Overview - Login vs group roles

What is it?

In PostgreSQL, a login role is a user account that can connect to the database. A group role is a collection of roles that can own privileges and be assigned to other roles. Login roles represent individual users, while group roles help manage permissions for multiple users together.

Why it matters

Without distinguishing login and group roles, managing database access would be chaotic and error-prone. Group roles allow administrators to assign permissions once and share them among many users, saving time and reducing mistakes. Without this, each user would need individual permission setup, making security and maintenance difficult.

Where it fits

Before learning this, you should understand basic database roles and permissions. After this, you can learn about role inheritance, privilege management, and security best practices in PostgreSQL.

Mental Model

Core Idea

Login roles are individual users who connect to the database, while group roles are like teams that bundle permissions for easier management.

Think of it like...

Think of login roles as individual employees with ID badges, and group roles as departments that grant access to shared resources. Assigning someone to a department automatically gives them the department's access rights.

┌─────────────┐       ┌─────────────┐
│ Login Role 1│──────▶│ Group Role A│
└─────────────┘       └─────────────┘
       │                    ▲
       │                    │
┌─────────────┐       ┌─────────────┐
│ Login Role 2│──────▶│ Group Role A│
└─────────────┘       └─────────────┘

Login roles can belong to multiple group roles, inheriting their permissions.

Build-Up - 7 Steps

1

FoundationUnderstanding PostgreSQL Roles

Concept: Roles are entities in PostgreSQL that can own database objects and have permissions.

PostgreSQL uses roles to control access. A role can represent a user or a group. Roles can have privileges like reading tables or creating databases. Every user connecting to the database must have a role with login permission.

Result

You know that roles are the basic building blocks for access control in PostgreSQL.

Understanding roles is essential because they are the foundation of all permission management in PostgreSQL.

2

FoundationLogin Roles as User Accounts

3

IntermediateGroup Roles for Permission Management

4

IntermediateRole Membership and Inheritance

5

IntermediateDistinguishing Login and Group Roles

6

AdvancedManaging Complex Permissions with Nested Groups

7

ExpertSecurity Implications of Role Attributes

Under the Hood

PostgreSQL stores roles in a system catalog table with attributes like LOGIN and membership lists. When a user connects, the server checks the login role's permissions and all group roles it belongs to, combining privileges. Role membership is implemented as a graph, allowing inheritance of permissions through membership chains.

Why designed this way?

This design separates authentication (login roles) from authorization (group roles), making permission management scalable and flexible. Early database systems had only users, making large permission sets hard to maintain. Group roles were introduced to simplify administration and reduce errors.

┌───────────────┐
│ System Catalog│
│  Roles Table  │
└──────┬────────┘
       │ stores
       ▼
┌───────────────┐       ┌───────────────┐
│ Login Role A  │──────▶│ Group Role X  │
│ (LOGIN=true)  │       │ (LOGIN=false) │
└───────────────┘       └───────────────┘
       │ inherits permissions from
       ▼
┌───────────────┐
│ Permissions   │
│ (SELECT, etc) │
└───────────────┘

Myth Busters - 4 Common Misconceptions

Quick: Does assigning a group role to a login role automatically allow the login role to connect to the database? Commit yes or no.

Common Belief:If a login role is part of a group role, it can connect to the database through that group role.

Tap to reveal reality

Quick: Do group roles have their own passwords for login? Commit yes or no.

Common Belief:Group roles have passwords and can be used to log in like users.

Tap to reveal reality

Quick: Does revoking a group role from a login role remove all permissions granted by that group? Commit yes or no.

Common Belief:Removing a login role from a group role immediately removes all inherited permissions from that group.

Tap to reveal reality

Quick: Can a login role have multiple group roles at once? Commit yes or no.

Common Belief:A login role can only belong to one group role at a time.

Tap to reveal reality

Expert Zone

1

Group roles can have role attributes like CREATEDB or REPLICATION, which propagate to members, affecting their capabilities beyond simple permissions.

2

Role membership is transitive: if Group A is member of Group B, and a login role is member of Group A, it inherits permissions from both groups.

3

Revoking a role membership does not revoke privileges granted directly to the login role, which can cause subtle permission retention.

When NOT to use

Avoid using group roles for very small databases or single-user setups where direct login role permissions are simpler. For complex enterprise environments, consider using external authentication systems like LDAP combined with PostgreSQL roles for better scalability.

Production Patterns

In production, administrators create group roles for departments (e.g., developers, analysts) and assign login roles accordingly. Nested group roles organize permissions hierarchically. Role attributes like CONNECTION LIMIT and PASSWORD VALID UNTIL are used to enforce security policies. Auditing role membership changes is common for compliance.

Connections

Unix User Groups

Similar pattern of individual users and groups managing permissions

Understanding Unix groups helps grasp PostgreSQL group roles because both use group membership to simplify permission management.

Object-Oriented Programming Inheritance

Role membership inheritance is like class inheritance where child classes inherit properties from parent classes

Seeing role permissions as inherited properties clarifies how nested group roles propagate privileges.

Corporate Organizational Structure

Group roles resemble departments or teams that assign access rights to employees

Knowing how companies organize access by departments helps understand why group roles exist and how they simplify permission management.

Common Pitfalls

#1Trying to log in using a group role that lacks LOGIN permission.

Wrong approach:psql -U analysts -d mydb -- fails because 'analysts' is a group role without LOGIN

Correct approach:psql -U alice -d mydb -- 'alice' is a login role member of 'analysts' group

Root cause:Misunderstanding that only roles with LOGIN can authenticate and connect.

#2Granting permissions directly to login roles instead of using group roles for shared access.

Wrong approach:GRANT SELECT ON table TO alice; GRANT SELECT ON table TO bob; -- repeated grants for each user

Correct approach:CREATE ROLE readers; GRANT SELECT ON table TO readers; GRANT readers TO alice; GRANT readers TO bob;

Root cause:Not leveraging group roles leads to repetitive and error-prone permission assignments.

#3Assuming revoking a group role removes all permissions immediately without checking other grants.

Wrong approach:REVOKE readers FROM alice; -- alice still has SELECT because it was granted directly

Correct approach:Check all grants before revoking or use REVOKE carefully to avoid leftover permissions.

Root cause:Overlooking that permissions can come from multiple sources, not just group roles.

Key Takeaways

PostgreSQL distinguishes login roles (users who connect) from group roles (permission containers).

Group roles simplify permission management by grouping privileges and assigning them to multiple users.

Role membership allows login roles to inherit permissions from one or more group roles automatically.

Understanding role attributes and inheritance is crucial to maintaining secure and scalable database access.

Misusing login and group roles can cause connection failures or security risks, so clear role design is essential.