
Database: PostgreSQL role membership

2022-07-05 01:13:00 wx5d0241bb88268


21.3. Role membership

It is frequently convenient to group users together to ease management of privileges: that way, privileges can be granted to, or revoked from, a group as a whole. In PostgreSQL this is done by creating a role that represents the group, and then granting membership in the group role to individual user roles.

To set up a group role, first create the role:

CREATE ROLE name;

Typically a role being used as a group would not have the LOGIN attribute, though you can set it if you wish. Once the group role exists, you can add and remove members using the GRANT and REVOKE commands:

GRANT group_role TO role1, ... ;
REVOKE group_role FROM role1, ... ;

Membership can be granted to other group roles, too (since there isn't really any distinction between group roles and non-group roles). The database will not let you set up circular membership loops. Also, it is not permitted to grant membership in a role to PUBLIC.

The members of a group role can use the privileges of the role in two ways. First, every member of a group can explicitly do SET ROLE to temporarily "become" the group role. In this state, the database session has access to the privileges of the group role rather than the original login role, and any database objects created are considered owned by the group role, not the login role. Second, member roles that have the INHERIT attribute automatically have use of the privileges of roles of which they are members, including any privileges inherited by those roles. As an example, suppose we have done:

CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;

Immediately after connecting as role joe, a database session will have use of privileges granted directly to joe plus any privileges granted to admin, because joe "inherits" admin's privileges. However, privileges granted to wheel are not available, because even though joe is indirectly a member of wheel, the membership is via admin, which has the NOINHERIT attribute. After:

SET ROLE admin;

the session would have use of only those privileges granted to admin, and not those granted to joe. After:

SET ROLE wheel;

the session would have use of only those privileges granted to wheel, and not those granted to joe or admin. The original privilege state can be restored with any of:

SET ROLE joe;
SET ROLE NONE;
RESET ROLE;


The SET ROLE command always allows selecting any role that the original login role is directly or indirectly a member of. Thus, in the above example, it is not necessary to become admin before becoming wheel.



In the SQL standard, there is a clear distinction between users and roles, and users do not automatically inherit privileges while roles do. This behavior can be obtained in PostgreSQL by giving roles being used as SQL roles the INHERIT attribute, while giving roles being used as SQL users the NOINHERIT attribute. However, PostgreSQL defaults to giving all roles the INHERIT attribute, for backward compatibility with pre-8.1 releases (in which users always had use of the permissions granted to groups they were members of).


The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute. Continuing the above example, we might choose to grant CREATEDB and CREATEROLE to the admin role. Then a session connecting as role joe would not have these privileges immediately, only after doing SET ROLE admin.
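The following script ties together the joe/admin/wheel example and the non-inheritance of CREATEDB above. It is an added example, not from the PostgreSQL documentation; it assumes a superuser session in a scratch database, and the audit_log table and sandbox database are constructed names used only to make the privilege checks observable.

```sql
-- Added example (not from the PostgreSQL docs): run as a superuser in a
-- scratch database; audit_log is a constructed sample table.
CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT CREATEDB;   -- admin also carries the CREATEDB attribute
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;

CREATE TABLE audit_log (id int, note text);
GRANT SELECT ON audit_log TO wheel;     -- only wheel may read it

-- USAGE = privileges usable without SET ROLE; MEMBER = may SET ROLE to it.
SELECT pg_has_role('joe', 'admin', 'USAGE')  AS admin_usage,   -- true:  joe inherits admin
       pg_has_role('joe', 'wheel', 'USAGE')  AS wheel_usage,   -- false: admin is NOINHERIT
       pg_has_role('joe', 'wheel', 'MEMBER') AS wheel_member,  -- true:  SET ROLE wheel is allowed
       has_table_privilege('joe', 'audit_log', 'SELECT') AS joe_reads_log;  -- false

-- The same facts as seen from a session connected as joe (psql meta-command;
-- authentication for joe must be permitted by pg_hba.conf):
-- \connect - joe
-- SELECT current_user, session_user;   -- joe | joe
-- SELECT * FROM audit_log;             -- ERROR: permission denied
-- CREATE DATABASE sandbox;             -- ERROR: permission denied (CREATEDB is not inherited)
-- SET ROLE wheel;                      -- no need to become admin first
-- SELECT current_user, session_user;   -- wheel | joe
-- SELECT * FROM audit_log;             -- succeeds now
-- SET ROLE admin;
-- CREATE DATABASE sandbox;             -- succeeds only after SET ROLE admin
-- RESET ROLE;
-- DROP DATABASE sandbox;               -- as a superuser again, before dropping admin

-- Cleanup: dropping a group role revokes its memberships automatically,
-- and the former member roles are otherwise unaffected.
DROP TABLE audit_log;
DROP ROLE wheel;
DROP ROLE admin;
DROP ROLE joe;
```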

To destroy a group role, use DROP ROLE:

DROP ROLE name;

Any memberships in the group role are automatically revoked (but the member roles are not otherwise affected).



Copyright notice
This article was written by [wx5d0241bb88268]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202141041536478.html