{"id":28634,"date":"2023-10-17T08:54:39","date_gmt":"2023-10-17T06:54:39","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=28634"},"modified":"2023-12-15T11:04:58","modified_gmt":"2023-12-15T10:04:58","slug":"postgresql-managing-multiple-users-with-roles","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/","title":{"rendered":"PostgreSQL: Managing multiple “users” with roles"},"content":{"rendered":"

Having multiple users but don’t want them to use the same account?
In such a case you can use a role to group your users together.
And even better you can set default privileges for that role before creating anything important in your database to have your access privileges setup right from the get go!
In PostgreSQL terms the only difference between a role and an user is that the user comes with login permission from the start.<\/p>\n\n\n

Setup<\/h2>\n\n\n\n

Lets start by creating a database, an admin_role and two admins.<\/p>\n\n\n

\npostgres=# create database role_privileges;\nCREATE DATABASE\npostgres=# create role admin_role with nologin;\nCREATE ROLE\npostgres=# create user admin_1;\nCREATE ROLE\npostgres=# create user admin_2;\nCREATE ROLE\n<\/pre><\/div>\n\n\n
Giving them the needed connection permissions and then adding them to the admin_role.<\/p>\n\n\n
\npostgres=# grant connect on database role_privileges to admin_role ;\nGRANT\npostgres=# grant connect, create on database role_privileges to admin_role ;\nGRANT\npostgres=# grant admin_role to admin_1;\nGRANT ROLE\npostgres=# grant admin_role to admin_2;\nGRANT ROLE\n<\/pre><\/div>\n\n\n
Lets have a quick look at the roles. As you can see the admins are part of the admin_role.<\/p>\n\n\n
\npostgres=# \\du\n                                     List of roles\n Role name  |                         Attributes                         |  Member of\n------------+------------------------------------------------------------+--------------\n admin_1    |                                                            | {admin_role}\n admin_2    |                                                            | {admin_role}\n admin_role | Cannot login                                               | {}\n postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS | {}\n<\/pre><\/div>\n\n\n
Now lets create a schema, schema_1, which can be accessed by the admin_role, as well as making it its owner.<\/p>\n\n\n
\npostgres=# \\c role_privileges\nYou are now connected to database "role_privileges" as user "postgres".\nrole_privileges=# create schema schema_1 authorization admin_role;\nCREATE SCHEMA\nrole_privileges=# alter schema schema_1 owner to admin_role ;\nALTER SCHEMA\n<\/pre><\/div>\n\n\n
To not have to grant the privileges for every new table that is created we grant select, update and insert for all tables to the admin_role. This will cause any future tables, created by the admin_role, to have these privileges.<\/p>\n\n\n
\nrole_privileges=&gt; alter default privileges in schema schema_1 grant select, update, insert on tables to admin_role ;\nALTER DEFAULT PRIVILEGES\nrole_privileges=&gt; \\ddp\n                 Default access privileges\n   Owner    |  Schema  | Type  |     Access privileges\n------------+----------+-------+---------------------------\n admin_role | schema_1 | table | admin_role=arw\/admin_role\n<\/pre><\/div>\n\n\n
Creating and reading tables<\/h2>\n\n\n\n
Alright, now lets create some tables as admin_1.<\/p>\n\n\n
\npsql -U admin_1 -d role_privileges;\nrole_privileges=&gt; create table schema_1.admin_1_random as select s, md5(random()::text) from generate_Series(1,2) s;\nSELECT 2\nrole_privileges=&gt; select * from schema_1.admin_1_random ;\n s |               md5\n---+----------------------------------\n 1 | 1c5b383c15bb1008e3ad4605656be9e5\n 2 | c76cd774416c3c515d107236a6371f1c\n(2 rows)\n<\/pre><\/div>\n\n\n
Nice, looking good so far. Lets see if we can read that as admin_2.<\/p>\n\n\n
\npsql -U admin_2 -d role_privileges;\nrole_privileges=&gt; select * from schema_1.admin_1_random ;\nERROR:  permission denied for table admin_1_random\n<\/pre><\/div>\n\n\n
Probably not what you were expecting. Lets have a closer look at the table permissions. Since we created the table as admin_1 it is owned by admin_1, not surprising and also how it should be. Let’s check what kind of privileges are active on the table.<\/p>\n\n\n
\nrole_privileges=&gt; \\dt schema_1.admin_1_random \n              List of relations\n  Schema  |      Name      | Type  |  Owner\n----------+----------------+-------+---------\n schema_1 | admin_1_random | table | admin_1\n(1 row)\n\nrole_privileges=&gt; \\ddp\n                 Default access privileges\n   Owner    |  Schema  | Type  |     Access privileges\n------------+----------+-------+---------------------------\n admin_role | schema_1 | table | admin_role=arw\/admin_role\n(1 row)\n<\/pre><\/div>\n\n\n
As we can see our default privileges have been applied. And as our admins are members of the admin_role you’d think they would be able to read each others tables freely.
That is not right, as the privileges have been granted to the admin_role and not directly to the admin users.<\/p>\n\n\n\n
Correct way to use a group role<\/h2>\n\n\n\n
To have the desired privileges apply correctly the tables have to be created by the admin_role instead of on of the admin users.
So let’s create a new table as the admin_role and check if we can read that table as an admin user<\/p>\n\n\n
\nrole_privileges=&gt; set role admin_role ;\nSET\nrole_privileges=&gt; create table schema_1.admin_role_random as select s, md5(random()::text) from generate_Series(1,2) s;\nSELECT 2\nrole_privileges=&gt; \\q\npsql -U admin_2 -d role_privileges;\nrole_privileges=&gt; select * from schema_1.admin_role_random ;\ns | md5\n---+----------------------------------\n1 | 4f9f6030e61c810d94e18db2bc167c6b\n2 | 91b7c3d7f79aee9e5273adc387267e58\n(2 rows)\nrole_privileges=&gt; \\q\npsql -U admin_1 -d role_privileges;\n\nrole_privileges=&gt; select * from schema_1.admin_role_random ;\ns | md5\n---+----------------------------------\n1 | 4f9f6030e61c810d94e18db2bc167c6b\n2 | 91b7c3d7f79aee9e5273adc387267e58\n(2 rows)\n<\/pre><\/div>\n\n\n
Very nice, now that is the expected behavior. Both admins are able to read the newly created table. <\/p>\n\n\n\n
The permissions also show the ownership of admin_role. Just to make it clear the attributes of the first table are displayed as well.<\/p>\n\n\n
\nrole_privileges=&gt; \\dt schema_1.admin_role_random\n                 List of relations\n  Schema  |       Name        | Type  |   Owner\n----------+-------------------+-------+------------\n schema_1 | admin_role_random | table | admin_role\n(1 row)\n\nrole_privileges=&gt; \\dt schema_1.admin_1_random\n              List of relations\n  Schema  |      Name      | Type  |  Owner\n----------+----------------+-------+---------\n schema_1 | admin_1_random | table | admin_1\n(1 row)\n<\/pre><\/div>\n\n\n
If you use a role to group users that will create tables these will have to created with the role itself. <\/p>\n\n\n\n
If you are looking for an easy way to configure a role to be able to read everything in a database, you should check out pg_read_all_data<\/a> defined role which is available from PostgreSQL 14+ <\/p>\n","protected":false},"excerpt":{"rendered":"
Having multiple users but don’t want them to use the same account?In such a case you can use a role to group your users together.And even better you can set default privileges for that role before creating anything important in your database to have your access privileges setup right from the get go!In PostgreSQL terms […]<\/p>\n","protected":false},"author":53,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[198,83],"tags":[2602],"type_dbi":[2749],"class_list":["post-28634","post","type-post","status-publish","format-standard","hentry","category-database-management","category-postgresql","tag-postgresql-2","type-postgresql"],"acf":[],"yoast_head":"\nPostgreSQL: Managing multiple "users" with roles - dbi Blog<\/title>\n<meta name=\"description\" content=\"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PostgreSQL: Managing multiple "users" with roles\" \/>\n<meta property=\"og:description\" content=\"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-17T06:54:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-15T10:04:58+00:00\" \/>\n<meta name=\"author\" content=\"Daniel Burgert\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Burgert\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/\"},\"author\":{\"name\":\"Daniel Burgert\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/2b718a1932b49a1889d67f9a86a89049\"},\"headline\":\"PostgreSQL: Managing multiple “users” with roles\",\"datePublished\":\"2023-10-17T06:54:39+00:00\",\"dateModified\":\"2023-12-15T10:04:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/\"},\"wordCount\":475,\"commentCount\":2,\"keywords\":[\"postgresql\"],\"articleSection\":[\"Database management\",\"PostgreSQL\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/\",\"name\":\"PostgreSQL: Managing multiple \\\"users\\\" with roles - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\"},\"datePublished\":\"2023-10-17T06:54:39+00:00\",\"dateModified\":\"2023-12-15T10:04:58+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/2b718a1932b49a1889d67f9a86a89049\"},\"description\":\"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/postgresql-managing-multiple-users-with-roles\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PostgreSQL: Managing multiple “users” with roles\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/2b718a1932b49a1889d67f9a86a89049\",\"name\":\"Daniel Burgert\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g\",\"caption\":\"Daniel Burgert\"},\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/author\\\/daniel-burgert\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"PostgreSQL: Managing multiple \"users\" with roles - dbi Blog","description":"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/","og_locale":"en_US","og_type":"article","og_title":"PostgreSQL: Managing multiple \"users\" with roles","og_description":"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!","og_url":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/","og_site_name":"dbi Blog","article_published_time":"2023-10-17T06:54:39+00:00","article_modified_time":"2023-12-15T10:04:58+00:00","author":"Daniel Burgert","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Daniel Burgert","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/"},"author":{"name":"Daniel Burgert","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/2b718a1932b49a1889d67f9a86a89049"},"headline":"PostgreSQL: Managing multiple “users” with roles","datePublished":"2023-10-17T06:54:39+00:00","dateModified":"2023-12-15T10:04:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/"},"wordCount":475,"commentCount":2,"keywords":["postgresql"],"articleSection":["Database management","PostgreSQL"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/","url":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/","name":"PostgreSQL: Managing multiple \"users\" with roles - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2023-10-17T06:54:39+00:00","dateModified":"2023-12-15T10:04:58+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/2b718a1932b49a1889d67f9a86a89049"},"description":"Having multiple users in your PostgreSQL database, but don't want them to use the same account? In such a case you can use roles to group your users together. And even better you can set default privileges for these roles before creating anything important in your database to have your access privileges setup right from the get go!","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/postgresql-managing-multiple-users-with-roles\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"PostgreSQL: Managing multiple “users” with roles"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/2b718a1932b49a1889d67f9a86a89049","name":"Daniel Burgert","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/588e7739ac2dce782acd95efdd53318b7fd00590c5bfadf19520a9ab57003e31?s=96&d=mm&r=g","caption":"Daniel Burgert"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/daniel-burgert\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28634","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=28634"}],"version-history":[{"count":18,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28634\/revisions"}],"predecessor-version":[{"id":28652,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/28634\/revisions\/28652"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=28634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=28634"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=28634"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=28634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}