Granting Administrative Access to a Role

A superuser can assign a user or role administrative access to a role by supplying the optional WITH ADMIN OPTION argument to the GRANT statement. Administrative access allows the user to grant and revoke access to the role for other users (including granting them administrative access). Giving users the ability to grant roles lets a superuser delegate role administration to other users.

Example

The following example demonstrates granting the user bob administrative access to the commenter role, then connecting as bob and granting a role to another user.

  1. Connect to the database as a superuser (or a user with administrative access):

    => \c - dbadmin
  2. Grant administrative options on the commenter role to Bob:

    => GRANT commenter TO Bob WITH ADMIN OPTION;
  3. Connect to the database as user Bob:

    => \c - Bob
  4. As user Bob, grant the commenter role to Alice:

    => GRANT commenter TO Alice;

Users with administrative access to a role can also grant other users administrative access:

=> GRANT commenter TO alice WITH ADMIN OPTION;
GRANT ROLE

As with all user privilege models, database superusers should be cautious when granting any user a role with administrative privileges. For example, if the database superuser grants two users a role with administrative privileges, both users can revoke the role of the other user. This example shows granting the appadmin role (with administrative privileges) to users bob and alice. After each user has been granted the appadmin role, either user can connect as the other with full privileges.

=> GRANT appadmin TO bob, alice WITH ADMIN OPTION;
GRANT ROLE
=> \connect - bob
You are now connected as user "bob".
=> REVOKE appadmin FROM alice;
REVOKE ROLE
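
The following is an added example, not part of the original documentation: a Python replay of role GRANT/REVOKE statements that reports which roles have more than one holder of the admin option, the situation the appadmin example above warns about. The log format, the user carol, the superuser list, and the case-insensitive treatment of names are assumptions; the log entries are constructed from the statements on this page.

```python
import re
from collections import defaultdict

# Matches only the role GRANT/REVOKE forms shown on this page.
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(\w+)\s+(?:TO|FROM)\s+([\w\s,]+?)"
    r"(\s+WITH\s+ADMIN\s+OPTION)?\s*;?\s*$", re.IGNORECASE)

# Constructed sample: (session user, statement) pairs.
LOG = [
    ("dbadmin", "GRANT commenter TO Bob WITH ADMIN OPTION;"),
    ("Bob", "GRANT commenter TO Alice;"),
    ("alice", "GRANT commenter TO carol;"),  # alice lacks the admin option
    ("dbadmin", "GRANT appadmin TO bob, alice WITH ADMIN OPTION;"),
]

def replay(log, superusers=("dbadmin",)):
    """Replay the log; return (members, admins, rejected)."""
    members = defaultdict(set)  # role -> users holding the role
    admins = defaultdict(set)   # role -> users holding it WITH ADMIN OPTION
    rejected = []               # statements the actor had no right to issue
    for actor, stmt in log:
        m = STMT.match(stmt)
        if not m:
            continue
        verb, role = m.group(1).upper(), m.group(2).lower()
        actor = actor.lower()  # assumption: unquoted names compare case-insensitively
        if actor not in superusers and actor not in admins[role]:
            rejected.append((actor, stmt))
            continue
        for user in (u.strip().lower() for u in m.group(3).split(",")):
            if verb == "GRANT":
                members[role].add(user)
                if m.group(4):
                    admins[role].add(user)
            else:  # assumption: REVOKE removes the role and its admin option
                members[role].discard(user)
                admins[role].discard(user)
    return members, admins, rejected

def shared_admin_roles(admins):
    """Roles with 2+ admin holders: each holder can revoke the role from the others."""
    return {r: sorted(u) for r, u in admins.items() if len(u) > 1}

if __name__ == "__main__":
    members, admins, rejected = replay(LOG)
    print("shared admin roles:", shared_admin_roles(admins))
    print("rejected statements:", rejected)
```
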