


postgresql

6th chunk of `doc/src/sgml/ref/create_role.sgml`
 expiration time is not enforced when logging in using
   a non-password-based authentication method.
  </para>

  <para>
   The role attributes defined here are non-inheritable, i.e., being a
   member of a role with, e.g., <literal>CREATEDB</literal> will not
   allow the member to create new databases even if the membership grant
   has the <literal>INHERIT</literal> option.  Of course, if the membership
   grant has the <literal>SET</literal> option, the member role would be able to
   <link linkend="sql-set-role"><command>SET ROLE</command></link> to the
   role that has <literal>CREATEDB</literal> and then create a new database.
  </para>

  <para>
   The membership grants created by the
   <literal>IN ROLE</literal>, <literal>ROLE</literal>, and <literal>ADMIN</literal>
   clauses have the role executing this command as the grantor.
  </para>

  <para>
   The <literal>INHERIT</literal> attribute is the default for reasons of backwards
   compatibility: in prior releases of <productname>PostgreSQL</productname>,
   users always had access to all privileges of groups they were members of.
   However, <literal>NOINHERIT</literal> provides a closer match to the semantics
   specified in the SQL standard.
  </para>

  <para>
   <productname>PostgreSQL</productname> includes a program <xref
   linkend="app-createuser"/> that has
   the same functionality as <command>CREATE ROLE</command> (in fact,
   it calls this command) but can be run from the command shell.
  </para>

  <para>
   The <literal>CONNECTION LIMIT</literal> option is only enforced approximately;
   if two new sessions start at about the same time when just one
   connection <quote>slot</quote> remains for the role, it is possible that
   both will fail.  Also, the limit is never enforced for superusers.
  </para>

  <para>
   Caution must be exercised when specifying an unencrypted password
   with this command.  The password will be transmitted to the server
   in cleartext, and it might also be logged in the client's command
   history or the server log.  The command <xref
   linkend="app-createuser"/>, however, transmits
   the password encrypted.  Also, <xref linkend="app-psql"/>
   contains a command
   <command>\password</command> that can be used to safely change the
   password later.
  </para>
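
  <para>
   The caution above, as an added example that is not part of the
   PostgreSQL documentation or source: computing a SCRAM-SHA-256 verifier
   on the client so that only the verifier, never the cleartext password,
   appears in the <command>CREATE ROLE</command> statement.  It relies on
   the server storing a password string that is already in SCRAM format
   as-is; the function names, the sample password and the ASCII-only
   restriction (SASLprep is omitted) are assumptions of this example.
  </para>

```python
import base64
import hashlib
import hmac
import secrets


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Build 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>' (RFC 5802 keys)."""
    if not password.isascii():
        # Assumption of this example: non-ASCII input would need SASLprep first.
        raise ValueError("this example handles ASCII-only passwords")
    salt = secrets.token_bytes(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def verifier_matches(password, verifier):
    """Re-derive the verifier from its embedded salt and iteration count."""
    scheme, params, _keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        return False
    iterations, salt_b64 = params.split(":")
    candidate = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, verifier)


def create_role_statement(role, verifier):
    """Quote the role name as an identifier; the verifier is base64 plus '$' and ':'."""
    ident = '"' + role.replace('"', '""') + '"'
    return f"CREATE ROLE {ident} LOGIN PASSWORD '{verifier}';"


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    sample = scram_sha256_verifier("correct horse battery")
    print(create_role_statement("davide", sample))
```

  <para>
   The verifier still permits offline guessing of the password, so the
   resulting statement should be kept out of shared command histories and
   logs where practical.
  </para>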
 </refsect1>

 <refsect1>
  <title>Examples</title>

  <para>
   Create a role that can log in, but don't give it a password:
<programlisting>
CREATE ROLE jonathan LOGIN;
</programlisting>
  </para>

  <para>
   Create a role with a password:
<programlisting>
CREATE USER davide WITH PASSWORD 'jw8s0F4';
</programlisting>
   (<command>CREATE USER</command> is the same as <command>CREATE ROLE</command> except
   that it

Title: CREATE ROLE Notes and Examples
Summary
This section continues with notes on the CREATE ROLE command, including details on password expiration, role attribute inheritance, how IN ROLE, ROLE, and ADMIN clauses work, the default INHERIT attribute, and the existence of the createuser program. It also covers connection limits and cautions about specifying unencrypted passwords. Finally, it provides examples of creating roles with and without passwords.