The catalog pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of “users” and “groups”. A user is essentially just a role with the rolcanlogin flag set. Any role (with or without rolcanlogin) may have other roles as members; see pg_auth_members.

Since this catalog contains passwords, it must not be publicly readable. pg_roles is a publicly readable view on pg_authid that blanks out the password field.

Chapter 18, Database Roles and Privileges contains detailed information about user and privilege management.

Because user identities are cluster-wide, pg_authid is shared across all databases of a cluster: there is only one copy of pg_authid per cluster, not one per database.

Table 43.8. pg_authid Columns

Name | Type | Description
---|---|---
rolname | name | Role name
rolsuper | bool | Role has superuser privileges
rolinherit | bool | Role automatically inherits privileges of roles it is a member of
rolcreaterole | bool | Role may create more roles
rolcreatedb | bool | Role may create databases
rolcatupdate | bool | Role may update system catalogs directly. (Even a superuser may not do this unless this column is true.)
rolcanlogin | bool | Role may log in. That is, this role can be given as the initial session authorization identifier
rolconnlimit | int4 | For roles that can log in, this sets the maximum number of concurrent connections this role can make. -1 means no limit
rolpassword | text | Password (possibly encrypted); NULL if none
rolvaliduntil | timestamptz | Password expiry time (only used for password authentication); NULL if no expiration
rolconfig | text[] | Session defaults for run-time configuration variables
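
The following audit queries are an added example, not part of the original documentation. They check the two properties stated above (pg_authid is not readable by ordinary roles, and pg_roles masks the password) and then review login roles using the columns of Table 43.8. They assume a superuser session, since only a superuser can read pg_authid directly.

```sql
-- 1. Non-superuser roles that can nevertheless SELECT from pg_authid.
--    has_table_privilege() evaluates the role's effective privileges,
--    including anything granted to PUBLIC. Expect zero rows.
SELECT r.rolname
FROM pg_roles r
WHERE NOT r.rolsuper
  AND has_table_privilege(r.rolname, 'pg_catalog.pg_authid', 'SELECT');

-- 2. Confirm that the public view blanks out the password field.
--    Expect a single masked value, never a stored password.
SELECT DISTINCT rolpassword FROM pg_roles;

-- 3. Review every role that can log in. The password itself is never
--    selected; only whether one is set and whether it has expired.
SELECT rolname,
       rolsuper,
       rolcreaterole,
       rolcreatedb,
       rolconnlimit,                       -- -1 means no limit
       CASE WHEN rolpassword IS NULL
            THEN 'none' ELSE 'set' END     AS password_state,
       rolvaliduntil,                      -- NULL means no expiration
       (rolvaliduntil IS NOT NULL
        AND rolvaliduntil < now())         AS password_expired
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolsuper DESC, rolname;
```

Any row returned by the first query means a non-superuser role can read stored passwords and the grant should be revoked. In the third result, login roles with superuser rights, no expiry, or no connection limit are the ones to justify individually.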