alter_role(7)

1ALTER ROLE()                     SQL Commands                     ALTER ROLE()
2
3
4

NAME

6       ALTER ROLE - change a database role
7
8

SYNOPSIS

10       ALTER ROLE name [ [ WITH ] option [ ... ] ]
11
12       where option can be:
13
14             SUPERUSER | NOSUPERUSER
15           | CREATEDB | NOCREATEDB
16           | CREATEROLE | NOCREATEROLE
17           | CREATEUSER | NOCREATEUSER
18           | INHERIT | NOINHERIT
19           | LOGIN | NOLOGIN
20           | CONNECTION LIMIT connlimit
21           | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
22           | VALID UNTIL 'timestamp'
23
24       ALTER ROLE name RENAME TO newname
25
26       ALTER ROLE name SET configuration_parameter { TO | = } { value | DEFAULT }
27       ALTER ROLE name RESET configuration_parameter
28
29

DESCRIPTION

31       ALTER ROLE changes the attributes of a PostgreSQL role.
32
33       The  first  variant  of  this command listed in the synopsis can change
34       many of the role attributes that can be specified in CREATE ROLE  [cre‐
35       ate_role(7)].   (All  the  possible attributes are covered, except that
36       there are no options for adding  or  removing  memberships;  use  GRANT
37       [grant(7)]  and REVOKE [revoke(7)] for that.)  Attributes not mentioned
38       in the command retain their previous settings.  Database superusers can
39       change  any  of  these  settings for any role.  Roles having CREATEROLE
40       privilege can change any of these settings, but only for  non-superuser
41       roles.  Ordinary roles can only change their own password.
42
43       The  second  variant changes the name of the role.  Database superusers
44       can rename any role.  Roles having CREATEROLE privilege can rename non-
45       superuser roles.  The current session user cannot be renamed.  (Connect
46       as a different user if you need to  do  that.)   Because  MD5-encrypted
47       passwords  use  the  role  name  as cryptographic salt, renaming a role
48       clears its password if the password is MD5-encrypted.
49
50       The third and the fourth variant change a role's session default for  a
51       specified configuration variable. Whenever the role subsequently starts
52       a new session, the specified value becomes the session  default,  over‐
53       riding  whatever  setting  is  present  in  postgresql.conf or has been
54       received from the postgres command line.  (For  a  role  without  LOGIN
55       privilege, session defaults have no effect.)  Ordinary roles can change
56       their own session defaults.  Superusers  can  change  anyone's  session
57       defaults.   Roles  having  CREATEROLE privilege can change defaults for
58       non-superuser roles.  Certain variables cannot be set this way, or  can
59       only be set if a superuser issues the command.
60

PARAMETERS

62       name   The name of the role whose attributes are to be altered.
63
64       SUPERUSER
65
66       NOSUPERUSER
67
68       CREATEDB
69
70       NOCREATEDB
71
72       CREATEROLE
73
74       NOCREATEROLE
75
76       CREATEUSER
77
78       NOCREATEUSER
79
80       INHERIT
81
82       NOINHERIT
83
84       LOGIN
85
86       NOLOGIN
87
88       CONNECTION LIMIT connlimit
89
90       PASSWORD password
91
92       ENCRYPTED
93
94       UNENCRYPTED
95
96       VALID UNTIL 'timestamp'
97              These  clauses  alter  attributes  originally set by CREATE ROLE
98              [create_role(7)]. For more information, see the CREATE ROLE ref‐
99              erence page.
100
101       newname
102              The new name of the role.
103
104       configuration_parameter
105
106       value  Set  this role's session default for the specified configuration
107              parameter to the given value. If value is  DEFAULT  or,  equiva‐
108              lently,  RESET  is  used,  the role-specific variable setting is
109              removed, so the role will inherit the system-wide  default  set‐
110              ting  in  new sessions. Use RESET ALL to clear all role-specific
111              settings.
112
113              See SET [set(7)] and in the documentation for  more  information
114              about allowed parameter names and values.
115

NOTES

117       Use  CREATE  ROLE  [create_role(7)]  to  add  new  roles, and DROP ROLE
118       [drop_role(7)] to remove a role.
119
120       ALTER ROLE cannot change a role's memberships.   Use  GRANT  [grant(7)]
121       and REVOKE [revoke(7)] to do that.
122
123       Caution  must be exercised when specifying an unencrypted password with
124       this command. The password will be transmitted to the server in cleart‐
125       ext, and it might also be logged in the client's command history or the
126       server log. psql [psql(1)] contains a command  \password  that  can  be
127       used to safely change a role's password.
128
129       It  is  also  possible  to tie a session default to a specific database
130       rather than to a role; see ALTER DATABASE  [alter_database(7)].   Role-
131       specific  settings  override  database-specific ones if there is a con‐
132       flict.
133

EXAMPLES

135       Change a role's password:
136
137       ALTER ROLE davide WITH PASSWORD 'hu8jmn3';
138
139
140       Change a password expiration date, specifying that the password  should
141       expire  at midday on 4th May 2015 using the time zone which is one hour
142       ahead of UTC:
143
144       ALTER ROLE chris VALID UNTIL 'May 4 12:00:00 2015 +1';
145
146
147       Make a password valid forever:
148
149       ALTER ROLE fred VALID UNTIL 'infinity';
150
151
152       Give a role the ability to create other roles and new databases:
153
154       ALTER ROLE miriam CREATEROLE CREATEDB;
155
156
157       Give a role a non-default setting of the  maintenance_work_mem  parame‐
158       ter:
159
160       ALTER ROLE worker_bee SET maintenance_work_mem = 100000;
161
162

COMPATIBILITY

164       The ALTER ROLE statement is a PostgreSQL extension.
165