"></a></span></dt><dd><p> A role must be explicitly given permission to create more roles
(except for superusers, since those bypass all permission
checks). To create such a role, use <code class="literal">CREATE ROLE
<em class="replaceable"><code>name</code></em> CREATEROLE</code>.
A role with <code class="literal">CREATEROLE</code> privilege can alter and drop
other roles, too, as well as grant or revoke membership in them.
However, to create, alter, drop, or change membership of a
superuser role, superuser status is required;
<code class="literal">CREATEROLE</code> is insufficient for that.
</p></dd><dt><span class="term">initiating replication<a id="id-1.6.8.6.2.1.5.1.1" class="indexterm"></a></span></dt><dd><p> A role must explicitly be given permission to initiate streaming
replication (except for superusers, since those bypass all permission
checks). A role used for streaming replication must
have <code class="literal">LOGIN</code> permission as well. To create such a role, use
<code class="literal">CREATE ROLE <em class="replaceable"><code>name</code></em> REPLICATION
LOGIN</code>.
</p></dd><dt><span class="term">password<a id="id-1.6.8.6.2.1.6.1.1" class="indexterm"></a></span></dt><dd><p> A password is only significant if the client authentication
method requires the user to supply a password when connecting
to the database. The <code class="option">password</code> and
<code class="option">md5</code> authentication methods
make use of passwords. Database passwords are separate from
operating system passwords. Specify a password upon role
creation with <code class="literal">CREATE ROLE
<em class="replaceable"><code>name</code></em> PASSWORD '<em class="replaceable"><code>string</code></em>'</code>.
</p></dd><dt><span class="term">inheritance of privileges<a id="id-1.6.8.6.2.1.7.1.1" class="indexterm"></a></span></dt><dd><p> A role is given permission to inherit the privileges of roles it is a
member of, by default. However, to create a role without the permission,
use <code class="literal">CREATE ROLE <em class="replaceable"><code>name</code></em> NOINHERIT</code>.
</p></dd><dt><span class="term">bypassing row-level security<a id="id-1.6.8.6.2.1.8.1.1" class="indexterm"></a></span></dt><dd><p> A role must be explicitly given permission to bypass every row-level security (RLS) policy
(except for superusers, since those bypass all permission checks).
To create such a role, use <code class="literal">CREATE ROLE <em class="replaceable"><code>name</code></em> BYPASSRLS</code> as a superuser.
</p></dd><dt><span class="term">connection limit<a id="id-1.6.8.6.2.1.9.1.1" class="indexterm"></a></span></dt><dd><p> Connection limit can specify how many concurrent connections a role can make.
-1 (the default) means no limit. Specify connection limit upon role creation with
<code class="literal">CREATE ROLE <em class="replaceable"><code>name</code></em> CONNECTION LIMIT '<em class="replaceable"><code>integer</code></em>'</code>.
</p></dd></dl></div><p>
A role's attributes can be modified after creation with
<code class="command">ALTER ROLE</code>.<a id="id-1.6.8.6.2.3" class="indexterm"></a>
See the reference pages for the <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a>
and <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a> commands for details.
</p><div class="tip"><h3 class="title">Tip</h3><p> It is good practice to create a role that has the <code class="literal">CREATEDB</code>
and <code class="literal">CREATEROLE</code> privileges, but is not a superuser, and then
use this role for all routine management of databases and roles. This
approach avoids the dangers of operating as a superuser for tasks that
do not really require it.
</p></div><p> A role can also have role-specific defaults for many of the run-time
configuration settings described in <a class="xref" href="runtime-config.html" title="Chapter 19. Server Configuration">Chapter 19</a>. For example, if for some reason you
want to disable index scans (hint: not a good idea) anytime you
connect, you can use:
</p><pre class="programlisting">ALTER ROLE myname SET enable_indexscan TO off;</pre><p>
This will save the setting (but not set it immediately). In
subsequent connections by this role it will appear as though
<code class="literal">SET enable_indexscan TO off</code> had been executed
just before the session started.
You can still alter this setting during the session; it will only
be the default. To remove a role-specific default setting, use
<code class="literal">ALTER ROLE <em class="replaceable"><code>rolename</code></em> RESET <em class="replaceable"><code>varname</code></em></code>.
Note that role-specific defaults attached to roles without
<code class="literal">LOGIN</code> privilege are fairly useless, since they will never
be invoked.
</p></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="database-roles.html" title="21.1. Database Roles">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="role-membership.html" title="21.3. Role Membership">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.1. Database Roles </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 10.23 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.3. Role Membership</td></tr></table></div></body></html>