Table of Contents Previous Next



2.3.73 SET ROLE
SET ROLE -- set the current user identifier of the current session
SET ROLE { rolename | NONE }
This command sets the current user identifier of the current SQL session context to be rolename. After SET ROLE, permissions checking for SQL commands is carried out as though the named role were the one that had logged in originally.
The specified rolename must be a role that the current session user is a member of. (If the session user is a superuser, any role can be selected.)
NONE resets the current user identifier to be the current session user identifier. These forms may be executed by any user.
Using this command, it is possible to either add privileges or restrict one’s privileges. If the session user role has the INHERITS attribute, then it automatically has all the privileges of every role that it could SET ROLE to; in this case SET ROLE effectively drops all the privileges assigned directly to the session user and to the other roles it is a member of, leaving only the privileges available to the named role. On the other hand, if the session user role has the NOINHERITS attribute, SET ROLE drops the privileges assigned directly to the session user and instead acquires the privileges available to the named role. In particular, when a superuser chooses to SET ROLE to a non-superuser role, she loses her superuser privileges.
User mary takes on the identity of role admins:
User mary reverts back to her own identity:


Table of Contents Previous Next