104

I know there are other threads that are similar, but I am not sure if they are relevant to Postgres.

I am reading the PostgreSQL documentation which it reads as follows:

Note: As explained in Chapter 20, PostgreSQL actually does privilege management in terms of "roles". In this chapter, we consistently use database user to mean "role with the LOGIN privilege".

Does this basically mean a role is a database user? Or is there a difference between a role and a user? Do users have the potential to not have full privileges while roles are users who always do have full privileges?

Improve this question
1
  • 7
    From the manual "CREATE USER is now an alias for CREATE ROLE. The only difference is that when the command is spelled CREATE USER, LOGIN is assumed by default, whereas NOLOGIN is assumed when the command is spelled CREATE ROLE"
    – user330315
    Commented May 29, 2017 at 6:16

2 Answers 2

Reset to default
126

Previous versions of Postgres, and some other DB systems, have separate concepts of "groups" (which are granted access to database objects) and "users" (who can login, and are members of one or more groups).

In modern versions of Postgres, the two concepts have been merged: a "role" can have the ability to login, the ability to "inherit" from other roles (like a user being a member of a group, or a group being a member of another group), and access to database objects.

For convenience, many tools and manuals refer to any user with login permission as a "user" or "login role", and any without as a "group" or "group role", since it is useful and common practice to keep roughly to that structure. This is entirely a convention of terminology, and to understand the permissions, you need only understand the options available when creating roles and granting them access.

Again purely for convenience, Postgres still accepts commands using the old terminology, such as CREATE USER and CREATE GROUP which are both aliases for CREATE ROLE. If you write CREATE USER, the LOGIN permission will be added to the new role by default, to emulate the old behaviour when that was a separate command.

Improve this answer
2
  • 2
    I know this is an old question, but can roles and users be seen as users and groups like in Unix systems?
    – CybeX
    Commented May 4, 2017 at 13:07
  • 4
    @KGCybeX The older concept of "users" and "groups" can be seen very similar to the same terms in Unix, and it's conventional to keep that distinction. But a "role" in newer versions can act like either a user or a group - or both - so the analogy isn't that useful. A better analogy is an inheritance hierarchy: you log in with a role, and get any permissions granted directly to that role, plus permissions it inherits from other roles, plus permissions those roles inherit from other roles, etc.
    – IMSoP
    Commented May 4, 2017 at 13:40
1

As explained in AWS documentation,

Users, groups, and roles are the same thing in PostgreSQL, with the only difference being that users have permission to log in by default. The CREATE USER and CREATE GROUP statements are actually aliases for the CREATE ROLE statement.

User and Role relationship diagram

In other relational database management systems (RDBMS) like Oracle, users and roles are two different entities. In Oracle, a role cannot be used to log in to the database. The roles are used only to group grants and other roles. This role can then be assigned to one or more users to grant them all the permissions. For more details with a focus on how to migrate users, roles, and grants from Oracle to PostgreSQL, see the AWS blog post Use SQL to map users, roles, and grants from Oracle to PostgreSQL.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.