login privilege,
use either:
<programlisting>
CREATE ROLE <replaceable>name</replaceable> LOGIN;
CREATE USER <replaceable>name</replaceable>;
</programlisting>
(<command>CREATE USER</command> is equivalent to <command>CREATE ROLE</command>
except that <command>CREATE USER</command> includes <literal>LOGIN</literal> by
default, while <command>CREATE ROLE</command> does not.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>superuser status<indexterm><primary>superuser</primary></indexterm></term>
<listitem>
<para>
A database superuser bypasses all permission checks, except the right
to log in. This is a dangerous privilege and should not be used
carelessly; it is best to do most of your work as a role that is not a
superuser. To create a new database superuser, use <literal>CREATE
ROLE <replaceable>name</replaceable> SUPERUSER</literal>. You must do
this as a role that is already a superuser.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>database creation<indexterm><primary>database</primary><secondary>privilege to create</secondary></indexterm></term>
<listitem>
<para>
A role must be explicitly given permission to create databases
(except for superusers, since those bypass all permission
checks). To create such a role, use <literal>CREATE ROLE
<replaceable>name</replaceable> CREATEDB</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term id="role-creation">role creation<indexterm><primary>role</primary><secondary>privilege to create</secondary></indexterm></term>
<listitem>
<para>
A role must be explicitly given permission to create more roles
(except for superusers, since those bypass all permission
checks). To create such a role, use <literal>CREATE ROLE
<replaceable>name</replaceable> CREATEROLE</literal>.
A role with <literal>CREATEROLE</literal> privilege can alter and drop
roles which have been granted to the <literal>CREATEROLE</literal>
user with the <literal>ADMIN</literal> option. Such a grant occurs
automatically when a <literal>CREATEROLE</literal> user that is not
a superuser creates a new role, so that by default, a
<literal>CREATEROLE</literal> user can alter and drop the roles
which they have created.
Altering a role includes most changes that can be made using
<literal>ALTER ROLE</literal>, including, for example, changing
passwords. It also includes modifications to a role that can
be made using the <literal>COMMENT</literal> and
<literal>SECURITY LABEL</literal> commands.
</para>
<para>
However, <literal>CREATEROLE</literal> does not convey the ability to
create <literal>SUPERUSER</literal> roles, nor does it convey any
power over <literal>SUPERUSER</literal> roles that already exist.
Furthermore, <literal>CREATEROLE</literal> does not convey the power
to create <literal>REPLICATION</literal> users, nor the ability to
grant or revoke the <literal>REPLICATION</literal> privilege, nor the
ability to modify the role properties of such users. However, it does
allow <literal>ALTER ROLE ... SET</literal> and
<literal>ALTER ROLE ... RENAME</literal> to be used on
<literal>REPLICATION</literal> roles, as well as the use of
<literal>COMMENT ON ROLE</literal>,
<literal>SECURITY LABEL ON ROLE</literal>,
and <literal>DROP ROLE</literal>.
Finally, <literal>CREATEROLE</literal> does not
confer the ability to grant or revoke the <literal>BYPASSRLS</literal>
privilege.
</para>
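<para>
The following is an added example, not part of the original documentation: an audit of which roles hold the attributes described in this section, and which roles each non-superuser <literal>CREATEROLE</literal> user can alter or drop through the <literal>ADMIN</literal> option. The role names <literal>role_admin</literal> and <literal>app_user</literal> are constructed for illustration. It assumes a scratch cluster, a superuser session, and a server version that performs the automatic grant described above.
</para>

```sql
-- Added example; role_admin and app_user are constructed names.
-- Run as a superuser on a scratch cluster.
CREATE ROLE role_admin LOGIN CREATEROLE;  -- delegated role manager, not a superuser

SET ROLE role_admin;          -- act with role_admin's attributes only
CREATE ROLE app_user LOGIN;   -- role_admin receives app_user WITH ADMIN OPTION
RESET ROLE;

-- 1. Roles holding any of the attributes discussed in this section.
SELECT rolname, rolcanlogin, rolsuper, rolcreatedb, rolcreaterole,
       rolreplication, rolbypassrls
FROM pg_roles
WHERE (rolsuper OR rolcreatedb OR rolcreaterole
       OR rolreplication OR rolbypassrls)
  AND rolname NOT LIKE 'pg\_%'            -- skip predefined roles
ORDER BY rolsuper DESC, rolname;

-- 2. Roles that each non-superuser CREATEROLE user can alter or drop,
--    that is, memberships it holds WITH ADMIN OPTION.
SELECT manager.rolname    AS createrole_user,
       target.rolname     AS administered_role,
       target.rolcanlogin AS target_can_login,
       grantor.rolname    AS granted_by
FROM pg_auth_members m
JOIN pg_roles manager      ON manager.oid = m.member
JOIN pg_roles target       ON target.oid  = m.roleid
LEFT JOIN pg_roles grantor ON grantor.oid = m.grantor
WHERE m.admin_option
  AND manager.rolcreaterole
  AND NOT manager.rolsuper
ORDER BY createrole_user, administered_role;

-- Cleanup of the constructed roles.
DROP ROLE app_user;
DROP ROLE role_admin;
```

<para>
Each row of the second query is a role whose password a delegated role manager can change, so rows that name a login role used by an application or an administrator deserve review.
</para>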
</listitem>
</varlistentry>
<varlistentry>
<term>initiating replication<indexterm><primary>role</primary><secondary>privilege