21.5. Predefined Roles#
PostgreSQL provides a set of predefined roles that provide access to certain, commonly needed, privileged capabilities and information. Administrators (including roles that have theCREATEROLE privilege) canGRANT these roles to users and/or other roles in their environment, providing those users with access to the specified capabilities and information. For example:
GRANT pg_signal_backend TO admin_user;
Warning
Care should be taken when granting these roles to ensure they are only used where needed and with the understanding that these roles grant access to privileged information.
The predefined roles are described below. Note that the specific permissions for each of the roles may change in the future as additional capabilities are added. Administrators should monitor the release notes for changes.
pg_checkpoint#pg_checkpointallows executing theCHECKPOINTcommand.pg_create_subscription#pg_create_subscriptionallows users withCREATEpermission on the database to issueCREATE SUBSCRIPTION.pg_database_owner#pg_database_owneralways has exactly one implicit member: the current database owner. It cannot be granted membership in any role, and no role can be granted membership inpg_database_owner. However, like any other role, it can own objects and receive grants of access privileges. Consequently, oncepg_database_ownerhas rights within a template database, each owner of a database instantiated from that template will possess those rights. Initially, this role owns thepublicschema, so each database owner governs local use of that schema.pg_maintain#pg_maintainallows executingVACUUM,ANALYZE,CLUSTER,REFRESH MATERIALIZED VIEW,REINDEX, andLOCK TABLEon all relations, as if havingMAINTAINrights on those objects.pg_monitorpg_read_all_settingspg_read_all_statspg_stat_scan_tables#These roles are intended to allow administrators to easily configure a role for the purpose of monitoring the database server. They grant a set of common privileges allowing the role to read various useful configuration settings, statistics, and other system information normally restricted to superusers.
pg_monitorallows reading/executing various monitoring views and functions. This role is a member ofpg_read_all_settings,pg_read_all_statsandpg_stat_scan_tables.pg_read_all_settingsallows reading all configuration variables, even those normally visible only to superusers.pg_read_all_statsallows reading all pg_stat_* views and use various statistics related extensions, even those normally visible only to superusers.pg_stat_scan_tablesallows executing monitoring functions that may takeACCESS SHARElocks on tables, potentially for a long time (e.g.,pgrowlocks(text)in thepgrowlocks extension).pg_read_all_datapg_write_all_data#pg_read_all_dataallows reading all data (tables, views, sequences), as if havingSELECTrights on those objects andUSAGErights on all schemas. This role does not bypass row-level security (RLS) policies. If RLS is being used, an administrator may wish to setBYPASSRLSon roles which this role is granted to.pg_write_all_dataallows writing all data (tables, views, sequences), as if havingINSERT,UPDATE, andDELETErights on those objects andUSAGErights on all schemas. This role does not bypass row-level security (RLS) policies. If RLS is being used, an administrator may wish to setBYPASSRLSon roles which this role is granted to.pg_read_server_filespg_write_server_filespg_execute_server_program#These roles are intended to allow administrators to have trusted, but non-superuser, roles which are able to access files and run programs on the database server as the user the database runs as. They bypass all database-level permission checks when accessing files directly and they could be used to gain superuser-level access. Therefore, great care should be taken when granting these roles to users.
pg_read_server_filesallows reading files from any location the database can access on the server usingCOPYand other file-access functions.pg_write_server_filesallows writing to files in any location the database can access on the server usingCOPYand other file-access functions.pg_execute_server_programallows executing programs on the database server as the user the database runs as usingCOPYand other functions which allow executing a server-side program.pg_signal_autovacuum_worker#pg_signal_autovacuum_workerallows signaling autovacuum workers to cancel the current table's vacuum or terminate its session. SeeSection 9.28.2.pg_signal_backend#pg_signal_backendallows signaling another backend to cancel a query or terminate its session. Note that this role does not permit signaling backends owned by a superuser. SeeSection 9.28.2.pg_use_reserved_connections#pg_use_reserved_connectionsallows use of connection slots reserved viareserved_connections.