Movatterモバイル変換

Only roles that have theLOGIN attribute can be used as the initial role name for a database connection. A role with theLOGIN attribute can be considered the same as a“database user”. To create a role with login privilege, use either:

CREATE ROLEname LOGIN;CREATE USERname;

(CREATE USER is equivalent toCREATE ROLE except thatCREATE USER includesLOGIN by default, whileCREATE ROLE does not.)

A database superuser bypasses all permission checks, except the right to log in. This is a dangerous privilege and should not be used carelessly; it is best to do most of your work as a role that is not a superuser. To create a new database superuser, useCREATE ROLEname SUPERUSER. You must do this as a role that is already a superuser.

A role must be explicitly given permission to create databases (except for superusers, since those bypass all permission checks). To create such a role, useCREATE ROLEname CREATEDB.

A role must be explicitly given permission to create more roles (except for superusers, since those bypass all permission checks). To create such a role, useCREATE ROLEname CREATEROLE. A role withCREATEROLE privilege can alter and drop other roles, too, as well as grant or revoke membership in them. Altering a role includes most changes that can be made usingALTER ROLE, including, for example, changing passwords. It also includes modifications to a role that can be made using theCOMMENT andSECURITY LABEL commands.

However,CREATEROLE does not convey the ability to createSUPERUSER roles, nor does it convey any power overSUPERUSER roles that already exist. Furthermore,CREATEROLE does not convey the power to createREPLICATION users, nor the ability to grant or revoke theREPLICATION privilege, nor the ability to modify the role properties of such users. However, it does allowALTER ROLE ... SET andALTER ROLE ... RENAME to be used onREPLICATION roles, as well as the use ofCOMMENT ON ROLE,SECURITY LABEL ON ROLE, andDROP ROLE. Finally,CREATEROLE does not confer the ability to grant or revoke theBYPASSRLS privilege.

Because theCREATEROLE privilege allows a user to grant or revoke membership even in roles to which it does not (yet) have any access, aCREATEROLE user can obtain access to the capabilities of every predefined role in the system, including highly privileged roles such aspg_execute_server_program andpg_write_server_files.

A role must explicitly be given permission to initiate streaming replication (except for superusers, since those bypass all permission checks). A role used for streaming replication must haveLOGIN permission as well. To create such a role, useCREATE ROLEname REPLICATION LOGIN.

A password is only significant if the client authentication method requires the user to supply a password when connecting to the database. Thepassword andmd5 authentication methods make use of passwords. Database passwords are separate from operating system passwords. Specify a password upon role creation withCREATE ROLEname PASSWORD 'string'.

A role is given permission to inherit the privileges of roles it is a member of, by default. However, to create a role without the permission, useCREATE ROLEname NOINHERIT.

A role must be explicitly given permission to bypass every row-level security (RLS) policy (except for superusers, since those bypass all permission checks). To create such a role, useCREATE ROLEname BYPASSRLS as a superuser.

Connection limit can specify how many concurrent connections a role can make. -1 (the default) means no limit. Specify connection limit upon role creation withCREATE ROLEname CONNECTION LIMIT 'integer'.