
Roles

This section describes the administrative commands pertaining to roles.

Create a role.

create [ superuser ] role name [ extending base [, ...] ]
"{" subcommand; [...] "}" ;

where subcommand is one of

  set password := password

The command create role defines a new database role.

superuser

If specified, the created role will have the superuser status, and will be exempt from all permission checks (added in 7.0).

Prior to version 7.0, the superuser qualifier was mandatory, i.e. it was not possible to create non-superuser roles.

name

The name of the role to create.

extending base [, ...]

If specified, declares the parent roles for this role. The role inherits all the privileges of the parents.

The following subcommands are allowed in the create role block:

set password := password

Set the password for the role.

Added in v7.0
set permissions := permissions

Set permissions (added in 7.0) for the role. Value is a set of identifiers of either built-in permissions or permissions defined in schema.

Roles also gain the permissions of their base roles.

Roles that are superusers are implicitly granted all permissions, so setting this does not have any effect.

Note that permission names are not validated and it is possible to reference a permission that does not yet exist in any schema.

set branches := branches

Configure the set of branches that this role is allowed to access. When the role connects to an instance branch that is not in this set, the connection is refused.

If set to '*', this role can connect to all branches of the instance. Defaults to '*'.

Create a new role:

create role alice {
    set password := 'wonderland';
    set permissions := {
        sys::perm::data_modification,
        sys::perm::query_stats,
        cfg::perm::configure_timeouts,
        cfg::perm::configure_apply_access_policies,
        ext::auth::perm::auth_read,
        ext::auth::perm::auth_write,
    };
    set branches := {'main', 'staging'};
};

Alter an existing role.

alter role name "{" subcommand; [...] "}" ;

where subcommand is one of

  rename to newname
  set password := password
  extending ...

The command alter role changes the settings of an existing role.

name

The name of the role to alter.

The following subcommands are allowed in the alter role block:

rename to newname

Change the name of the role to newname.

extending ...

Alter the role parent list. The full syntax of this subcommand is:

extending name [, ...]
   [ first | last | before parent | after parent ]

This subcommand makes the role a child of the specified list of parent roles. The role inherits all the privileges of the parents.

It is possible to specify the position in the parent list using the following optional keywords:

  • first – insert parent(s) at the beginning of the parent list,

  • last – insert parent(s) at the end of the parent list,

  • before <parent> – insert parent(s) before an existing parent,

  • after <parent> – insert parent(s) after an existing parent.

Added in v7.0
set permissions := permissions

Set permissions (added in 7.0) for the role. Value is a set of identifiers of either built-in permissions or permissions defined in schema.

Roles that are superusers are implicitly granted all permissions, so setting this does not have any effect.

Note that permission names are not validated and it is possible to reference a permission that does not yet exist in the schema.

set branches := branches

Configure the set of branches that this role is allowed to access. When the role connects to an instance branch that is not in this set, the connection is refused.

If set to '*', this role can connect to all branches of the instance. Defaults to '*'.

Alter a role:

alter role alice {
    set password := 'new password';
    set branches := {'*'};
};
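
Because permission names are not validated, superusers ignore set permissions, and branches defaults to '*', role DDL is worth checking before it is applied. The following lint is an added example, not part of the original documentation or the database's own tooling: `lint_roles`, the `KNOWN_PERMISSIONS` allow-list (including the spelling `sys::perm::data_modification`) and the sample DDL are assumptions constructed for illustration.

```python
import re

# Assumed allow-list for illustration; in practice build it from the built-in
# permissions plus the permissions declared in your own schema.
KNOWN_PERMISSIONS = {
    "sys::perm::data_modification", "sys::perm::query_stats",
    "cfg::perm::configure_timeouts", "cfg::perm::configure_apply_access_policies",
    "ext::auth::perm::auth_read", "ext::auth::perm::auth_write",
}
HEADER = re.compile(r"\b(create|alter)\s+(superuser\s+)?role\s+(\w+)", re.I)
PERMS = re.compile(r"set\s+permissions\s*:=\s*\{([^}]*)\}", re.I)
BRANCHES = re.compile(r"set\s+branches\s*:=\s*(\{[^}]*\}|'[^']*')", re.I)

# Constructed sample input, not taken from a real deployment.
SAMPLE_DDL = """
create role reporter {
    set permissions := { sys::perm::query_stats, sys::perm::data_modifiction, };
    set branches := {'main'};
};
create superuser role ops {
    set permissions := { cfg::perm::configure_timeouts };
};
alter role reporter { set branches := {'*'}; };
"""

def lint_roles(ddl, known=KNOWN_PERMISSIONS):
    """Return (role, finding) tuples for create/alter role statements in ddl."""
    findings = []
    headers = list(HEADER.finditer(ddl))
    for i, h in enumerate(headers):
        # A statement's body runs up to the next role header (or end of input).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(ddl)
        verb, superuser, role = h.group(1).lower(), bool(h.group(2)), h.group(3)
        body = ddl[h.end():end]
        perms = PERMS.search(body)
        for name in (p.strip() for p in perms.group(1).split(",")) if perms else ():
            if name and name not in known:
                findings.append((role, f"unknown permission: {name}"))
        if superuser and perms:
            findings.append((role, "set permissions has no effect on a superuser"))
        branches = BRANCHES.search(body)
        if branches and "'*'" in branches.group(1):
            findings.append((role, "allowed on all branches"))
        elif verb == "create" and not branches:
            findings.append((role, "branches unset: defaults to all branches"))
    return findings

if __name__ == "__main__":
    print(*(f"{r}: {f}" for r, f in lint_roles(SAMPLE_DDL)), sep="\n")
```

The header matching is regex-based and assumes string literals in the DDL do not themselves contain role statements or braces.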

Remove a role.

drop role name ;

The command drop role removes an existing role.

Remove a role:

drop role alice;