1ALTER ROLE(7) PostgreSQL 13.4 Documentation ALTER ROLE(7)
2
3
4
6 ALTER_ROLE - change a database role
7
9 ALTER ROLE role_specification [ WITH ] option [ ... ]
10
11 where option can be:
12
13 SUPERUSER | NOSUPERUSER
14 | CREATEDB | NOCREATEDB
15 | CREATEROLE | NOCREATEROLE
16 | INHERIT | NOINHERIT
17 | LOGIN | NOLOGIN
18 | REPLICATION | NOREPLICATION
19 | BYPASSRLS | NOBYPASSRLS
20 | CONNECTION LIMIT connlimit
21 | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
22 | VALID UNTIL 'timestamp'
23
24 ALTER ROLE name RENAME TO new_name
25
26 ALTER ROLE { role_specification | ALL } [ IN DATABASE database_name ] SET configuration_parameter { TO | = } { value | DEFAULT }
27 ALTER ROLE { role_specification | ALL } [ IN DATABASE database_name ] SET configuration_parameter FROM CURRENT
28 ALTER ROLE { role_specification | ALL } [ IN DATABASE database_name ] RESET configuration_parameter
29 ALTER ROLE { role_specification | ALL } [ IN DATABASE database_name ] RESET ALL
30
31 where role_specification can be:
32
33 role_name
34 | CURRENT_USER
35 | SESSION_USER
36
38 ALTER ROLE changes the attributes of a PostgreSQL role.
39
40 The first variant of this command listed in the synopsis can change
41 many of the role attributes that can be specified in CREATE ROLE
42 (CREATE_ROLE(7)). (All the possible attributes are covered, except that
43 there are no options for adding or removing memberships; use GRANT(7)
44 and REVOKE(7) for that.) Attributes not mentioned in the command retain
45 their previous settings. Database superusers can change any of these
46 settings for any role. Roles having CREATEROLE privilege can change any
47 of these settings except SUPERUSER, REPLICATION, and BYPASSRLS; but
48 only for non-superuser and non-replication roles. Ordinary roles can
49 only change their own password.
50
51 The second variant changes the name of the role. Database superusers
52 can rename any role. Roles having CREATEROLE privilege can rename
53 non-superuser roles. The current session user cannot be renamed.
54 (Connect as a different user if you need to do that.) Because
55 MD5-encrypted passwords use the role name as cryptographic salt,
56 renaming a role clears its password if the password is MD5-encrypted.
57
58 The remaining variants change a role's session default for a
59 configuration variable, either for all databases or, when the IN
60 DATABASE clause is specified, only for sessions in the named database.
61 If ALL is specified instead of a role name, this changes the setting
62 for all roles. Using ALL with IN DATABASE is effectively the same as
63 using the command ALTER DATABASE ... SET ....
64
65 Whenever the role subsequently starts a new session, the specified
66 value becomes the session default, overriding whatever setting is
67 present in postgresql.conf or has been received from the postgres
68 command line. This only happens at login time; executing SET ROLE
69 (SET_ROLE(7)) or SET SESSION AUTHORIZATION
70 (SET_SESSION_AUTHORIZATION(7)) does not cause new configuration values
71 to be set. Settings set for all databases are overridden by
72 database-specific settings attached to a role. Settings for specific
73 databases or specific roles override settings for all roles.
74
75 Superusers can change anyone's session defaults. Roles having
76 CREATEROLE privilege can change defaults for non-superuser roles.
77 Ordinary roles can only set defaults for themselves. Certain
78 configuration variables cannot be set this way, or can only be set if a
79 superuser issues the command. Only superusers can change a setting for
80 all roles in all databases.
81
83 name
84 The name of the role whose attributes are to be altered.
85
86 CURRENT_USER
87 Alter the current user instead of an explicitly identified role.
88
89 SESSION_USER
90 Alter the current session user instead of an explicitly identified
91 role.
92
93 SUPERUSER
94 NOSUPERUSER
95 CREATEDB
96 NOCREATEDB
97 CREATEROLE
98 NOCREATEROLE
99 INHERIT
100 NOINHERIT
101 LOGIN
102 NOLOGIN
103 REPLICATION
104 NOREPLICATION
105 BYPASSRLS
106 NOBYPASSRLS
107 CONNECTION LIMIT connlimit
108 [ ENCRYPTED ] PASSWORD 'password'
109 PASSWORD NULL
110 VALID UNTIL 'timestamp'
111 These clauses alter attributes originally set by CREATE ROLE
112 (CREATE_ROLE(7)). For more information, see the CREATE ROLE
113 reference page.
114
115 new_name
116 The new name of the role.
117
118 database_name
119 The name of the database the configuration variable should be set
120 in.
121
122 configuration_parameter
123 value
124 Set this role's session default for the specified configuration
125 parameter to the given value. If value is DEFAULT or, equivalently,
126 RESET is used, the role-specific variable setting is removed, so
127 the role will inherit the system-wide default setting in new
128 sessions. Use RESET ALL to clear all role-specific settings. SET
129 FROM CURRENT saves the session's current value of the parameter as
130 the role-specific value. If IN DATABASE is specified, the
131 configuration parameter is set or removed for the given role and
132 database only.
133
134 Role-specific variable settings take effect only at login; SET ROLE
135 (SET_ROLE(7)) and SET SESSION AUTHORIZATION
136 (SET_SESSION_AUTHORIZATION(7)) do not process role-specific
137 variable settings.
138
139 See SET(7) and Chapter 19 for more information about allowed
140 parameter names and values.
141
143 Use CREATE ROLE (CREATE_ROLE(7)) to add new roles, and DROP ROLE
144 (DROP_ROLE(7)) to remove a role.
145
146 ALTER ROLE cannot change a role's memberships. Use GRANT(7) and
147 REVOKE(7) to do that.
148
149 Caution must be exercised when specifying an unencrypted password with
150 this command. The password will be transmitted to the server in
151 cleartext, and it might also be logged in the client's command history
152 or the server log. psql(1) contains a command \password that can be
153 used to change a role's password without exposing the cleartext
154 password.
155
156 It is also possible to tie a session default to a specific database
157 rather than to a role; see ALTER DATABASE (ALTER_DATABASE(7)). If there
158 is a conflict, database-role-specific settings override role-specific
159 ones, which in turn override database-specific ones.
160
162 Change a role's password:
163
164 ALTER ROLE davide WITH PASSWORD 'hu8jmn3';
165
166 Remove a role's password:
167
168 ALTER ROLE davide WITH PASSWORD NULL;
169
170 Change a password expiration date, specifying that the password should
171 expire at midday on 4th May 2015 using the time zone which is one hour
172 ahead of UTC:
173
174 ALTER ROLE chris VALID UNTIL 'May 4 12:00:00 2015 +1';
175
176 Make a password valid forever:
177
178 ALTER ROLE fred VALID UNTIL 'infinity';
179
180 Give a role the ability to create other roles and new databases:
181
182 ALTER ROLE miriam CREATEROLE CREATEDB;
183
184 Give a role a non-default setting of the maintenance_work_mem
185 parameter:
186
187 ALTER ROLE worker_bee SET maintenance_work_mem = 100000;
188
189 Give a role a non-default, database-specific setting of the
190 client_min_messages parameter:
191
192 ALTER ROLE fred IN DATABASE devel SET client_min_messages = DEBUG;
193
195 The ALTER ROLE statement is a PostgreSQL extension.
196
198 CREATE ROLE (CREATE_ROLE(7)), DROP ROLE (DROP_ROLE(7)), ALTER DATABASE
199 (ALTER_DATABASE(7)), SET(7)
200
201
202
203PostgreSQL 13.4 2021 ALTER ROLE(7)