6
Group roles
Granting group membership to a role
student=> GRANT dba TO alice;
Revoking group membership from a role
student=> REVOKE dba FROM alice;
Group role membership control
any role can grant membership in itself to another role
a role with the SUPERUSER attribute can grant membership
in any role to any role
a role with the CREATEROLE attribute can grant membership
in any non-superuser role to any role
student alice
dba
dba
alice
A role can be granted membership in another role, just as a Unix user can
be included in a group.
PostgreSQL does not distinguish between user roles and group roles,
allowing any role to be a member of any other. Cascading grants may occur,
unless they result in a cycle.
When a role is granted membership in another role, it obtains access to all
the attributes (and privileges, more on them later) of the group role. The
inclusion done with the GRANT command.
The role that executes the GRANT command is paramount. The roles that
may grant (or revoke) membership in a given role are:
●
the role itself,
●
roles with the SUPERUSER attribute,
●
roles with the CREATEROLE attribute (as long as the given role is not a
superuser).
To take advantage of the newly acquired properties, you must first switch to
the role by using the SET ROLE command.