11 Apr 2024 · 43 minute read
By Raminder Singh, Engineering
Controlling access to data in Postgres is paramount for data security. Postgres provides a robust and flexible permissions model for users to manage access to their data. The permissions model is based on the familiar object, privilege, role model but has subtleties which must be understood by a database administrator to create airtight access.
Database Object - Any entity created in the database. Tables, foreign tables, views, materialized views, types, domains, operators, functions, triggers etc. are database objects.
Privilege - Controls what operation is allowed to be run on a database object. For example, the select privilege on a table controls the ability to read data from the table.
Role - A user or a group. A user is someone who can login to the database. A group is a collection of users to make it easier to manage privileges for users. Unlike a user, a group can't login to the database.
Owner - Every database object has an owner. The owner has complete control over the object. They can modify or delete the object or grant privileges to other users and groups.
Create users with login capability:
create role junior_dev login password 'password';
create role senior_dev login password 'password';
Create groups (roles without login):
create role developers nologin;
Grant privileges on objects:
grant create on schema public to junior_dev;
grant select on table public.apps to senior_dev;
Grant privileges with the option to grant to others:
grant select on public.apps to postgres with grant option;
Revoke privileges:
revoke select on public.apps from senior_dev;
Add users to groups:
grant developers to junior_dev;
grant developers to senior_dev;
Users can impersonate groups they are members of:
set role developers;
reset role;
Revoke group membership:
revoke developers from senior_dev;
Control group membership abilities with options:
set - ability to impersonate the groupinherit - ability to inherit permissions from the groupadmin - ability to add/remove other users from the groupgrant developers to junior_dev with admin option;
Set default privileges for future objects:
alter default privileges in schema public grant select on tables to senior_dev;
View default privileges:
\ddp public
Common role attributes:
login - controls the role's ability to loginsuperuser - controls whether the role is a superusercreatedb - controls whether the role can create databasescreaterole - controls whether the role can create other rolesreplication - controls whether the role can initiate replicationbypassrls - controls whether the role can bypass row level securityconnection limit - limits maximum number of connectionsinherit - controls whether the role can inherit permissions from other rolesSuperuser - A role with the superuser attribute set. Very powerful and bypasses all privilege checks except authentication. Should be used with care. Only superusers can create other superuser roles.
Public - A group role which every other role is automatically a part of. Used to provide common privileges. Can't be deleted, but its privileges can be revoked. Provides default privileges:
connect - ability to connect to the databasetemporary - ability to create temporary tablesexecute - ability to execute functionsusage - ability to use objects like domains, languages or typesA role's privileges are the union of:
public role (implicit membership)public role is a role which every other role is implicitly a member ofsuperuser roles bypass all privilege checks and should be used with caregrant command only grants privileges on existing objectsFetched March 31, 2026