The catalog pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of "users" and "groups". A user is essentially just a role with the rolcanlogin flag set. Any role (with or without rolcanlogin) may have other roles as members; see pg_auth_members.
Since this catalog contains passwords, it must not be publicly readable. pg_roles is a publicly readable view on pg_authid that blanks out the password field.
Chapter 18 contains detailed information about user and privilege management.
Because user identities are cluster-wide, pg_authid is shared across all databases of a cluster: there is only one copy of pg_authid per cluster, not one per database.
Table 42-8. pg_authid Columns

| Name | Type | References | Description |
|---|---|---|---|
| rolname | name | | Role name |
| rolsuper | bool | | Role has superuser privileges |
| rolinherit | bool | | Role automatically inherits privileges of roles it is a member of |
| rolcreaterole | bool | | Role may create more roles |
| rolcreatedb | bool | | Role may create databases |
| rolcatupdate | bool | | Role may update system catalogs directly. (Even a superuser may not do this unless this column is true.) |
| rolcanlogin | bool | | Role may log in, that is, this role can be given as the initial session authorization identifier. |
| rolconnlimit | int4 | | For roles that can log in, this sets the maximum number of concurrent connections this role can make. -1 means no limit. |
| rolpassword | text | | Password (possibly encrypted); NULL if none |
| rolvaliduntil | timestamptz | | Password expiry time (only used for password authentication); NULL if no expiration |
| rolconfig | text[] | | Session defaults for run-time configuration variables |
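The following audit queries exercise the security-relevant points above (pg_authid must not be publicly readable, pg_roles masks the password, and several columns grant elevated privileges). They are an added example, not part of the PostgreSQL documentation, and assume a superuser session and that hashed rolpassword values in this release carry the "md5" prefix.

```sql
-- Added example, not from the PostgreSQL documentation. Run as a superuser.

-- 1. pg_authid must not be readable by PUBLIC. An ACL entry whose grantee is
--    empty before the '=' (e.g. "=r/postgres") would mean PUBLIC has SELECT.
SELECT relname, relacl
FROM pg_class
WHERE relname = 'pg_authid';

-- 2. Contrast with pg_roles, the public view that blanks the password field:
--    rolpassword comes back as '********' for every role.
SELECT rolname, rolpassword
FROM pg_roles;

-- 3. Roles whose pg_authid attributes deserve review:
--    - superusers, especially those that can log in directly
--    - roles with rolcatupdate (may write system catalogs, which even a
--      superuser cannot do otherwise)
--    - login roles whose password is not md5-hashed (assumed prefix for this
--      release) or whose rolvaliduntil has already passed
SELECT rolname,
       rolsuper,
       rolcatupdate,
       rolcanlogin,
       rolconnlimit,
       CASE
         WHEN rolpassword IS NULL       THEN 'none'
         WHEN rolpassword LIKE 'md5%'   THEN 'md5-hashed'
         ELSE 'cleartext'
       END AS password_form,
       rolvaliduntil,
       (rolvaliduntil IS NOT NULL AND rolvaliduntil < now()) AS password_expired
FROM pg_authid
WHERE rolsuper
   OR rolcatupdate
   OR (rolcanlogin AND (rolpassword NOT LIKE 'md5%' OR rolvaliduntil < now()))
ORDER BY rolsuper DESC, rolcatupdate DESC, rolname;
```

Because the third query reads rolpassword, it returns rows only from a session that may read pg_authid; run it from pg_roles instead if you only need the boolean flags and rolvaliduntil.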