Difference between revisions of "PostgreSQL predefined roles"
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
* https://www.postgresql.org/docs/current/predefined-roles.html | * https://www.postgresql.org/docs/current/predefined-roles.html | ||
− | < | + | |
− | pg_read_all_data Read all data (tables, views, sequences), as if having SELECT rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to. | + | * <code>[[pg_read_all_data]]</code> Read all data (tables, views, sequences), as if having SELECT rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to. |
− | pg_write_all_data Write all data (tables, views, sequences), as if having INSERT, UPDATE, and DELETE rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to. | + | * <code>pg_write_all_data</code> Write all data (tables, views, sequences), as if having INSERT, UPDATE, and DELETE rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to. |
− | pg_read_all_settings Read all configuration variables, even those normally visible only to superusers. | + | * <code>[[pg_read_all_settings]]</code> Read all configuration variables, even those normally visible only to [[superusers]]. |
− | pg_read_all_stats Read all pg_stat_* views and use various statistics related extensions, even those normally visible only to superusers. | + | * <code>[[pg_read_all_stats]]</code> Read all <code>[[pg_stat_*]]</code> views and use various statistics related extensions, even those normally visible only to superusers. |
− | pg_stat_scan_tables Execute monitoring functions that may take ACCESS SHARE locks on tables, potentially for a long time. | + | * <code>[[pg_stat_scan_tables]]</code> Execute monitoring functions that may take [[ACCESS SHARE locks]] on tables, potentially for a long time. |
− | pg_monitor Read/execute various monitoring views and functions. This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables. | + | * <code>[[pg_monitor]]</code> Read/execute various monitoring views and functions. This role is a member of <code>[[pg_read_all_settings]]</code>, <code>[[pg_read_all_stats]]</code> and <code>[[pg_stat_scan_tables]]</code>. |
− | pg_database_owner None. Membership consists, implicitly, of the current database owner. | + | * <code>pg_database_owner</code> None. Membership consists, implicitly, of the current database owner. |
− | pg_signal_backend Signal another backend to cancel a query or terminate its session. | + | * <code>pg_signal_backend</code> Signal another backend to cancel a query or terminate its session. |
− | pg_read_server_files Allow reading files from any location the database can access on the server with COPY and other file-access functions. | + | * <code>[[pg_read_server_files]]</code> Allow reading files from any location the database can access on the server with COPY and other file-access functions. |
− | pg_write_server_files Allow writing to files in any location the database can access on the server with COPY and other file-access functions. | + | * pg_write_server_files Allow writing to files in any location the database can access on the server with COPY and other file-access functions. |
− | pg_execute_server_program Allow executing programs on the database server as the user the database runs as with COPY and other functions which allow executing a server-side program. | + | * pg_execute_server_program Allow executing programs on the database server as the user the database runs as with COPY and other functions which allow executing a server-side program. |
− | pg_checkpoint Allow executing the CHECKPOINT command. | + | * pg_checkpoint Allow executing the CHECKPOINT command. |
− | pg_use_reserved_connections Allow use of connection slots reserved via reserved_connections. | + | * pg_use_reserved_connections Allow use of connection slots reserved via reserved_connections. |
− | pg_create_subscription Allow users with CREATE permission on the database to issue CREATE SUBSCRIPTION. | + | * <code>[[pg_create_subscription]]</code> Allow users with CREATE permission on the database to issue CREATE [[SUBSCRIPTION]]. |
− | |||
[[GRANT]] [[pg_read_all_data]] TO xxx; | [[GRANT]] [[pg_read_all_data]] TO xxx; | ||
+ | [[create user]] | ||
* [[Read only]] | * [[Read only]] |
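Review bot: On the added lines for pg_write_server_files, pg_execute_server_program, pg_checkpoint and pg_use_reserved_connections, the role names are left as plain text, while every other entry in this revision wraps the name in <code>...</code>; wrap these four as well so the list is consistent. The added [[create user]] line also sits directly under the GRANT statement with no bullet or blank line, so it runs into the same paragraph as the statement; make it a list item next to [[Read only]].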
Latest revision as of 16:12, 20 September 2024
- pg_read_all_data: Read all data (tables, views, sequences), as if having SELECT rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to.
- pg_write_all_data: Write all data (tables, views, sequences), as if having INSERT, UPDATE, and DELETE rights on those objects, and USAGE rights on all schemas, even without having it explicitly. This role does not have the role attribute BYPASSRLS set. If RLS is being used, an administrator may wish to set BYPASSRLS on roles which this role is GRANTed to.
- pg_read_all_settings: Read all configuration variables, even those normally visible only to superusers.
- pg_read_all_stats: Read all pg_stat_* views and use various statistics related extensions, even those normally visible only to superusers.
- pg_stat_scan_tables: Execute monitoring functions that may take ACCESS SHARE locks on tables, potentially for a long time.
- pg_monitor: Read/execute various monitoring views and functions. This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables.
- pg_database_owner: None. Membership consists, implicitly, of the current database owner.
- pg_signal_backend: Signal another backend to cancel a query or terminate its session.
- pg_read_server_files: Allow reading files from any location the database can access on the server with COPY and other file-access functions.
- pg_write_server_files: Allow writing to files in any location the database can access on the server with COPY and other file-access functions.
- pg_execute_server_program: Allow executing programs on the database server as the user the database runs as with COPY and other functions which allow executing a server-side program.
- pg_checkpoint: Allow executing the CHECKPOINT command.
- pg_use_reserved_connections: Allow use of connection slots reserved via reserved_connections.
- pg_create_subscription: Allow users with CREATE permission on the database to issue CREATE SUBSCRIPTION.

GRANT pg_read_all_data TO xxx;

create user
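
An audit query for the roles listed above, added here as an example and not part of the original wiki page: it lists every role that holds a predefined role directly or through a chain of memberships (which is how a grant of pg_monitor also confers pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables). It reads only the pg_roles and pg_auth_members catalogs; the output column names are chosen for this example.

```sql
-- Added example: who holds which predefined role, directly or transitively.
-- Role names beginning with pg_ are reserved, so the prefix identifies
-- predefined roles. pg_database_owner never appears here because its
-- membership is implicit (the current database owner), not stored.
WITH RECURSIVE membership AS (
    -- Direct grants of a predefined role.
    SELECT m.roleid AS predefined_oid,
           m.member AS member_oid,
           1        AS depth
    FROM pg_auth_members m
    JOIN pg_roles p ON p.oid = m.roleid
    WHERE p.rolname LIKE 'pg\_%'
  UNION
    -- Roles that are members of a role already found
    -- (PostgreSQL rejects circular memberships, so this terminates).
    SELECT ms.predefined_oid,
           m.member,
           ms.depth + 1
    FROM membership ms
    JOIN pg_auth_members m ON m.roleid = ms.member_oid
)
SELECT p.rolname       AS predefined_role,
       r.rolname       AS held_by,
       min(ms.depth)   AS depth,          -- 1 = granted directly
       r.rolcanlogin   AS can_login,
       -- pg_read_all_data / pg_write_all_data do not bypass RLS by
       -- themselves; this shows whether the holder has BYPASSRLS set.
       r.rolbypassrls  AS bypass_rls,
       -- File and program access on the database server: review first.
       p.rolname IN ('pg_read_server_files',
                     'pg_write_server_files',
                     'pg_execute_server_program') AS server_side_access
FROM membership ms
JOIN pg_roles p ON p.oid = ms.predefined_oid
JOIN pg_roles r ON r.oid = ms.member_oid
GROUP BY p.rolname, r.rolname, r.rolcanlogin, r.rolbypassrls
ORDER BY server_side_access DESC, predefined_role, held_by;
```

Rows with server_side_access = true and can_login = true are the ones to justify first; superusers are not listed unless they were also granted a role explicitly, since they bypass these checks altogether.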
See also
- PostgreSQL users, predefined roles: pg_read_all_data, pg_monitor, create role, .pgpass, PostgreSQL read only user
- GRANT ALL, GRANT, \ddp, GRANT USAGE, GRANT ALL PRIVILEGES, GRANT SELECT, View GRANTs on Redshift, has_table_privilege, has_schema_privilege, HAS_DATABASE_PRIVILEGE, SCHEMA, Privileges, GRANT EXECUTE