Code Reference

Roles & Privileges

Postgres · Reference cheat sheet

Roles & Privileges

Postgres · Reference cheat sheet


📋 Overview

Postgres uses roles for authentication and authorization. Prefer least privilege: separate owner, migrator, and runtime app roles.

🔧 Core concepts

ConceptMeaning
LOGIN roleCan connect (user)
NOLOGIN roleGroup / ownership bucket
GRANT / REVOKEPrivilege changes
SEARCH_PATHSchema resolution order
Row Level SecurityPer-row policies (advanced)
PrivilegeTypical on tables
SELECTRead
INSERT / UPDATE / DELETEWrite
TRUNCATEFast empty
REFERENCESFK creation
USAGE on schemaSee objects in schema

💡 Examples

Create app role:

CREATE ROLE app_login LOGIN PASSWORD 'change-me';
CREATE ROLE app_owner NOLOGIN;
GRANT app_owner TO migrator; -- migrator assumes ownership duties

Grants:

GRANT USAGE ON SCHEMA public TO app_login;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_login;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_login;

Inspect:

\du
SELECT * FROM information_schema.role_table_grants WHERE grantee = 'app_login';

⚠️ Pitfalls

  • Objects created by superuser may not grant to app roles unless ALTER DEFAULT PRIVILEGES is set.
  • Public schema open grants are a common over-exposure.
  • Rotating passwords in URLs requires updating all poolers/clients.

On this page