<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Role Membership</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 9.1.8 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Database Roles"
HREF="user-manag.html"><LINK
REL="PREVIOUS"
TITLE="Role Attributes"
HREF="role-attributes.html"><LINK
REL="NEXT"
TITLE="Function and Trigger Security"
HREF="perm-functions.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2013-02-04T21:38:53"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
><A
HREF="index.html"
>PostgreSQL 9.1.8 Documentation</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
TITLE="Role Attributes"
HREF="role-attributes.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="user-manag.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 20. Database Roles</TD
><TD
WIDTH="20%"
ALIGN="right"
VALIGN="top"
><A
TITLE="Function and Trigger Security"
HREF="perm-functions.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="ROLE-MEMBERSHIP"
>20.3. Role Membership</A
></H1
><P
>   It is frequently convenient to group users together to ease
   management of privileges: that way, privileges can be granted to, or
   revoked from, a group as a whole.  In <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
>
   this is done by creating a role that represents the group, and then
   granting <I
CLASS="FIRSTTERM"
>membership</I
> in the group role to individual user
   roles.
  </P
><P
>   To set up a group role, first create the role:
</P><PRE
CLASS="SYNOPSIS"
>CREATE ROLE <TT
CLASS="REPLACEABLE"
><I
>name</I
></TT
>;</PRE
><P>
   Typically a role being used as a group would not have the <TT
CLASS="LITERAL"
>LOGIN</TT
>
   attribute, though you can set it if you wish.
  </P
><P
>   Once the group role exists, you can add and remove members using the
   <A
HREF="sql-grant.html"
>GRANT</A
> and
   <A
HREF="sql-revoke.html"
>REVOKE</A
> commands:
</P><PRE
CLASS="SYNOPSIS"
>GRANT <TT
CLASS="REPLACEABLE"
><I
>group_role</I
></TT
> TO <TT
CLASS="REPLACEABLE"
><I
>role1</I
></TT
>, ... ;
REVOKE <TT
CLASS="REPLACEABLE"
><I
>group_role</I
></TT
> FROM <TT
CLASS="REPLACEABLE"
><I
>role1</I
></TT
>, ... ;</PRE
><P>
   You can grant membership to other group roles, too (since there isn't
   really any distinction between group roles and non-group roles).  The
   database will not let you set up circular membership loops.  Also,
   it is not permitted to grant membership in a role to
   <TT
CLASS="LITERAL"
>PUBLIC</TT
>.
  </P
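><P>
   The following is an added example and is not part of the
   <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> manual; the roles
   <TT CLASS="LITERAL">reporting</TT>, <TT CLASS="LITERAL">analysts</TT>,
   <TT CLASS="LITERAL">alice</TT> and <TT CLASS="LITERAL">bob</TT> and the
   table <TT CLASS="LITERAL">sales</TT> are assumed names.  It creates a group
   role, grants the group an object privilege, manages membership with
   <TT CLASS="COMMAND">GRANT</TT> and <TT CLASS="COMMAND">REVOKE</TT>, and then
   reads <TT CLASS="LITERAL">pg_auth_members</TT> and
   <TT CLASS="LITERAL">has_table_privilege</TT> to confirm who actually holds
   the privilege.
</P>

```sql
-- Added example, not from the PostgreSQL manual.  Assumed names: roles
-- reporting, analysts, alice, bob and table sales exist only for illustration.
-- Run as a superuser.

-- Group role: NOLOGIN, so it can hold privileges but never open a session.
CREATE ROLE reporting NOLOGIN;

-- Login roles that will receive privileges only through membership.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;

-- Grant object privileges to the group rather than to individuals.
CREATE TABLE sales (id serial PRIMARY KEY, amount numeric);
GRANT SELECT ON sales TO reporting;

-- Membership is added with GRANT and removed with REVOKE.
GRANT reporting TO alice, bob;
REVOKE reporting FROM bob;

-- A group can be a member of another group; a loop is rejected.
CREATE ROLE analysts NOLOGIN;
GRANT reporting TO analysts;
-- GRANT analysts TO reporting;   -- rejected: it would make the membership circular

-- Audit who is a member of what.  admin_option marks members who may grant
-- the group to others, which is a privilege in its own right.
SELECT m.rolname AS member,
       g.rolname AS group_role,
       am.admin_option
  FROM pg_auth_members am
  JOIN pg_roles m ON m.oid = am.member
  JOIN pg_roles g ON g.oid = am.roleid
 WHERE g.rolname IN ('reporting', 'analysts')
 ORDER BY group_role, member;

-- Effective access rather than intended access: has_table_privilege follows
-- inherited memberships, so it is true for alice and false for bob.
SELECT has_table_privilege('alice', 'sales', 'SELECT') AS alice_can_read,
       has_table_privilege('bob',   'sales', 'SELECT') AS bob_can_read;
```

<P>
   The point of the last two queries is to audit from the catalog rather than
   from the <TT CLASS="COMMAND">GRANT</TT> statements one remembers issuing:
   <TT CLASS="LITERAL">pg_auth_members</TT> records every membership edge
   together with its <TT CLASS="LITERAL">ADMIN OPTION</TT>, and
   <TT CLASS="LITERAL">has_table_privilege</TT> reports the effective result
   after inheritance, so it shows <TT CLASS="LITERAL">alice</TT>'s access and
   <TT CLASS="LITERAL">bob</TT>'s loss of it.
</P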
><P
>   The members of a group role can use the privileges of the role in two
   ways.  First, every member of a group can explicitly do
   <A
HREF="sql-set-role.html"
>SET ROLE</A
> to
   temporarily <SPAN
CLASS="QUOTE"
>"become"</SPAN
> the group role.  In this state, the
   database session has access to the privileges of the group role rather
   than the original login role, and any database objects created are
   considered owned by the group role not the login role.  Second, member
   roles that have the <TT
CLASS="LITERAL"
>INHERIT</TT
> attribute automatically have use
   of the privileges of roles of which they are members, including any
   privileges inherited by those roles.
   As an example, suppose we have done:
</P><PRE
CLASS="PROGRAMLISTING"
>CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;</PRE
><P>
   Immediately after connecting as role <TT
CLASS="LITERAL"
>joe</TT
>, a database
   session will have use of privileges granted directly to <TT
CLASS="LITERAL"
>joe</TT
>
   plus any privileges granted to <TT
CLASS="LITERAL"
>admin</TT
>, because <TT
CLASS="LITERAL"
>joe</TT
>
   <SPAN
CLASS="QUOTE"
>"inherits"</SPAN
> <TT
CLASS="LITERAL"
>admin</TT
>'s privileges.  However, privileges
   granted to <TT
CLASS="LITERAL"
>wheel</TT
> are not available, because even though
   <TT
CLASS="LITERAL"
>joe</TT
> is indirectly a member of <TT
CLASS="LITERAL"
>wheel</TT
>, the
   membership is via <TT
CLASS="LITERAL"
>admin</TT
> which has the <TT
CLASS="LITERAL"
>NOINHERIT</TT
>
   attribute.  After:
</P><PRE
CLASS="PROGRAMLISTING"
>SET ROLE admin;</PRE
><P>
   the session would have use of only those privileges granted to
   <TT
CLASS="LITERAL"
>admin</TT
>, and not those granted to <TT
CLASS="LITERAL"
>joe</TT
>.  After:
</P><PRE
CLASS="PROGRAMLISTING"
>SET ROLE wheel;</PRE
><P>
   the session would have use of only those privileges granted to
   <TT
CLASS="LITERAL"
>wheel</TT
>, and not those granted to either <TT
CLASS="LITERAL"
>joe</TT
>
   or <TT
CLASS="LITERAL"
>admin</TT
>.  The original privilege state can be restored
   with any of:
</P><PRE
CLASS="PROGRAMLISTING"
>SET ROLE joe;
SET ROLE NONE;
RESET ROLE;</PRE
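><P>
   The following is an added example and is not part of the
   <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> manual.  It repeats the
   <TT CLASS="LITERAL">joe</TT>/<TT CLASS="LITERAL">admin</TT>/<TT CLASS="LITERAL">wheel</TT>
   setup from the text, adds an assumed table <TT CLASS="LITERAL">secrets</TT>,
   and uses <TT CLASS="LITERAL">pg_has_role</TT> and
   <TT CLASS="LITERAL">has_table_privilege</TT> to separate
   <SPAN CLASS="QUOTE">"is a member of"</SPAN> from
   <SPAN CLASS="QUOTE">"can currently use the privileges of"</SPAN>, before
   and after <TT CLASS="COMMAND">SET ROLE</TT>.
</P>

```sql
-- Added example, not from the PostgreSQL manual.  It repeats the joe/admin/
-- wheel setup from the text and adds an assumed table, secrets, plus catalog
-- checks that separate "is a member of" from "can use the privileges of".
-- The first part runs as a superuser.

CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;

CREATE TABLE secrets (id int);
GRANT SELECT ON secrets TO wheel;

-- pg_has_role(..., 'MEMBER') answers "is there a membership path?";
-- pg_has_role(..., 'USAGE') answers "are the privileges usable without SET ROLE?".
-- joe is a member of both admin and wheel, but can use only admin's privileges:
-- the path to wheel passes through admin, and admin is NOINHERIT.
SELECT pg_has_role('joe', 'admin', 'MEMBER') AS member_of_admin,
       pg_has_role('joe', 'admin', 'USAGE')  AS uses_admin,
       pg_has_role('joe', 'wheel', 'MEMBER') AS member_of_wheel,
       pg_has_role('joe', 'wheel', 'USAGE')  AS uses_wheel;

-- The same answer from the object side: without SET ROLE, joe cannot read secrets.
SELECT has_table_privilege('joe', 'secrets', 'SELECT') AS joe_reads_secrets;

-- The rest runs in a session connected as joe (in psql: \c - joe).
SELECT session_user, current_user;    -- both report joe

-- SET ROLE may target any role joe is directly or indirectly a member of;
-- there is no need to pass through admin first.
SET ROLE wheel;
SELECT session_user, current_user;    -- session_user stays joe, current_user is wheel
SELECT count(*) FROM secrets;         -- permitted: the session now holds wheel's privileges
CREATE TABLE wheel_notes (note text); -- owned by wheel, not by joe

RESET ROLE;
SELECT count(*) FROM secrets;         -- permission denied again
```

<P>
   When reviewing access, query both modes of
   <TT CLASS="LITERAL">pg_has_role</TT>: <TT CLASS="LITERAL">USAGE</TT>
   describes what a session gets automatically, but
   <TT CLASS="LITERAL">MEMBER</TT> describes what it can reach with a single
   <TT CLASS="COMMAND">SET ROLE</TT>, and the <TT CLASS="LITERAL">NOINHERIT</TT>
   attribute only changes the first of the two.
</P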
><P>
  </P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>    The <TT
CLASS="COMMAND"
>SET ROLE</TT
> command always allows selecting any role
    that the original login role is directly or indirectly a member of.
    Thus, in the above example, it is not necessary to become
    <TT
CLASS="LITERAL"
>admin</TT
> before becoming <TT
CLASS="LITERAL"
>wheel</TT
>.
   </P
></BLOCKQUOTE
></DIV
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>    In the SQL standard, there is a clear distinction between users and roles,
    and users do not automatically inherit privileges while roles do.  This
    behavior can be obtained in <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> by giving
    roles being used as SQL roles the <TT
CLASS="LITERAL"
>INHERIT</TT
> attribute, while
    giving roles being used as SQL users the <TT
CLASS="LITERAL"
>NOINHERIT</TT
> attribute.
    However, <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> defaults to giving all roles
    the <TT
CLASS="LITERAL"
>INHERIT</TT
> attribute, for backward compatibility with pre-8.1
    releases in which users always had use of permissions granted to groups
    they were members of.
   </P
></BLOCKQUOTE
></DIV
><P
>   The role attributes <TT
CLASS="LITERAL"
>LOGIN</TT
>, <TT
CLASS="LITERAL"
>SUPERUSER</TT
>,
   <TT
CLASS="LITERAL"
>CREATEDB</TT
>, and <TT
CLASS="LITERAL"
>CREATEROLE</TT
> can be thought of as
   special privileges, but they are never inherited as ordinary privileges
   on database objects are.  You must actually <TT
CLASS="COMMAND"
>SET ROLE</TT
> to a
   specific role having one of these attributes in order to make use of
   the attribute.  Continuing the above example, we might choose to
   grant <TT
CLASS="LITERAL"
>CREATEDB</TT
> and <TT
CLASS="LITERAL"
>CREATEROLE</TT
> to the
   <TT
CLASS="LITERAL"
>admin</TT
> role.  Then a session connecting as role <TT
CLASS="LITERAL"
>joe</TT
>
   would not have these privileges immediately, only after doing
   <TT
CLASS="COMMAND"
>SET ROLE admin</TT
>.
  </P
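><P>
   The following is an added example and is not part of the
   <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> manual.  It assumes the roles
   <TT CLASS="LITERAL">joe</TT> and <TT CLASS="LITERAL">admin</TT> from the
   text; the database <TT CLASS="LITERAL">scratch</TT> and the role
   <TT CLASS="LITERAL">intern</TT> are invented names.  It shows that
   <TT CLASS="LITERAL">CREATEDB</TT> and <TT CLASS="LITERAL">CREATEROLE</TT>
   do not reach <TT CLASS="LITERAL">joe</TT> through
   <TT CLASS="LITERAL">INHERIT</TT>, only through
   <TT CLASS="COMMAND">SET ROLE</TT>, and where to audit them.
</P>

```sql
-- Added example, not from the PostgreSQL manual.  Assumed: the roles joe
-- (LOGIN INHERIT) and admin (NOINHERIT) from the text; database scratch and
-- role intern are invented names.  The first part runs as a superuser.

CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
GRANT admin TO joe;
ALTER ROLE admin CREATEDB CREATEROLE;

-- Attributes live in pg_roles; has_*_privilege and pg_has_role say nothing
-- about them, so audit them there.  rolsuper deserves the same scrutiny.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolinherit
  FROM pg_roles
 WHERE rolname IN ('joe', 'admin');

-- The rest runs in a session connected as joe (in psql: \c - joe).
CREATE DATABASE scratch;   -- refused: joe itself lacks CREATEDB; INHERIT does not carry attributes
CREATE ROLE intern LOGIN;  -- refused for the same reason: CREATEROLE belongs to admin

SET ROLE admin;
CREATE DATABASE scratch;   -- permitted: the current role has the attribute
CREATE ROLE intern LOGIN;  -- permitted
RESET ROLE;
```

<P>
   The same rule applies to <TT CLASS="LITERAL">SUPERUSER</TT>, and it cuts
   both ways: inheritance never makes a member a superuser, but because
   <TT CLASS="COMMAND">SET ROLE</TT> always allows selecting any role the
   login role is a member of, membership in a superuser role is one statement
   away from superuser access.  Treat such a grant as granting superuser, and
   audit it by joining <TT CLASS="LITERAL">pg_auth_members</TT> against
   <TT CLASS="LITERAL">pg_roles</TT> rows where
   <TT CLASS="LITERAL">rolsuper</TT> is true.
</P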
><P
>  </P
><P
>   To destroy a group role, use <A
HREF="sql-droprole.html"
>DROP ROLE</A
>:
</P><PRE
CLASS="SYNOPSIS"
>DROP ROLE <TT
CLASS="REPLACEABLE"
><I
>name</I
></TT
>;</PRE
><P>
   Any memberships in the group role are automatically revoked (but the
   member roles are not otherwise affected).  Note however that any objects
   owned by the group role must first be dropped or reassigned to other
   owners; and any permissions granted to the group role must be revoked.
  </P
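><P>
   The following is an added example and is not part of the
   <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> manual; the roles
   <TT CLASS="LITERAL">reporting</TT>, <TT CLASS="LITERAL">archive</TT> and
   <TT CLASS="LITERAL">alice</TT> and the tables
   <TT CLASS="LITERAL">sales</TT> and <TT CLASS="LITERAL">monthly_totals</TT>
   are assumed names.  It shows why a bare
   <TT CLASS="COMMAND">DROP ROLE</TT> of a group role is refused and the
   <A HREF="sql-reassign-owned.html">REASSIGN OWNED</A> /
   <A HREF="sql-drop-owned.html">DROP OWNED</A> sequence that clears the way.
</P>

```sql
-- Added example, not from the PostgreSQL manual.  Assumed names: roles
-- reporting, archive, alice and tables sales, monthly_totals exist only for
-- illustration.  Run as a superuser.

CREATE ROLE reporting NOLOGIN;
CREATE ROLE archive   NOLOGIN;
CREATE ROLE alice LOGIN;
GRANT reporting TO alice;

-- Give the group role both an owned object and a granted privilege.
CREATE TABLE monthly_totals (month date, total numeric);
ALTER TABLE monthly_totals OWNER TO reporting;
CREATE TABLE sales (id serial PRIMARY KEY, amount numeric);
GRANT SELECT ON sales TO reporting;

-- Refused: the role still owns monthly_totals and holds a privilege on sales.
-- The membership of alice is not what blocks it; memberships go away on their own.
DROP ROLE reporting;

-- Step 1: move ownership to a successor role rather than dropping the data.
REASSIGN OWNED BY reporting TO archive;

-- Step 2: revoke everything granted to the role.  With nothing left owned,
-- DROP OWNED drops no objects and acts as a bulk REVOKE.
DROP OWNED BY reporting;

-- Both commands act only in the current database; repeat them in every
-- database that holds objects or grants for the role, then drop it.
DROP ROLE reporting;

-- alice's membership was revoked automatically; alice itself still exists,
-- and privileges granted directly to alice are untouched.
SELECT rolname FROM pg_roles WHERE rolname IN ('alice', 'reporting');
```

<P>
   The order matters: running <TT CLASS="COMMAND">DROP OWNED</TT> first would
   drop <TT CLASS="LITERAL">monthly_totals</TT> along with the grants, so
   reassign ownership first and use <TT CLASS="COMMAND">DROP OWNED</TT> only
   for the privileges that remain.
</P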
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="role-attributes.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="perm-functions.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Role Attributes</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="user-manag.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Function and Trigger Security</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>