CREATE ROLE Parameters (Part 2)

role. </para> </listitem> </varlistentry> <varlistentry> <term><literal>LOGIN</literal></term> <term><literal>NOLOGIN</literal></term> <listitem> <para> These clauses determine whether a role is allowed to log in; that is, whether the role can be given as the initial session authorization name during client connection. A role having the <literal>LOGIN</literal> attribute can be thought of as a user. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. If not specified, <literal>NOLOGIN</literal> is the default, except when <command>CREATE ROLE</command> is invoked through its alternative spelling <link linkend="sql-createuser"><command>CREATE USER</command></link>. </para> </listitem> </varlistentry> <varlistentry> <term><literal>REPLICATION</literal></term> <term><literal>NOREPLICATION</literal></term> <listitem> <para> These clauses determine whether a role is a replication role. A role must have this attribute (or be a superuser) in order to be able to connect to the server in replication mode (physical or logical replication) and in order to be able to create or drop replication slots. A role having the <literal>REPLICATION</literal> attribute is a very highly privileged role, and should only be used on roles actually used for replication. If not specified, <literal>NOREPLICATION</literal> is the default. Only superuser roles or roles with <literal>REPLICATION</literal> can specify <literal>REPLICATION</literal>. </para> </listitem> </varlistentry> <varlistentry> <term><literal>BYPASSRLS</literal></term> <term><literal>NOBYPASSRLS</literal></term> <listitem> <para> These clauses determine whether a role bypasses every row-level security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default. Only superuser roles or roles with <literal>BYPASSRLS</literal> can specify <literal>BYPASSRLS</literal>. </para> <para> Note that pg_dump will set <literal>row_security</literal> to <literal>OFF</literal> by default, to ensure all contents of a table are dumped out. If the user running pg_dump does not have appropriate permissions, an error will be returned. However, superusers and the owner of the table being dumped always bypass RLS. </para> </listitem> </varlistentry> <varlistentry> <term><literal>CONNECTION LIMIT</literal> <replaceable class="parameter">connlimit</replaceable></term> <listitem> <para> If role can log in, this specifies how many concurrent connections the role can make. -1 (the default) means no limit. Note that only normal connections are counted towards this limit. Neither prepared transactions nor background worker connections are counted towards this limit. </para> </listitem> </varlistentry> <varlistentry> <term>[ <literal>ENCRYPTED</literal> ] <literal>PASSWORD</literal> '<replaceable class="parameter">password</replaceable>'</term> <term><literal>PASSWORD NULL</literal></term> <listitem> <para> Sets the role's password. (A password is only of use for roles having the <literal>LOGIN</literal> attribute, but you can nonetheless define one for roles without it.) If you do not plan to use password authentication you can omit this option. If no password is specified, the password will be set to null and password authentication will always fail for that user. A null password can optionally be written explicitly as <literal>PASSWORD NULL</literal>.

This section continues detailing parameters for the CREATE ROLE command in PostgreSQL. It explains REPLICATION/NOREPLICATION (for replication roles), BYPASSRLS/NOBYPASSRLS (to bypass row-level security policies), CONNECTION LIMIT (to limit concurrent connections), and PASSWORD (to set the role's password).