summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/database-roles.html
blob: d674817e656389a19a567ce3957fcb2e1e7d70d9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.1. Database Roles</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="user-manag.html" title="Chapter 21. Database Roles" /><link rel="next" href="role-attributes.html" title="21.2. Role Attributes" /></head><body id="docContent" class="container-fluid col-10"><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.1. Database Roles</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="user-manag.html" title="Chapter 21. Database Roles">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><th width="60%" align="center">Chapter 21. Database Roles</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 13.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="role-attributes.html" title="21.2. Role Attributes">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="DATABASE-ROLES"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.1. Database Roles</h2></div></div></div><a id="id-1.6.8.5.2" class="indexterm"></a><a id="id-1.6.8.5.3" class="indexterm"></a><a id="id-1.6.8.5.4" class="indexterm"></a><a id="id-1.6.8.5.5" class="indexterm"></a><p>
   Database roles are conceptually completely separate from
   operating system users. In practice it might be convenient to
   maintain a correspondence, but this is not required. Database roles
   are global across a database cluster installation (and not
   per individual database). To create a role use the <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> SQL command:
</p><pre class="synopsis">
CREATE ROLE <em class="replaceable"><code>name</code></em>;
</pre><p>
   <em class="replaceable"><code>name</code></em> follows the rules for SQL
   identifiers: either unadorned without special characters, or
   double-quoted.  (In practice, you will usually want to add additional
   options, such as <code class="literal">LOGIN</code>, to the command.  More details appear
   below.)  To remove an existing role, use the analogous
   <a class="xref" href="sql-droprole.html" title="DROP ROLE"><span class="refentrytitle">DROP ROLE</span></a> command:
</p><pre class="synopsis">
DROP ROLE <em class="replaceable"><code>name</code></em>;
</pre><p>
  </p><a id="id-1.6.8.5.7" class="indexterm"></a><a id="id-1.6.8.5.8" class="indexterm"></a><p>
   For convenience, the programs <a class="xref" href="app-createuser.html" title="createuser"><span class="refentrytitle"><span class="application">createuser</span></span></a>
   and <a class="xref" href="app-dropuser.html" title="dropuser"><span class="refentrytitle"><span class="application">dropuser</span></span></a> are provided as wrappers
   around these SQL commands that can be called from the shell command
   line:
</p><pre class="synopsis">
createuser <em class="replaceable"><code>name</code></em>
dropuser <em class="replaceable"><code>name</code></em>
</pre><p>
  </p><p>
   To determine the set of existing roles, examine the <code class="structname">pg_roles</code>
   system catalog, for example
</p><pre class="synopsis">
SELECT rolname FROM pg_roles;
</pre><p>
   The <a class="xref" href="app-psql.html" title="psql"><span class="refentrytitle"><span class="application">psql</span></span></a> program's <code class="literal">\du</code> meta-command
   is also useful for listing the existing roles.
  </p><p>
   In order to bootstrap the database system, a freshly initialized
   system always contains one predefined role. This role is always
   a <span class="quote"><span class="quote">superuser</span></span>, and by default (unless altered when running
   <code class="command">initdb</code>) it will have the same name as the
   operating system user that initialized the database
   cluster. Customarily, this role will be named
   <code class="literal">postgres</code>. In order to create more roles you
   first have to connect as this initial role.
  </p><p>
   Every connection to the database server is made using the name of some
   particular role, and this role determines the initial access privileges for
   commands issued in that connection.
   The role name to use for a particular database
   connection is indicated by the client that is initiating the
   connection request in an application-specific fashion. For example,
   the <code class="command">psql</code> program uses the
   <code class="option">-U</code> command line option to indicate the role to
   connect as.  Many applications assume the name of the current
   operating system user by default (including
   <code class="command">createuser</code> and <code class="command">psql</code>).  Therefore it
   is often convenient to maintain a naming correspondence between
   roles and operating system users.
  </p><p>
   The set of database roles a given client connection can connect as
   is determined by the client authentication setup, as explained in
   <a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>. (Thus, a client is not
   limited to connect as the role matching
   its operating system user, just as a person's login name
   need not match his or her real name.)  Since the role
   identity determines the set of privileges available to a connected
   client, it is important to carefully configure privileges when setting up
   a multiuser environment.
  </p></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="user-manag.html" title="Chapter 21. Database Roles">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="role-attributes.html" title="21.2. Role Attributes">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Database Roles </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 13.4 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.2. Role Attributes</td></tr></table></div></body></html>