3 PostgreSQL documentation
6 <refentry id=
"SQL-SET-ROLE">
8 <refentrytitle id=
"sql-set-role-title">SET ROLE
</refentrytitle>
9 <refmiscinfo>SQL - Language Statements
</refmiscinfo>
13 <refname>SET ROLE
</refname>
14 <refpurpose>set the current user identifier of the current session
</refpurpose>
17 <indexterm zone=
"sql-set-role">
18 <primary>SET ROLE
</primary>
23 SET [ SESSION | LOCAL ] ROLE
<replaceable class=
"parameter">rolename
</replaceable>
24 SET [ SESSION | LOCAL ] ROLE NONE
30 <title>Description
</title>
33 This command sets the current user
34 identifier of the current SQL session to be
<replaceable
35 class=
"parameter">rolename
</replaceable>. The role name can be
36 written as either an identifier or a string literal.
37 After
<command>SET ROLE<
/>, permissions checking for SQL commands
38 is carried out as though the named role were the one that had logged
43 The specified
<replaceable class=
"parameter">rolename
</replaceable>
44 must be a role that the current session user is a member of.
45 (If the session user is a superuser, any role can be selected.)
49 The
<literal>SESSION<
/> and
<literal>LOCAL<
/> modifiers act the same
50 as for the regular
<xref linkend=
"SQL-SET" endterm=
"SQL-SET-title">
55 The
<literal>NONE<
/> and
<literal>RESET<
/> forms reset the current
56 user identifier to be the current session user identifier.
57 These forms can be executed by any user.
65 Using this command, it is possible to either add privileges or restrict
66 one's privileges. If the session user role has the
<literal>INHERITS<
/>
67 attribute, then it automatically has all the privileges of every role that
68 it could
<command>SET ROLE<
/> to; in this case
<command>SET ROLE<
/>
69 effectively drops all the privileges assigned directly to the session user
70 and to the other roles it is a member of, leaving only the privileges
71 available to the named role. On the other hand, if the session user role
72 has the
<literal>NOINHERITS<
/> attribute,
<command>SET ROLE<
/> drops the
73 privileges assigned directly to the session user and instead acquires the
74 privileges available to the named role.
78 In particular, when a superuser chooses to
<command>SET ROLE<
/> to a
79 non-superuser role, she loses her superuser privileges.
83 <command>SET ROLE<
/> has effects comparable to
84 <xref linkend=
"sql-set-session-authorization"
85 endterm=
"sql-set-session-authorization-title">, but the privilege
86 checks involved are quite different. Also,
87 <command>SET SESSION AUTHORIZATION<
/> determines which roles are
88 allowable for later
<command>SET ROLE<
/> commands, whereas changing
89 roles with
<command>SET ROLE<
/> does not change the set of roles
90 allowed to a later
<command>SET ROLE<
/>.
94 <command>SET ROLE<
/> cannot be used within a
95 <literal>SECURITY DEFINER<
/> function.
100 <title>Examples
</title>
103 SELECT SESSION_USER, CURRENT_USER;
105 session_user | current_user
106 --------------+--------------
111 SELECT SESSION_USER, CURRENT_USER;
113 session_user | current_user
114 --------------+--------------
120 <title>Compatibility
</title>
123 <productname>PostgreSQL
</productname>
124 allows identifier syntax (
<literal>"rolename"</literal>), while
125 the SQL standard requires the role name to be written as a string
126 literal. SQL does not allow this command during a transaction;
127 <productname>PostgreSQL
</productname> does not make this
128 restriction because there is no reason to.
129 The
<literal>SESSION<
/> and
<literal>LOCAL<
/> modifiers are a
130 <productname>PostgreSQL
</productname> extension, as is the
131 <literal>RESET<
/> syntax.
136 <title>See Also
</title>
138 <simplelist type=
"inline">
139 <member><xref linkend=
"sql-set-session-authorization" endterm=
"sql-set-session-authorization-title"></member>