Database Roles

To make managing permissions easier, use roles. A role is a collection of privileges that a superuser can grant to (or revoke from) one or more users or other roles. Using roles avoids having to manually grant sets of privileges user by user. For example, several users might be assigned to the administrator role. You can grant or revoke privileges to or from the administrator role, and all users with access to that role are affected by the change.

Role Hierarchies

You can also use roles to build hierarchies of roles; for example, you can create an administrator role that has privileges granted non-administrator roles as well as to the privileges granted directly to the administrator role. See also Role Hierarchy.

Roles do no supersede manually-granted privileges, so privileges directly assigned to a user are not altered by roles. Roles just give additional privileges to the user.

Creating and Using a Role

Using a role follows this general flow:

1. A superuser creates a role using the CREATE ROLE statement.
2. A superuser or object owner grants privileges to the role using one of the GRANT statements.
3. A superuser or users with administrator access to the role grant users and other roles access to the role.
4. Users granted access to the role use the SET ROLE command to enable that role and gain the role's privileges.

You can do steps 2 and 3 in any order. However, granting access to a role means little until the role has privileges granted to it.

Roles on Management Console

When users sign in to the Management Console (MC), what they can view or do is governed by MC roles. For details, see About MC Users and About MC Privileges and Roles.