Alteruser utility

Overview

The alteruser utility modifies an existing role in your EDB Postgres Advanced Server's clusters. It's a wrapper around the SQL command ALTER ROLE and is similar to the createuser utility.

By default, the alteruser utility sends the password to the server in plain text, allowing the server to use the password verify function of the assigned password profiles to verify the passwords. It also prompts for the old password if necessary. Use the --help option to see all the supported options for modifying user credentials and privileges.

Synopsis

alteruser [OPTION]... [ROLENAME] [CONNSTR]

Options

Provide the options as arguments to the alteruser command.

-c N or --connection-limit=N

Sets a maximum number of connections for a role.

-d or --createdb

Assigns the CREATE DATABASE privilege to a role, so it can create databases.

-D or --no-createdb

Removes the CREATE DATABASE privilege from a role, so it can't create databases.

-i or --inherit

Assigns permission to a role to inherit privileges of roles it's a member of.

-I or --no-inherit

Removes permissions from a role to inherit privileges of roles it's a member of.

-l or --login

Assigns the LOGIN privilege to a role, so it can log in.

-L or --no-login

Removes the LOGIN privilege from a role, so it can't log in.

-P or --pwprompt

Assigns a password to a role.

-r or --createrole

Assigns the CREATEROLE privilege to a role, so it can create, alter, drop, comment on, and change the security label for other roles.

-R or --no-createrole

Removes the CREATEROLE privilege from a role, so it can't create new roles.

-s or --superuser

Assigns the SUPERUSER privilege to a role.

-S or --no-superuser

Removes the SUPERUSER privilege from a role.

-v or --valid-until=TIMESTAMP

Sets a date and time after which the role's password is no longer valid.

-V or --version

Prints the alteruser version information and exits.

--interactive

Prompts for the missing role name and attributes if none are specified on the command line.

--bypassrls

Allows a role to bypass row-level security (RLS) policy.

--no-bypassrls

Disallows a role to bypass row-level security (RLS) policy.

--replication

Assigns REPLICATION privilege to a role, so it can initiate the replication.

--no-replication

Removes REPLICATION privilege from a role, so it can't initiate replication.

--account=MODE

Allows a role to change the account mode. The mode can be LOCK or UNLOCK.

--createdblink

Assigns the CREATE DATABASE LINK privilege to a role, so it can create database links.

--no-createdblink

Removes the CREATE DATABASE LINK privilege from a role, so it can't create database links.

--createpublicdblink

Assigns the CREATE PUBLIC DATABASE LINK privilege to a role, so it can create public database links.

--no-createpublicdblink

Removes the CREATE PUBLIC DATABASE LINK privilege from a role, so it can't create public database links.

--droppublicdblink

Assigns the DROP PUBLIC DATABASE LINK privilege to a role, so it can drop public database links.

--no-droppublicdblink

Removes the DROP PUBLIC DATABASE LINK privilege from a role, so it can't drop public database link.

--encrypt-password=METHOD

Assigns an encryption method for a password. Use this option with the --pwprompt option. The encryption method can be "scram-sha-256", "md5", "server_encryption", or "plain" (default). If you select "server_encryption", the password encrypts using the server's password_encryption GUC value. If you select "plain", the password isn't encrypted and is sent in plain text.

--exemptaccesspolicy

Exempts a role from access control (DBMS_RLS) policies.

--no-exemptaccesspolicy

Doesn't exempt a role from access control (DBMS_RLS) policies.

--lock-time=TIMESTAMP

A role's lock time.

--passwordexpireat[=TIMESTAMP]

A role's password expiration time. If you don't provide the timestamp value, the current timestamp is used for password expiration.

--passwordsetat=TIMESTAMP

A role's password setting time.

--profile=NAME

Assigns the profile to a role.

--rename=ROLENAME

Renames a role. Use the --rename option alone, without any other options.

-? or --help

Show help about alteruser arguments, and exit.

Connection options

Provide the connection options to connect to a specific cluster where a role is residing. The connection options override the parameters from the connection string.

-h or --host=HOSTNAME

Database server host or socket directory.

-p or --port=PORT

Database server port number.

-U or --username=USERNAME

User name to connect as (not the one to alter).

-w or --no-password

Never prompt for password.

-W or --password

Force password prompt.

--dbname=DBNAME

Database to connect.

CONNSTR

You can provide the database connection parameters in CONNSTR. It overrides the passed-in parameters with the values from the CONNSTR.

Examples

This example shows how to alter a role on a localhost server running on port 5444:

./alteruser -h localhost -p 5444 -S -D -R joe

This example shows how to alter a role on the default database server in interactive mode:

./alteruser --interactive joe

Shall the role be a superuser? (y/n) n
Shall the role be allowed to create databases? (y/n) n
Shall the role be allowed to create more new roles? (y/n) n

• On this page
• Overview
• Synopsis
• Options
  • Connection options
• CONNSTR
• Examples