summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/man7/CREATE_ROLE.7
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/man7/CREATE_ROLE.7')
-rw-r--r--doc/src/sgml/man7/CREATE_ROLE.7429
1 files changed, 429 insertions, 0 deletions
diff --git a/doc/src/sgml/man7/CREATE_ROLE.7 b/doc/src/sgml/man7/CREATE_ROLE.7
new file mode 100644
index 0000000..7677c2d
--- /dev/null
+++ b/doc/src/sgml/man7/CREATE_ROLE.7
@@ -0,0 +1,429 @@
+'\" t
+.\" Title: CREATE ROLE
+.\" Author: The PostgreSQL Global Development Group
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 2021
+.\" Manual: PostgreSQL 13.4 Documentation
+.\" Source: PostgreSQL 13.4
+.\" Language: English
+.\"
+.TH "CREATE ROLE" "7" "2021" "PostgreSQL 13.4" "PostgreSQL 13.4 Documentation"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+CREATE_ROLE \- define a new database role
+.SH "SYNOPSIS"
+.sp
+.nf
+CREATE ROLE \fIname\fR [ [ WITH ] \fIoption\fR [ \&.\&.\&. ] ]
+
+where \fIoption\fR can be:
+
+ SUPERUSER | NOSUPERUSER
+ | CREATEDB | NOCREATEDB
+ | CREATEROLE | NOCREATEROLE
+ | INHERIT | NOINHERIT
+ | LOGIN | NOLOGIN
+ | REPLICATION | NOREPLICATION
+ | BYPASSRLS | NOBYPASSRLS
+ | CONNECTION LIMIT \fIconnlimit\fR
+ | [ ENCRYPTED ] PASSWORD \*(Aq\fIpassword\fR\*(Aq | PASSWORD NULL
+ | VALID UNTIL \*(Aq\fItimestamp\fR\*(Aq
+ | IN ROLE \fIrole_name\fR [, \&.\&.\&.]
+ | IN GROUP \fIrole_name\fR [, \&.\&.\&.]
+ | ROLE \fIrole_name\fR [, \&.\&.\&.]
+ | ADMIN \fIrole_name\fR [, \&.\&.\&.]
+ | USER \fIrole_name\fR [, \&.\&.\&.]
+ | SYSID \fIuid\fR
+.fi
+.SH "DESCRIPTION"
+.PP
+\fBCREATE ROLE\fR
+adds a new role to a
+PostgreSQL
+database cluster\&. A role is an entity that can own database objects and have database privileges; a role can be considered a
+\(lquser\(rq, a
+\(lqgroup\(rq, or both depending on how it is used\&. Refer to
+Chapter\ \&21
+and
+Chapter\ \&20
+for information about managing users and authentication\&. You must have
+CREATEROLE
+privilege or be a database superuser to use this command\&.
+.PP
+Note that roles are defined at the database cluster level, and so are valid in all databases in the cluster\&.
+.SH "PARAMETERS"
+.PP
+\fIname\fR
+.RS 4
+The name of the new role\&.
+.RE
+.PP
+SUPERUSER
+.br
+NOSUPERUSER
+.RS 4
+These clauses determine whether the new role is a
+\(lqsuperuser\(rq, who can override all access restrictions within the database\&. Superuser status is dangerous and should be used only when really needed\&. You must yourself be a superuser to create a new superuser\&. If not specified,
+NOSUPERUSER
+is the default\&.
+.RE
+.PP
+CREATEDB
+.br
+NOCREATEDB
+.RS 4
+These clauses define a role\*(Aqs ability to create databases\&. If
+CREATEDB
+is specified, the role being defined will be allowed to create new databases\&. Specifying
+NOCREATEDB
+will deny a role the ability to create databases\&. If not specified,
+NOCREATEDB
+is the default\&.
+.RE
+.PP
+CREATEROLE
+.br
+NOCREATEROLE
+.RS 4
+These clauses determine whether a role will be permitted to create new roles (that is, execute
+\fBCREATE ROLE\fR)\&. A role with
+CREATEROLE
+privilege can also alter and drop other roles\&. If not specified,
+NOCREATEROLE
+is the default\&.
+.RE
+.PP
+INHERIT
+.br
+NOINHERIT
+.RS 4
+These clauses determine whether a role
+\(lqinherits\(rq
+the privileges of roles it is a member of\&. A role with the
+INHERIT
+attribute can automatically use whatever database privileges have been granted to all roles it is directly or indirectly a member of\&. Without
+INHERIT, membership in another role only grants the ability to
+\fBSET ROLE\fR
+to that other role; the privileges of the other role are only available after having done so\&. If not specified,
+INHERIT
+is the default\&.
+.RE
+.PP
+LOGIN
+.br
+NOLOGIN
+.RS 4
+These clauses determine whether a role is allowed to log in; that is, whether the role can be given as the initial session authorization name during client connection\&. A role having the
+LOGIN
+attribute can be thought of as a user\&. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word\&. If not specified,
+NOLOGIN
+is the default, except when
+\fBCREATE ROLE\fR
+is invoked through its alternative spelling
+CREATE USER (\fBCREATE_USER\fR(7))\&.
+.RE
+.PP
+REPLICATION
+.br
+NOREPLICATION
+.RS 4
+These clauses determine whether a role is a replication role\&. A role must have this attribute (or be a superuser) in order to be able to connect to the server in replication mode (physical or logical replication) and in order to be able to create or drop replication slots\&. A role having the
+REPLICATION
+attribute is a very highly privileged role, and should only be used on roles actually used for replication\&. If not specified,
+NOREPLICATION
+is the default\&. You must be a superuser to create a new role having the
+REPLICATION
+attribute\&.
+.RE
+.PP
+BYPASSRLS
+.br
+NOBYPASSRLS
+.RS 4
+These clauses determine whether a role bypasses every row\-level security (RLS) policy\&.
+NOBYPASSRLS
+is the default\&. You must be a superuser to create a new role having the
+BYPASSRLS
+attribute\&.
+.sp
+Note that pg_dump will set
+row_security
+to
+OFF
+by default, to ensure all contents of a table are dumped out\&. If the user running pg_dump does not have appropriate permissions, an error will be returned\&. However, superusers and the owner of the table being dumped always bypass RLS\&.
+.RE
+.PP
+CONNECTION LIMIT \fIconnlimit\fR
+.RS 4
+If role can log in, this specifies how many concurrent connections the role can make\&. \-1 (the default) means no limit\&. Note that only normal connections are counted towards this limit\&. Neither prepared transactions nor background worker connections are counted towards this limit\&.
+.RE
+.PP
+[ ENCRYPTED ] PASSWORD \*(Aq\fIpassword\fR\*(Aq
+.br
+PASSWORD NULL
+.RS 4
+Sets the role\*(Aqs password\&. (A password is only of use for roles having the
+LOGIN
+attribute, but you can nonetheless define one for roles without it\&.) If you do not plan to use password authentication you can omit this option\&. If no password is specified, the password will be set to null and password authentication will always fail for that user\&. A null password can optionally be written explicitly as
+PASSWORD NULL\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+Specifying an empty string will also set the password to null, but that was not the case before
+PostgreSQL
+version 10\&. In earlier versions, an empty string could be used, or not, depending on the authentication method and the exact version, and libpq would refuse to use it in any case\&. To avoid the ambiguity, specifying an empty string should be avoided\&.
+.sp .5v
+.RE
+The password is always stored encrypted in the system catalogs\&. The
+ENCRYPTED
+keyword has no effect, but is accepted for backwards compatibility\&. The method of encryption is determined by the configuration parameter
+password_encryption\&. If the presented password string is already in MD5\-encrypted or SCRAM\-encrypted format, then it is stored as\-is regardless of
+\fIpassword_encryption\fR
+(since the system cannot decrypt the specified encrypted password string, to encrypt it in a different format)\&. This allows reloading of encrypted passwords during dump/restore\&.
+.RE
+.PP
+VALID UNTIL \*(Aq\fItimestamp\fR\*(Aq
+.RS 4
+The
+VALID UNTIL
+clause sets a date and time after which the role\*(Aqs password is no longer valid\&. If this clause is omitted the password will be valid for all time\&.
+.RE
+.PP
+IN ROLE \fIrole_name\fR
+.RS 4
+The
+IN ROLE
+clause lists one or more existing roles to which the new role will be immediately added as a new member\&. (Note that there is no option to add the new role as an administrator; use a separate
+\fBGRANT\fR
+command to do that\&.)
+.RE
+.PP
+IN GROUP \fIrole_name\fR
+.RS 4
+IN GROUP
+is an obsolete spelling of
+IN ROLE\&.
+.RE
+.PP
+ROLE \fIrole_name\fR
+.RS 4
+The
+ROLE
+clause lists one or more existing roles which are automatically added as members of the new role\&. (This in effect makes the new role a
+\(lqgroup\(rq\&.)
+.RE
+.PP
+ADMIN \fIrole_name\fR
+.RS 4
+The
+ADMIN
+clause is like
+ROLE, but the named roles are added to the new role
+WITH ADMIN OPTION, giving them the right to grant membership in this role to others\&.
+.RE
+.PP
+USER \fIrole_name\fR
+.RS 4
+The
+USER
+clause is an obsolete spelling of the
+ROLE
+clause\&.
+.RE
+.PP
+SYSID \fIuid\fR
+.RS 4
+The
+SYSID
+clause is ignored, but is accepted for backwards compatibility\&.
+.RE
+.SH "NOTES"
+.PP
+Use
+ALTER ROLE (\fBALTER_ROLE\fR(7))
+to change the attributes of a role, and
+DROP ROLE (\fBDROP_ROLE\fR(7))
+to remove a role\&. All the attributes specified by
+\fBCREATE ROLE\fR
+can be modified by later
+\fBALTER ROLE\fR
+commands\&.
+.PP
+The preferred way to add and remove members of roles that are being used as groups is to use
+\fBGRANT\fR(7)
+and
+\fBREVOKE\fR(7)\&.
+.PP
+The
+VALID UNTIL
+clause defines an expiration time for a password only, not for the role
+per se\&. In particular, the expiration time is not enforced when logging in using a non\-password\-based authentication method\&.
+.PP
+The
+INHERIT
+attribute governs inheritance of grantable privileges (that is, access privileges for database objects and role memberships)\&. It does not apply to the special role attributes set by
+\fBCREATE ROLE\fR
+and
+\fBALTER ROLE\fR\&. For example, being a member of a role with
+CREATEDB
+privilege does not immediately grant the ability to create databases, even if
+INHERIT
+is set; it would be necessary to become that role via
+SET ROLE (\fBSET_ROLE\fR(7))
+before creating a database\&.
+.PP
+The
+INHERIT
+attribute is the default for reasons of backwards compatibility: in prior releases of
+PostgreSQL, users always had access to all privileges of groups they were members of\&. However,
+NOINHERIT
+provides a closer match to the semantics specified in the SQL standard\&.
+.PP
+Be careful with the
+CREATEROLE
+privilege\&. There is no concept of inheritance for the privileges of a
+CREATEROLE\-role\&. That means that even if a role does not have a certain privilege but is allowed to create other roles, it can easily create another role with different privileges than its own (except for creating roles with superuser privileges)\&. For example, if the role
+\(lquser\(rq
+has the
+CREATEROLE
+privilege but not the
+CREATEDB
+privilege, nonetheless it can create a new role with the
+CREATEDB
+privilege\&. Therefore, regard roles that have the
+CREATEROLE
+privilege as almost\-superuser\-roles\&.
+.PP
+PostgreSQL
+includes a program
+\fBcreateuser\fR(1)
+that has the same functionality as
+\fBCREATE ROLE\fR
+(in fact, it calls this command) but can be run from the command shell\&.
+.PP
+The
+CONNECTION LIMIT
+option is only enforced approximately; if two new sessions start at about the same time when just one connection
+\(lqslot\(rq
+remains for the role, it is possible that both will fail\&. Also, the limit is never enforced for superusers\&.
+.PP
+Caution must be exercised when specifying an unencrypted password with this command\&. The password will be transmitted to the server in cleartext, and it might also be logged in the client\*(Aqs command history or the server log\&. The command
+\fBcreateuser\fR(1), however, transmits the password encrypted\&. Also,
+\fBpsql\fR(1)
+contains a command
+\fB\epassword\fR
+that can be used to safely change the password later\&.
+.SH "EXAMPLES"
+.PP
+Create a role that can log in, but don\*(Aqt give it a password:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+CREATE ROLE jonathan LOGIN;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Create a role with a password:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+CREATE USER davide WITH PASSWORD \*(Aqjw8s0F4\*(Aq;
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+(\fBCREATE USER\fR
+is the same as
+\fBCREATE ROLE\fR
+except that it implies
+LOGIN\&.)
+.PP
+Create a role with a password that is valid until the end of 2004\&. After one second has ticked in 2005, the password is no longer valid\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+CREATE ROLE miriam WITH LOGIN PASSWORD \*(Aqjw8s0F4\*(Aq VALID UNTIL \*(Aq2005\-01\-01\*(Aq;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Create a role that can create databases and manage roles:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+CREATE ROLE admin WITH CREATEDB CREATEROLE;
+.fi
+.if n \{\
+.RE
+.\}
+.SH "COMPATIBILITY"
+.PP
+The
+\fBCREATE ROLE\fR
+statement is in the SQL standard, but the standard only requires the syntax
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+CREATE ROLE \fIname\fR [ WITH ADMIN \fIrole_name\fR ]
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Multiple initial administrators, and all the other options of
+\fBCREATE ROLE\fR, are
+PostgreSQL
+extensions\&.
+.PP
+The SQL standard defines the concepts of users and roles, but it regards them as distinct concepts and leaves all commands defining users to be specified by each database implementation\&. In
+PostgreSQL
+we have chosen to unify users and roles into a single kind of entity\&. Roles therefore have many more optional attributes than they do in the standard\&.
+.PP
+The behavior specified by the SQL standard is most closely approximated by giving users the
+NOINHERIT
+attribute, while roles are given the
+INHERIT
+attribute\&.
+.SH "SEE ALSO"
+SET ROLE (\fBSET_ROLE\fR(7)), ALTER ROLE (\fBALTER_ROLE\fR(7)), DROP ROLE (\fBDROP_ROLE\fR(7)), \fBGRANT\fR(7), \fBREVOKE\fR(7), \fBcreateuser\fR(1)