<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>SET ROLE</title>
<link rel="stylesheet" href="stylesheet.css" type="text/css">
<link rev="made" href="pgsql-docs@postgresql.org">
<meta name="generator" content="DocBook XSL Stylesheets V1.70.0">
<link rel="start" href="index.html" title="PostgreSQL 8.1.4 Documentation">
<link rel="up" href="sql-commands.html" title="SQL Commands">
<link rel="prev" href="sql-set-constraints.html" title="SET CONSTRAINTS">
<link rel="next" href="sql-set-session-authorization.html" title="SET SESSION AUTHORIZATION">
<link rel="copyright" href="ln-legalnotice.html" title="Legal Notice">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="sql-set-role"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>SET ROLE — set the current user identifier of the current session</p>
</div>
<a name="id788019"></a><div class="refsynopsisdiv">
<h2>Synopsis</h2>
<pre class="synopsis">SET [ SESSION | LOCAL ] ROLE <em class="replaceable"><code>rolename</code></em>
SET [ SESSION | LOCAL ] ROLE NONE
RESET ROLE</pre>
</div>
<div class="refsect1" lang="en">
<a name="id788043"></a><h2>Description</h2>
<p> This command sets the current user
identifier of the current SQL-session context to be <em class="replaceable"><code>rolename</code></em>. The role name may be
written as either an identifier or a string literal.
After <code class="command">SET ROLE</code>, permissions checking for SQL commands
is carried out as though the named role were the one that had logged
in originally.
</p>
<p> The specified <em class="replaceable"><code>rolename</code></em>
must be a role that the current session user is a member of.
(If the session user is a superuser, any role can be selected.)
</p>
<p> The <code class="literal">SESSION</code> and <code class="literal">LOCAL</code> modifiers act the same
as for the regular <a href="sql-set.html">SET</a>
command.
</p>
<p> The <code class="literal">NONE</code> and <code class="literal">RESET</code> forms reset the current
user identifier to be the current session user identifier.
These forms may be executed by any user.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id788124"></a><h2>Notes</h2>
<p> Using this command, it is possible to either add privileges or restrict
one's privileges. If the session user role has the <code class="literal">INHERIT</code>
attribute, then it automatically has all the privileges of every role that
it could <code class="command">SET ROLE</code> to; in this case <code class="command">SET ROLE</code>
effectively drops all the privileges assigned directly to the session user
and to the other roles it is a member of, leaving only the privileges
available to the named role. On the other hand, if the session user role
has the <code class="literal">NOINHERIT</code> attribute, <code class="command">SET ROLE</code> drops the
privileges assigned directly to the session user and instead acquires the
privileges available to the named role.
</p>
<p> In particular, when a superuser chooses to <code class="command">SET ROLE</code> to a
non-superuser role, she loses her superuser privileges.
</p>
<p> <code class="command">SET ROLE</code> has effects comparable to
<a href="sql-set-session-authorization.html">SET SESSION AUTHORIZATION</a>, but the privilege
checks involved are quite different. Also,
<code class="command">SET SESSION AUTHORIZATION</code> determines which roles are
allowable for later <code class="command">SET ROLE</code> commands, whereas changing
roles with <code class="command">SET ROLE</code> does not change the set of roles
allowed to a later <code class="command">SET ROLE</code>.
</p>
</div>
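<p> The privilege changes described in the Notes above, as an added example that is not part of the PostgreSQL documentation. The roles <code class="literal">alice</code>, <code class="literal">bob</code>, <code class="literal">app_readonly</code>, <code class="literal">app_writer</code> and the table <code class="literal">ledger</code> are constructed for illustration; the script assumes a superuser session in a scratch database and uses <code class="command">SET SESSION AUTHORIZATION</code> to stand in for logging in as each role.
</p>

```sql
-- Constructed setup: two group roles and two login roles.
CREATE ROLE app_readonly NOLOGIN;
CREATE ROLE app_writer NOLOGIN;
CREATE ROLE alice LOGIN INHERIT;     -- automatically uses privileges of its roles
CREATE ROLE bob LOGIN NOINHERIT;     -- must SET ROLE to use them
GRANT app_readonly, app_writer TO alice;
GRANT app_readonly TO bob;

CREATE TABLE ledger (id integer, amount numeric);
GRANT SELECT ON ledger TO app_readonly;
GRANT INSERT ON ledger TO app_writer;

-- Session user alice (INHERIT): SET ROLE restricts privileges.
SET SESSION AUTHORIZATION 'alice';
-- Allowed: alice inherits INSERT from app_writer.
INSERT INTO ledger VALUES (1, 10.00);
SET ROLE 'app_readonly';
-- Session user stays alice; only the current user changes.
SELECT SESSION_USER, CURRENT_USER;
-- Allowed: app_readonly holds SELECT.
SELECT count(*) FROM ledger;
-- Denied: app_readonly holds no INSERT, and alice's other
-- memberships no longer apply.
INSERT INTO ledger VALUES (2, 20.00);
RESET ROLE;

-- SET LOCAL ROLE lasts only until the end of the transaction.
BEGIN;
SET LOCAL ROLE 'app_readonly';
SELECT CURRENT_USER;
COMMIT;
-- After COMMIT the current user is the session user again.
SELECT CURRENT_USER;
RESET SESSION AUTHORIZATION;

-- Session user bob (NOINHERIT): SET ROLE acquires privileges.
SET SESSION AUTHORIZATION 'bob';
-- Denied: bob does not inherit from app_readonly.
SELECT count(*) FROM ledger;
SET ROLE 'app_readonly';
-- Allowed: permission checks now run as app_readonly.
SELECT count(*) FROM ledger;
-- Denied: the session user bob is not a member of app_writer.
SET ROLE 'app_writer';
RESET ROLE;
RESET SESSION AUTHORIZATION;
```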
<div class="refsect1" lang="en">
<a name="id788238"></a><h2>Examples</h2>
<pre class="programlisting">SELECT SESSION_USER, CURRENT_USER;

 session_user | current_user
--------------+--------------
 peter        | peter

SET ROLE 'paul';

SELECT SESSION_USER, CURRENT_USER;

 session_user | current_user
--------------+--------------
 peter        | paul</pre>
</div>
<div class="refsect1" lang="en">
<a name="id788251"></a><h2>Compatibility</h2>
<p> <span class="productname">PostgreSQL</span>
allows identifier syntax (<code class="literal">"rolename"</code>), while
the SQL standard requires the role name to be written as a string
literal. SQL does not allow this command during a transaction;
<span class="productname">PostgreSQL</span> does not make this
restriction because there is no reason to.
The <code class="literal">SESSION</code> and <code class="literal">LOCAL</code> modifiers are a
<span class="productname">PostgreSQL</span> extension, as is the
<code class="literal">RESET</code> syntax.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id788309"></a><h2>See Also</h2>
<span class="simplelist"><a href="sql-set-session-authorization.html">SET SESSION AUTHORIZATION</a></span>
</div>
</div></body>
</html>