<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
>Role Attributes</TITLE
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
HREF="mailto:pgsql-docs@postgresql.org"><LINK
TITLE="PostgreSQL 9.1beta1 Documentation"
HREF="index.html"><LINK
TITLE="Database Roles"
HREF="user-manag.html"><LINK
TITLE="Database Roles"
HREF="database-roles.html"><LINK
TITLE="Role Membership"
HREF="role-membership.html"><LINK
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
CONTENT="2011-04-27T21:20:33"></HEAD
>Chapter 20. Database Roles</TD
NAME="ROLE-ATTRIBUTES"
>20.2. Role Attributes</A
> A database role can have a number of attributes that define its
privileges and interact with the client authentication system.
> Only roles that have the <TT
> attribute can be used
as the initial role name for a database connection. A role with
> attribute can be considered the same
>"database user"</SPAN
>. To create a role with login privilege,
CLASS="PROGRAMLISTING"
> is equivalent to <TT
>superuser status</DT
> A database superuser bypasses all permission checks, except the right
to log in or the right to initiate replication. This is a
dangerous privilege and should not be used carelessly; it is best
to do most of your work as a role that is not a superuser.
To create a new database superuser, use <TT
this as a role that is already a superuser. Creating a superuser
will by default also grant permissions to initiate streaming
replication. For increased security this can be disallowed using
>database creation</DT
> A role must be explicitly given permission to create databases
(except for superusers, since those bypass all permission
checks). To create such a role, use <TT
> A role must be explicitly given permission to create more roles
(except for superusers, since those bypass all permission
checks). To create such a role, use <TT
> privilege can alter and drop
other roles, too, as well as grant or revoke membership in them.
However, to create, alter, drop, or change membership of a
superuser role, superuser status is required;
> is insufficient for that.
>initiating replication</DT
> A role must explicitly be given permission to initiate streaming
replication. A role used for streaming replication must always
> permission as well. To create such a role, use
> A password is only significant if the client authentication
method requires the user to supply a password when connecting
to the database. The <TT
> authentication methods
make use of passwords. Database passwords are separate from
operating system passwords. Specify a password upon role
A role's attributes can be modified after creation with
See the reference pages for the <A
HREF="sql-createrole.html"
HREF="sql-alterrole.html"
> commands for details.
> It is good practice to create a role that has the <TT
> privileges, but is not a superuser, and then
use this role for all routine management of databases and roles. This
approach avoids the dangers of operating as a superuser for tasks that
do not really require it.
> A role can also have role-specific defaults for many of the run-time
configuration settings described in <A
HREF="runtime-config.html"
>. For example, if for some reason you
want to disable index scans (hint: not a good idea) anytime you
connect, you can use:
CLASS="PROGRAMLISTING"
>ALTER ROLE myname SET enable_indexscan TO off;</PRE
This will save the setting (but not set it immediately). In
subsequent connections by this role it will appear as though
>SET enable_indexscan TO off</TT
just before the session started.
You can still alter this setting during the session; it will only
be the default. To remove a role-specific default setting, use
Note that role-specific defaults attached to roles without
> privilege are fairly useless, since they will never