expiration time is not enforced when logging in using
a non-password-based authentication method.
</para>
<para>
The role attributes defined here are non-inheritable: being a
member of a role that has, e.g., <literal>CREATEDB</literal> does not
allow the member to create new databases, even if the membership grant
has the <literal>INHERIT</literal> option. However, if the membership
grant has the <literal>SET</literal> option, the member role can
<link linkend="sql-set-role"><command>SET ROLE</command></link> to the
role that has <literal>CREATEDB</literal> and then create a new database.
</para>
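<para>
The following script is an added illustration, not part of the original reference page: it shows the non-inheritance rule above, the <literal>SET</literal> path around it, and a grant that closes that path. The role and database names (<literal>db_creators</literal>, <literal>alice</literal>, <literal>bob</literal>, <literal>alice_db</literal>, <literal>bob_db</literal>) are constructed, and it assumes a superuser <application>psql</application> session on PostgreSQL 16 or later.

```sql
-- Constructed names for illustration; run as a superuser in psql.
CREATE ROLE db_creators NOLOGIN CREATEDB;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- alice gets the default membership grant: INHERIT and SET are both true.
GRANT db_creators TO alice;
-- bob inherits db_creators' privileges but may not SET ROLE to it.
GRANT db_creators TO bob WITH INHERIT TRUE, SET FALSE;

SET SESSION AUTHORIZATION alice;
CREATE DATABASE alice_db;     -- fails: CREATEDB is not inherited
SET ROLE db_creators;         -- allowed: the grant has the SET option
CREATE DATABASE alice_db;     -- succeeds, running as db_creators
RESET ROLE;
RESET SESSION AUTHORIZATION;

SET SESSION AUTHORIZATION bob;
SET ROLE db_creators;         -- fails: the grant has SET FALSE
CREATE DATABASE bob_db;       -- fails: CREATEDB is not inherited
RESET SESSION AUTHORIZATION;

-- Audit: membership grants that let a member SET ROLE to a role
-- holding an elevated attribute, with the grantor of each grant.
SELECT r.rolname AS granted_role,
       m.rolname AS member,
       g.rolname AS grantor,
       am.inherit_option,
       am.set_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.grantor
WHERE am.set_option
  AND (r.rolsuper OR r.rolcreatedb OR r.rolcreaterole
       OR r.rolreplication OR r.rolbypassrls)
ORDER BY granted_role, member;
```

With the grants above, the audit query lists <literal>alice</literal> for <literal>db_creators</literal> and omits <literal>bob</literal>.
</para>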
<para>
The membership grants created by the
<literal>IN ROLE</literal>, <literal>ROLE</literal>, and <literal>ADMIN</literal>
clauses have the role executing this command as the grantor.
</para>
<para>
The <literal>INHERIT</literal> attribute is the default for reasons of backwards
compatibility: in prior releases of <productname>PostgreSQL</productname>,
users always had access to all privileges of groups they were members of.
However, <literal>NOINHERIT</literal> provides a closer match to the semantics
specified in the SQL standard.
</para>
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="app-createuser"/> that has
the same functionality as <command>CREATE ROLE</command> (in fact,
it calls this command) but can be run from the command shell.
</para>
<para>
The <literal>CONNECTION LIMIT</literal> option is only enforced approximately;
if two new sessions start at about the same time when just one
connection <quote>slot</quote> remains for the role, it is possible that
both will fail. Also, the limit is never enforced for superusers.
</para>
<para>
Caution must be exercised when specifying an unencrypted password
with this command. The password will be transmitted to the server
in cleartext, and it might also be logged in the client's command
history or the server log. The command <xref
linkend="app-createuser"/>, however, transmits
the password encrypted. Also, <xref linkend="app-psql"/>
contains a command
<command>\password</command> that can be used to safely change the
password later.
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>
Create a role that can log in, but don't give it a password:
<programlisting>
CREATE ROLE jonathan LOGIN;
</programlisting>
</para>
<para>
Create a role with a password:
<programlisting>
CREATE USER davide WITH PASSWORD 'jw8s0F4';
</programlisting>
(<command>CREATE USER</command> is the same as <command>CREATE ROLE</command> except
that it