pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of “users” and “groups”. A user is essentially just a role with the
rolcanlogin flag set. Any role (with or without
rolcanlogin) can have other roles as members; see
Since this catalog contains passwords, it must not be publicly readable.
pg_roles is a publicly readable view on
pg_authid that blanks out the password field.
Chapter 20 contains detailed information about user and privilege management.
Because user identities are cluster-wide,
pg_authid is shared across all databases of a cluster: there is only one copy of
pg_authid per cluster, not one per database.
|Row identifier (hidden attribute; must be explicitly selected)|
|Role has superuser privileges|
|Role automatically inherits privileges of roles it is a member of|
|Role can create more roles|
|Role can create databases|
|Role can log in. That is, this role can be given as the initial session authorization identifier.|
|Role is a replication role. A replication role can initiate replication connections and create and drop replication slots.|
|Role bypasses every row level security policy, see Section 5.7 for more information.|
|For roles that can log in, this sets maximum number of concurrent connections this role can make. -1 means no limit.|
| Password (possibly encrypted); null if none. If the password is encrypted, this column will begin with the string |
|Password expiry time (only used for password authentication); null if no expiration|