The catalog pg_authid contains information about
database authorization identifiers (roles). A role subsumes the concepts
of "users" and "groups". A user is essentially just a
role with the rolcanlogin flag set. Any role (with or
without rolcanlogin) can have other roles as members; see
pg_auth_members.
Since this catalog contains passwords, it must not be publicly readable.
pg_roles
is a publicly readable view on
pg_authid that blanks out the password field.
Chapter 19 contains detailed information about user and
privilege management.
Because user identities are cluster-wide,
pg_authid
is shared across all databases of a cluster: there is only one
copy of pg_authid per cluster, not
one per database.
Table 44-8. pg_authid Columns
| Name | Type | Description |
|---|
| rolname | name | Role name |
| rolsuper | bool | Role has superuser privileges |
| rolinherit | bool | Role automatically inherits privileges of roles it is a
member of |
| rolcreaterole | bool | Role can create more roles |
| rolcreatedb | bool | Role can create databases |
| rolcatupdate | bool | Role can update system catalogs directly. (Even a superuser cannot do
this unless this column is true)
|
| rolcanlogin | bool | Role can log in. That is, this role can be given as the initial
session authorization identifier
|
| rolconnlimit | int4 | For roles that can log in, this sets maximum number of concurrent
connections this role can make. -1 means no limit
|
| rolpassword | text | Password (possibly encrypted); NULL if none |
| rolvaliduntil | timestamptz | Password expiry time (only used for password authentication);
NULL if no expiration |
| rolconfig | text[] | Session defaults for run-time configuration variables |
