Alteruser utility
Overview
The alteruser
utility modifies an existing role in your EDB Postgres Advanced Server's clusters. It's a wrapper around the SQL command ALTER ROLE and is similar to the createuser
utility.
By default, the alteruser
utility sends the password to the server in plain text, allowing the server to use the password verify function of the assigned password profiles to verify the passwords. It also prompts for the old password if necessary. Use the --help
option to see all the supported options for modifying user credentials and privileges.
Synopsis
Options
Provide the options as arguments to the alteruser
command.
-c N
or --connection-limit=N
Sets a maximum number of connections for a role.
-d
or --createdb
Assigns the CREATE DATABASE privilege to a role, so it can create databases.
-D
or --no-createdb
Removes the CREATE DATABASE privilege from a role, so it can't create databases.
-i
or --inherit
Assigns permission to a role to inherit privileges of roles it's a member of.
-I
or --no-inherit
Removes permissions from a role to inherit privileges of roles it's a member of.
-l
or --login
Assigns the LOGIN privilege to a role, so it can log in.
-L
or --no-login
Removes the LOGIN privilege from a role, so it can't log in.
-P
or --pwprompt
Assigns a password to a role.
-r
or --createrole
Assigns the CREATEROLE privilege to a role, so it can create, alter, drop, comment on, and change the security label for other roles.
-R
or --no-createrole
Removes the CREATEROLE privilege from a role, so it can't create new roles.
-s
or --superuser
Assigns the SUPERUSER privilege to a role.
-S
or --no-superuser
Removes the SUPERUSER privilege from a role.
-v
or --valid-until=TIMESTAMP
Sets a date and time after which the role's password is no longer valid.
-V
or --version
Prints the alteruser
version information and exits.
--interactive
Prompts for the missing role name and attributes if none are specified on the command line.
--bypassrls
Allows a role to bypass row-level security (RLS) policy.
--no-bypassrls
Disallows a role to bypass row-level security (RLS) policy.
--replication
Assigns REPLICATION privilege to a role, so it can initiate the replication.
--no-replication
Removes REPLICATION privilege from a role, so it can't initiate replication.
--account=MODE
Allows a role to change the account mode. The mode can be LOCK or UNLOCK.
--createdblink
Assigns the CREATE DATABASE LINK privilege to a role, so it can create database links.
--no-createdblink
Removes the CREATE DATABASE LINK privilege from a role, so it can't create database links.
--createpublicdblink
Assigns the CREATE PUBLIC DATABASE LINK privilege to a role, so it can create public database links.
--no-createpublicdblink
Removes the CREATE PUBLIC DATABASE LINK privilege from a role, so it can't create public database links.
--droppublicdblink
Assigns the DROP PUBLIC DATABASE LINK privilege to a role, so it can drop public database links.
--no-droppublicdblink
Removes the DROP PUBLIC DATABASE LINK privilege from a role, so it can't drop public database link.
--encrypt-password=METHOD
Assigns an encryption method for a password. Use this option with the --pwprompt
option. The encryption method can be "scram-sha-256"
, "md5"
, "server_encryption"
, or "plain"
(default). If you select "server_encryption", the password encrypts using the server's password_encryption
GUC value. If you select "plain"
, the password isn't encrypted and is sent in plain text.
--exemptaccesspolicy
Exempts a role from access control (DBMS_RLS) policies.
--no-exemptaccesspolicy
Doesn't exempt a role from access control (DBMS_RLS) policies.
--lock-time=TIMESTAMP
A role's lock time.
--passwordexpireat[=TIMESTAMP]
A role's password expiration time. If you don't provide the timestamp value, the current timestamp is used for password expiration.
--passwordsetat=TIMESTAMP
A role's password setting time.
--profile=NAME
Assigns the profile to a role.
--rename=ROLENAME
Renames a role. Use the --rename
option alone, without any other options.
-?
or --help
Show help about alteruser
arguments, and exit.
Connection options
Provide the connection options to connect to a specific cluster where a role is residing. The connection options override the parameters from the connection string.
-h
or --host=HOSTNAME
Database server host or socket directory.
-p
or --port=PORT
Database server port number.
-U
or --username=USERNAME
User name to connect as (not the one to alter).
-w
or --no-password
Never prompt for password.
-W
or --password
Force password prompt.
--dbname=DBNAME
Database to connect.
CONNSTR
You can provide the database connection parameters in CONNSTR
. It overrides the passed-in parameters with the values from the CONNSTR
.
Examples
This example shows how to alter a role on a localhost server running on port 5444:
This example shows how to alter a role on the default database server in interactive mode:
Could this page be better? Report a problem or suggest an addition!