superuser role attribute and the pg_execute_server_program, pg_read_server_files, and pg_write_server_files roles for you to use. However, as some operations require the superuser role, TencentDB for PostgreSQL provides the pg_tencentdb_superuser role to replace superuser.

| Permission | Description |
| --- | --- |
| CREATEDB | Create a database. |
| BYPASSRLS | Bypass all row-level security policy checks. |
| REPLICATION | Have the REPLICATION permission by default, and allow granting the REPLICATION permission to other users. |
| CREATEROLE | Have the same CREATEROLE permission as the community edition, except that the role cannot create the pg_read_server_files, pg_write_server_files, and pg_execute_server_program roles. |

| Object | Description |
| --- | --- |
| database | By default, have the permissions of all databases not owned by a superuser. |
| schema | By default, have the permissions of all schemas not owned by a superuser. |
| table/sequence | By default, have the permissions of all tables/sequences not owned by a superuser. |
| function | By default, have the permissions of all functions not owned by a superuser. |
| language | No permissions. |
| tablespace | No permissions. |
| FDW/foreign server | By default, have the permissions of all FDWs/foreign servers not owned by a superuser. |
| TYPE | By default, have the permissions of all TYPEs not owned by a superuser. |

pg_tencentdb_superuser is temporarily escalated to superuser and passes all permission checks.

pgstat_get_backend_current_activity function to view deadlock details, so that users can easily troubleshoot deadlocks themselves.

pg_signal_backend function is restricted, and processes of the pg_tencentdb_superuser role can only be killed by itself.

```
CREATE USER name [ [ WITH ] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
    | IN ROLE role_name [, ...]
    | IN GROUP role_name [, ...]
    | ROLE role_name [, ...]
    | ADMIN role_name [, ...]
    | USER role_name [, ...]
    | SYSID uid
```

```
CREATE ROLE name [ [ WITH ] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
    | IN ROLE role_name [, ...]
    | IN GROUP role_name [, ...]
    | ROLE role_name [, ...]
    | ADMIN role_name [, ...]
    | USER role_name [, ...]
    | SYSID uid
```

```
ALTER ROLE role_specification [ WITH ] option [ ... ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | CREATEROLE | NOCREATEROLE
    | INHERIT | NOINHERIT
    | LOGIN | NOLOGIN
    | REPLICATION | NOREPLICATION
    | BYPASSRLS | NOBYPASSRLS
    | CONNECTION LIMIT connlimit
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
    | VALID UNTIL 'timestamp'
```

```
-- Syntax example
GRANT <privilege> ON <object> TO <role>;
```

```
-- Syntax example
REVOKE <privilege> ON <object> FROM <role>;
```

```
-- Syntax example
GRANT <role name> TO <another role>;
```
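
The role and grant syntax above, combined into a least-privilege setup followed by an audit of elevated roles, as an added example that is not part of the TencentDB documentation. The names `app_readonly`, `report_user` and the `app` schema are hypothetical, and the audit assumes membership in `pg_tencentdb_superuser` can be granted like any other role.

```sql
-- Added example. Hypothetical names: app_readonly, report_user, schema "app".
-- Run as a role that holds CREATEROLE and owns the objects in schema "app".

-- 1. Group role: cannot log in and carries no elevated attributes.
CREATE ROLE app_readonly NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    NOREPLICATION NOBYPASSRLS;

-- 2. Login role: capped connections and an expiry date.
--    The password is a placeholder; replace it with a generated secret.
CREATE ROLE report_user LOGIN INHERIT NOCREATEDB NOCREATEROLE
    CONNECTION LIMIT 5
    PASSWORD 'replace-with-generated-secret'
    VALID UNTIL '2030-01-01';

-- 3. Object privileges go to the group role, never to the login role.
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readonly;

-- 4. Role membership gives the login role the group's privileges.
GRANT app_readonly TO report_user;

-- 5. Audit: every role that holds an elevated attribute, or that is a
--    direct or transitive member of pg_tencentdb_superuser.
WITH RECURSIVE admin_members AS (
    SELECT oid FROM pg_roles WHERE rolname = 'pg_tencentdb_superuser'
    UNION
    SELECT m.member
    FROM pg_auth_members m
    JOIN admin_members a ON m.roleid = a.oid
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolcreatedb,
       r.rolcreaterole,
       r.rolreplication,
       r.rolbypassrls,
       r.oid IN (SELECT oid FROM admin_members) AS in_tencentdb_superuser
FROM pg_roles r
WHERE r.rolcreatedb OR r.rolcreaterole OR r.rolreplication OR r.rolbypassrls
   OR r.oid IN (SELECT oid FROM admin_members)
ORDER BY r.rolname;
```

Application login roles such as `report_user` should not appear in the audit result; a row for one means it has picked up an attribute or membership beyond what step 2 granted.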