


postgresql

5th chunk of `doc/src/sgml/ref/create_role.sgml`
 time.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>IN ROLE</literal> <replaceable class="parameter">role_name</replaceable></term>
      <listitem>
       <para>
        The <literal>IN ROLE</literal> clause causes the new role to
        be automatically added as a member of the specified existing
        roles. The new membership will have the <literal>SET</literal>
        option enabled and the <literal>ADMIN</literal> option disabled.
        The <literal>INHERIT</literal> option will be enabled unless the
        <literal>NOINHERIT</literal> option is specified.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>ROLE</literal> <replaceable class="parameter">role_name</replaceable></term>
      <listitem>
       <para>
        The <literal>ROLE</literal> clause causes one or more specified
        existing roles to be automatically added as members, with the
        <literal>SET</literal> option enabled. This in effect makes the
        new role a <quote>group</quote>.  Roles named in this clause
        with the role-level <literal>INHERIT</literal> attribute will have
        the <literal>INHERIT</literal> option enabled in the new membership.
        New memberships will have the <literal>ADMIN</literal> option disabled.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>ADMIN</literal> <replaceable class="parameter">role_name</replaceable></term>
      <listitem>
       <para>
        The <literal>ADMIN</literal> clause has the same effect as
        <literal>ROLE</literal>, but the named roles are added as members
        of the new role with <literal>ADMIN</literal> enabled, giving
        them the right to grant membership in the new role to others.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>SYSID</literal> <replaceable class="parameter">uid</replaceable></term>
      <listitem>
       <para>
        The <literal>SYSID</literal> clause is ignored, but is accepted
        for backwards compatibility.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
 </refsect1>

 <refsect1>
  <title>Notes</title>

  <para>
   Use <link linkend="sql-alterrole"><command>ALTER ROLE</command></link> to
   change the attributes of a role, and <link linkend="sql-droprole"><command>DROP ROLE</command></link>
   to remove a role.  All the attributes
   specified by <command>CREATE ROLE</command> can be modified by later
   <command>ALTER ROLE</command> commands.
  </para>

  <para>
   The preferred way to add and remove members of roles that are being
   used as groups is to use
   <link linkend="sql-grant"><command>GRANT</command></link> and
   <link linkend="sql-revoke"><command>REVOKE</command></link>.
  </para>

  <para>
   The <literal>VALID UNTIL</literal> clause defines an expiration time for a
   password only, not for the role per se.  In
   particular, the expiration time is not enforced when logging in using
   a non-password-based authentication method.
  </para>

  <para>
   The role attributes defined here are non-inheritable, i.e., being a
   member of a role with, e.g., <literal>CREATEDB</literal> will not
   allow the member to create new databases even if the membership grant
   has the <literal>INHERIT</literal> option.  Of course, if the membership
   grant has the <literal>SET</literal> option the member role would be able to
   <link linkend="sql-set-role"><command>SET ROLE</command></link> to the
   createdb role and then create a new database.
  </para>

  <para>
   The membership grants created by the
   <literal>IN ROLE</literal>, <literal>ROLE</literal>, and <literal>ADMIN</literal>
   clauses have the role executing this command as the grantor.
  </para>
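
  <para>
   The following script is an added example, not part of the PostgreSQL
   documentation. It creates memberships with the three clauses above, lists
   the options and grantor recorded for each grant, and then audits which
   login roles can reach a role-level attribute through
   <literal>SET</literal>-enabled grants. The role names are constructed, and
   the script assumes PostgreSQL 16 or later and a superuser session on a
   scratch instance.
  </para>

```sql
-- Added example; role names are constructed. Assumes PostgreSQL 16 or later
-- (pg_auth_members.inherit_option / set_option) and a superuser session.
BEGIN;

CREATE ROLE dba_group NOLOGIN CREATEDB;

-- IN ROLE: the new role joins dba_group (SET on, ADMIN off).
CREATE ROLE alice LOGIN IN ROLE dba_group;
CREATE ROLE bob   LOGIN NOINHERIT IN ROLE dba_group;

-- ROLE / ADMIN: existing roles become members of the new role.
CREATE ROLE reporting NOLOGIN ROLE alice ADMIN bob;

-- 1. Inspect the options and grantor recorded for each membership grant.
SELECT g.rolname  AS granted_role,
       m.rolname  AS member,
       gr.rolname AS grantor,
       am.admin_option, am.inherit_option, am.set_option
FROM pg_auth_members am
JOIN pg_roles g  ON g.oid  = am.roleid
JOIN pg_roles m  ON m.oid  = am.member
JOIN pg_roles gr ON gr.oid = am.grantor
WHERE g.rolname IN ('dba_group', 'reporting')
ORDER BY granted_role, member;

-- 2. Audit: login roles that can reach, by following SET-enabled grants
--    (directly or through a chain), a role holding a role-level attribute.
WITH RECURSIVE reach(member, roleid) AS (
    SELECT am.member, am.roleid
    FROM pg_auth_members am
    WHERE am.set_option
  UNION
    SELECT r.member, am.roleid
    FROM reach r
    JOIN pg_auth_members am ON am.member = r.roleid AND am.set_option
)
SELECT m.rolname AS login_role,
       g.rolname AS reachable_role,
       g.rolsuper, g.rolcreatedb, g.rolcreaterole,
       g.rolreplication, g.rolbypassrls
FROM reach r
JOIN pg_roles m ON m.oid = r.member
JOIN pg_roles g ON g.oid = r.roleid
WHERE m.rolcanlogin
  AND (g.rolsuper OR g.rolcreatedb OR g.rolcreaterole
       OR g.rolreplication OR g.rolbypassrls)
ORDER BY login_role, reachable_role;

ROLLBACK;  -- discard the constructed roles
```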

  <para>
   The <literal>INHERIT</literal> attribute is the default for reasons of backwards
   compatibility: in prior releases of <productname>PostgreSQL</productname>,

Title: CREATE ROLE Parameters (Part 4): Role Membership and Notes
Summary
This section describes the IN ROLE, ROLE, ADMIN, and SYSID parameters for the CREATE ROLE command, focusing on adding roles to groups and setting administrative privileges. It also includes important notes on using ALTER ROLE and DROP ROLE, the behavior of VALID UNTIL, and the non-inheritable nature of role attributes.