4.2 Managing Security

PEM provides a graphical way to manage the security aspects of your Postgres servers. The three most common tasks are:

4.2.1 Login Roles

A user must have a login account to connect to the Postgres server. Use the Login Role dialog (shown in Figure 4.2) to add a new login role or manage the properties of an existing login role on a registered server.

To add a new login role, right-click on the Login Roles node (located beneath the selected server in the Postgres Enterprise Manager node of the tree control), and select New Login Role from the context menu.

To modify the properties of an existing login role, right-click on the name of a login role in the tree control, and select Properties from the context menu. To delete a login role, right-click on the name of the role, and select Delete/Drop from the context menu.

For more complete information on creating and managing a login account, see the PostgreSQL online documentation:

4.2.2 Group Roles

Group roles can serve as containers, used to dispense system privileges (such as creating databases) and object privileges (e.g. inserting data into a particular table). The primary purpose of a group role is to make the mass management of system and object permissions much easier for a DBA. Rather than assigning or modifying privileges individually across many different login accounts, you can assign or change privileges for a single role and then grant that role to many login roles at once.

Use the Group Roles node (located beneath the name of each registered server in the PEM tree control) to create and manage group roles. Options on the context menu provide access to a dialog that allows you to create a new role or modify the properties of an existing role. You can find more information about creating roles at:

4.2.3 Using a Team Role

When you register a server for monitoring by PEM, you can specify a Team role that will be associated with the server.
A Team role is a group role that can be used to allow or restrict access to one or more monitored servers to a limited group of role members. The PEM client will only display a server with a specified Team to those users who are:

To open the New Group Role dialog and create a team role, right-click on the Group Roles node of the tree control and select New Group Role… from the context menu. When the New Group Role dialog opens, use the fields provided to specify the properties of the team role. For more information about creating a Team role, see the PEM Installation Guide, available at:

4.2.4 Object Permissions

A role must be granted sufficient privileges before accessing, executing, or creating any database object. PEM allows you to assign (GRANT) and remove (REVOKE) object permissions to group roles or login accounts using the graphical interface of the PEM client.

Object permissions are managed via the graphical object editor for each particular object. For example, to assign privileges to access a database table, right-click on the table name in the tree control, and select the Properties option from the context menu. Use the options displayed on the Privileges tab to assign privileges for the table.

By default, PEM displays only group roles on the Privileges tab of the Properties dialog. To instruct the PEM client to include login roles in the User/Group list on the Privileges tab, navigate through the File menu to open the Options dialog. Select the UI Miscellaneous control node, and then check the box next to Show users for privileges to include login roles on the Privileges tab.

The PEM client also contains a Grant Wizard (accessed through a schema node of the tree control) that allows you to manage many object permissions at once.
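
The group-role pattern from sections 4.2.2 and 4.2.4, written as the SQL that the dialogs correspond to. This is an added example, not taken from the PEM documentation; the role names (sales_rw, alice, bob) and the table public.orders are constructed for illustration.

```sql
-- Constructed names: sales_rw (group role), alice and bob (login roles),
-- public.orders (table). Runs in a transaction that is rolled back.
BEGIN;

-- Group role: holds privileges, cannot connect (NOLOGIN).
CREATE ROLE sales_rw NOLOGIN;

-- Login roles. Set passwords afterwards with psql's \password so the
-- clear-text value does not end up in statement logs.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

CREATE TABLE public.orders (id integer PRIMARY KEY, total numeric);

-- Object privileges go to the group role, not to individual logins.
GRANT SELECT, INSERT ON public.orders TO sales_rw;

-- Membership: one statement hands the whole bundle to many logins.
GRANT sales_rw TO alice, bob;

-- Effective privileges per login, including those inherited via membership.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'public.orders', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'public.orders', 'INSERT') AS can_insert
FROM pg_roles r
WHERE r.rolname IN ('alice', 'bob')
ORDER BY r.rolname;

-- Tighten every member at once by changing the group role.
REVOKE INSERT ON public.orders FROM sales_rw;

-- Remove one login from the group without touching the others.
REVOKE sales_rw FROM bob;

-- Audit current membership of the group role.
SELECT g.rolname AS group_role, m.rolname AS member
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolname = 'sales_rw';

-- Role attributes such as CREATEDB are not inherited through membership;
-- a member must SET ROLE to the group role to use them.

ROLLBACK;
```

Re-running the has_table_privilege query after each REVOKE shows the effect on every member, which is a quick way to confirm a change made through the Privileges tab or the Grant Wizard.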