postgresql

18th chunk of `doc/src/sgml/catalogs.sgml`
 where the dropped column's data type was
   later dropped, and so there is no <structname>pg_type</structname> row anymore.
   <structfield>attlen</structfield> and the other fields can be used
   to interpret the contents of a row of the table.
  </para>
 </sect1>


 <sect1 id="catalog-pg-authid">
  <title><structname>pg_authid</structname></title>

  <indexterm zone="catalog-pg-authid">
   <primary>pg_authid</primary>
  </indexterm>

  <para>
   The catalog <structname>pg_authid</structname> contains information about
   database authorization identifiers (roles).  A role subsumes the concepts
   of <quote>users</quote> and <quote>groups</quote>.  A user is essentially just a
   role with the <structfield>rolcanlogin</structfield> flag set.  Any role (with or
   without <structfield>rolcanlogin</structfield>) can have other roles as members; see
   <link linkend="catalog-pg-auth-members"><structname>pg_auth_members</structname></link>.
  </para>

  <para>
   Since this catalog contains passwords, it must not be publicly readable.
   <link linkend="view-pg-roles"><structname>pg_roles</structname></link>
   is a publicly readable view on
   <structname>pg_authid</structname> that blanks out the password field.
  </para>

  <para>
   <xref linkend="user-manag"/> contains detailed information about user and
   privilege management.
  </para>

  <para>
   Because user identities are cluster-wide,
   <structname>pg_authid</structname>
   is shared across all databases of a cluster: there is only one
   copy of <structname>pg_authid</structname> per cluster, not
   one per database.
  </para>

  <table>
   <title><structname>pg_authid</structname> Columns</title>
   <tgroup cols="1">
    <thead>
     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       Column Type
      </para>
      <para>
       Description
      </para></entry>
     </row>
    </thead>

    <tbody>
     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>oid</structfield> <type>oid</type>
      </para>
      <para>
       Row identifier
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolname</structfield> <type>name</type>
      </para>
      <para>
       Role name
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolsuper</structfield> <type>bool</type>
      </para>
      <para>
       Role has superuser privileges
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolinherit</structfield> <type>bool</type>
      </para>
      <para>
       Role automatically inherits privileges of roles it is a
       member of
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolcreaterole</structfield> <type>bool</type>
      </para>
      <para>
       Role can create more roles
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolcreatedb</structfield> <type>bool</type>
      </para>
      <para>
       Role can create databases
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolcanlogin</structfield> <type>bool</type>
      </para>
      <para>
       Role can log in. That is, this role can be given as the initial
       session authorization identifier.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolreplication</structfield> <type>bool</type>
      </para>
      <para>
       Role is a replication role. A replication role can initiate replication
       connections and create and

Title: pg_authid Catalog: Roles and Authorization Identifiers
Summary
This section introduces the pg_authid catalog, which stores information about database authorization identifiers (roles). A role encompasses the concepts of users and groups, with users being roles that can log in. The catalog contains sensitive password information and should not be publicly readable. pg_roles is a publicly readable view that masks the password field. pg_authid is cluster-wide and shared across all databases.
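
The access rule stated above (pg_authid must not be publicly readable, while pg_roles is the public view with the password blanked) can be checked from SQL. The queries below are an added example, not part of the PostgreSQL documentation; they use the built-in functions `aclexplode`, `acldefault`, `pg_get_userbyid` and `has_table_privilege`, and the output column aliases are chosen here for illustration.

```sql
-- 1. Every grantee other than the owner that holds a privilege on pg_authid.
--    An empty result is the expected state; grantee OID 0 stands for PUBLIC.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END AS grantee_name,
       a.privilege_type,
       a.is_grantable
FROM pg_class AS c
CROSS JOIN LATERAL
     aclexplode(COALESCE(c.relacl, acldefault('r', c.relowner))) AS a
WHERE c.oid = 'pg_catalog.pg_authid'::regclass
  AND a.grantee <> c.relowner
ORDER BY 1, 2;

-- 2. Direct check of the PUBLIC pseudo-role: the catalog should be
--    unreadable (false) and the masking view readable (true).
SELECT has_table_privilege('public', 'pg_catalog.pg_authid', 'SELECT')
           AS public_reads_pg_authid,
       has_table_privilege('public', 'pg_catalog.pg_roles', 'SELECT')
           AS public_reads_pg_roles;

-- 3. Inventory of roles carrying elevated attributes, read through pg_roles
--    so the audit itself never touches the password column of pg_authid.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolcreaterole,
       rolcreatedb,
       rolreplication
FROM pg_roles
WHERE rolsuper
   OR rolcreaterole
   OR rolcreatedb
   OR rolreplication
ORDER BY rolsuper DESC, rolname;
```

Because pg_authid is shared across the cluster, running these once in any database covers every database in that cluster.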