Role Manager

Top Previous Next

Role Manager allows you to add, edit and delete Roles within the diagram. To open Role Manager, select the Diagram | Role Manager menu item.

Role is a virtual object of a diagram and has no graphical representation. After defining a Role, it appears in the object editors, so that you could attach other diagram objects to it.

Roles tab

Role Manager contains a grid that represents Roles available in the diagram and their properties. The Role properties you can change in the grid are as follows:

Role name

The name of a Role to be created. The name cannot begin with pg_, as such names are reserved for system Roles.


Only roles that have the LOGIN attribute can be used as the initial role name for a database connection. A role with the LOGIN attribute can be considered the same thing as a "database user".


These option determine whether a role "inherits" the privileges of roles it is a member of. A role with the INHERIT attribute can automatically use whatever database privileges have been granted to all roles it is directly or indirectly a member of. Without INHERIT, membership in another role only grants the ability to SET ROLE to that other role; the privileges of the other role are only available after having done so.

note The INHERIT attribute governs inheritance of grantable privileges (that is, access privileges for database objects and role memberships). It does not apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For example, being a member of a role with CREATEDB privilege does not immediately grant the ability to create databases, even if INHERIT is set.

Connection Limit

If role can log in, this specifies how many concurrent connections the role can make. -1 (the default) means no limit.

note The CONNECTION LIMIT option is only enforced approximately; if two new sessions start at about the same time when just one connection “slot” remains for the role, it is possible that both will fail. Also, the limit is never enforced for superusers.


A database superuser bypasses all permission checks. This is a dangerous privilege and should not be used carelessly; it is best to do most of your work as a role that is not a superuser. You must do this as a role that is already a superuser.

Create DB

A role must be explicitly given permission to create databases (except for superusers, since those bypass all permission checks).

Create Role

A role must be explicitly given permission to create more roles (except for superusers, since those bypass all permission checks). A role with CREATEROLE privilege can alter and drop other roles, too, as well as grant or revoke membership in them. However, to create, alter, drop, or change membership of a superuser role, superuser status is required; CREATEROLE is not sufficient for that.

tip Be careful with the CREATEROLE privilege. There is no concept of inheritance for the privileges of a CREATEROLE-role. That means that even if a role does not have a certain privilege but is allowed to create other roles, it can easily create another role with different privileges than its own (except for creating roles with superuser privileges). For example, if the role “user” has the CREATEROLE privilege but not the CREATEDB privilege, nonetheless it can create a new role with the CREATEDB privilege. Therefore, regard roles that have the CREATEROLE privilege as almost-superuser-roles.


A password is only significant if the client authentication method requires the user to supply a password when connecting to the database. The password, md5, and crypt authentication methods make use of passwords. Database passwords are separate from operating system passwords.

tip It is good practice to create a role that has the CREATEDB and CREATEROLE privileges, but is not a superuser, and then use this role for all routine management of databases and roles. This approach avoids the dangers of operating as a superuser for tasks that do not really require it.


The Valid option sets a date and time after which the role's password is no longer valid. If this clause is omitted the password will be valid for all time.

tip This option defines an expiration time for a password only, not for the role per se. In particular, the expiration time is not enforced when logging in using a non-password-based authentication method.

In Role

Option lists one or more existing roles to which the new role will be immediately added as a new member.


Option lists one or more existing roles which are automatically added as members of the new role.


This option is like Roles, but the named roles are added to the new role WITH ADMIN OPTION, giving them the right to grant membership in this role to others.


Set this option off to disable generation of the Role during database generation.

The buttons below the list of Roles allow you to perform the following actions:

Add - add a new Role with the default properties to the end of the list;

Duplicate - add a new Role with the same properties as the selected Role to the end of the list;

Delete - remove the selected Role from the list.

Preview tab

The Preview tab displays the SQL statement, which will be executed during the database generation. This statement is made up according to the changes you have made using the previous tabs. Please note that the text within the editor is read-only. The content of this tab updates only when your press the Apply button.