<!--
doc/src/sgml/ref/drop_role.sgml
PostgreSQL documentation
-->

<refentry id="sql-droprole">
<indexterm zone="sql-droprole">
<primary>DROP ROLE</primary>
</indexterm>
<refmeta>
<refentrytitle>DROP ROLE</refentrytitle>
<manvolnum>7</manvolnum>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>DROP ROLE</refname>
<refpurpose>remove a database role</refpurpose>
</refnamediv>
<refsynopsisdiv>
<synopsis>
DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...]
</synopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>

<para>
<command>DROP ROLE</command> removes the specified role(s).
To drop a superuser role, you must be a superuser yourself;
to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
privilege and have been granted <literal>ADMIN OPTION</literal> on the role.
</para>
<para>
A role cannot be removed if it is still referenced in any database
of the cluster; an error will be raised if so. Before dropping the role,
you must drop all the objects it owns (or reassign their ownership)
and revoke any privileges the role has been granted on other objects.
The <link linkend="sql-reassign-owned"><command>REASSIGN
OWNED</command></link> and <link linkend="sql-drop-owned"><command>DROP
OWNED</command></link>
commands can be useful for this purpose; see <xref linkend="role-removal"/>
for more discussion.
</para>
<para>
However, it is not necessary to remove role memberships involving
the role; <command>DROP ROLE</command> automatically revokes any memberships
of the target role in other roles, and of other roles in the target role.
The other roles are not dropped nor otherwise affected.
</para>
</refsect1>
<refsect1>
<title>Parameters</title>

<variablelist>
<varlistentry>
<term><literal>IF EXISTS</literal></term>
<listitem>
<para>
Do not throw an error if the role does not exist. A notice is issued
in this case.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term><replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
The name of the role to remove.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>

<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="app-dropuser"/> that has the
same functionality as this command (in fact, it calls this command)
but can be run from the command shell.
</para>
</refsect1>
<refsect1>
<title>Examples</title>

<para>
To drop a role:
<programlisting>
DROP ROLE jonathan;
</programlisting></para>
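<para>
Added example, not part of the PostgreSQL documentation: the full removal
sequence that the Description calls for, applied to the role
<literal>jonathan</literal> above. The successor role
<literal>app_owner</literal> is hypothetical.
</para>

```sql
-- Added example; "jonathan" is the role from the page, "app_owner" is a
-- hypothetical successor role.

-- Optional precaution: block new logins while cleaning up
-- (sessions that are already open are not ended by this).
ALTER ROLE jonathan NOLOGIN;

-- 1. Find what still references the role, per database. pg_shdepend is a
--    shared catalog, so one query covers the cluster; dbid 0 = shared object.
SELECT coalesce(d.datname, '(shared)') AS database,
       CASE s.deptype WHEN 'o' THEN 'owns object'
                      WHEN 'a' THEN 'holds granted privilege'
                      WHEN 'r' THEN 'named in row security policy'
                      ELSE s.deptype::text END AS reference,
       count(*) AS objects
FROM pg_shdepend s
LEFT JOIN pg_database d ON d.oid = s.dbid
WHERE s.refclassid = 'pg_authid'::regclass
  AND s.refobjid = 'jonathan'::regrole
GROUP BY 1, 2
ORDER BY 1, 2;

-- 2. Memberships in both directions. These need no manual cleanup (DROP ROLE
--    revokes them), but rows with admin_option = true on role = jonathan show
--    who holds ADMIN OPTION on it.
SELECT roleid::regrole AS role, member::regrole AS member, admin_option
FROM pg_auth_members
WHERE roleid = 'jonathan'::regrole OR member = 'jonathan'::regrole;

-- 3. In EACH database reported by step 1 (both commands act on the current
--    database plus shared objects only):
REASSIGN OWNED BY jonathan TO app_owner;  -- hand over owned objects
DROP OWNED BY jonathan;                   -- revoke remaining privileges;
                                          -- nothing is left to drop after REASSIGN

-- 4. Once no references remain, from any database:
DROP ROLE jonathan;
```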
</refsect1>
<refsect1>
<title>Compatibility</title>

<para>
The SQL standard defines <command>DROP ROLE</command>, but it allows
only one role to be dropped at a time, and it specifies different
privilege requirements than <productname>PostgreSQL</productname> uses.
</para>
</refsect1>
<refsect1>
<title>See Also</title>

<simplelist type="inline">
<member><xref linkend="sql-createrole"/></member>
<member><xref linkend="sql-alterrole"/></member>
<member><xref linkend="sql-set-role"/></member>
</simplelist>
</refsect1>
</refentry>