
TencentDB for PostgreSQL

User and Permission Operations

Last updated: 2026-06-25 11:47:14

Cloud Database Default Roles

TencentDB for PostgreSQL does not make the superuser role attribute or the pg_execute_server_program, pg_read_server_files, and pg_write_server_files roles available to users. However, because certain operations require the superuser role, TencentDB for PostgreSQL provides the pg_tencentdb_superuser role as a substitute.

pg_tencentdb_superuser Role

The permissions supported by this role include system permissions and database object permissions. The detailed permissions are listed in the following table:

System Permissions

| Permissions | Description |
| --- | --- |
| CREATEDB | You can create databases. |
| BYPASSRLS | It can bypass all row-level security policy checks. |
| REPLICATION | By default, it has the replication permission and can also grant this permission to other users. |
| CREATEROLE | It has the CREATEROLE permission as in the community edition, but the pg_read_server_files, pg_write_server_files, and pg_execute_server_program permissions have been removed from the createrole permission set. |

Object Permissions

| Object | Description |
| --- | --- |
| database | By default, it has permissions for all databases whose owner is not a superuser. |
| schema | By default, it has permissions for all schemas whose owner is not a superuser. |
| table/sequence | By default, it has permissions for all tables/sequences whose owner is not a superuser. |
| function | By default, it has permissions for all functions whose owner is not a superuser. |
| language | No special permissions. |
| tablespace | No special permissions. |
| FDW / foreign server | By default, it has permissions for all FDWs/foreign servers whose owner is not a superuser. |
| TYPE | By default, it has permissions for all types whose owner is not a superuser. |

Other Operations

Subscription/publication: It can create subscriptions/publications, create publications for all tables, and create slots.
Plugins: It can create all supported plugins. When a plugin is created, the current pg_tencentdb_superuser is temporarily elevated to superuser to pass all permission checks.
The load_file permission retains its default behavior, allowing only the loading of supported plugin libraries.
The permission to view detailed deadlock information in the pgstat_get_backend_current_activity function is enabled, allowing users to troubleshoot deadlocks themselves.
The pg_signal_backend function is restricted so that only pg_tencentdb_superuser can kill processes belonging to pg_tencentdb_superuser.
checkpoint is allowed. The kernel minor version must be equal to or higher than V10.17_r1.8, V11.12_r1.7, V12.7_r1.8, V13.3_r1.6, or V14.2_r1.5, and the major version must be equal to or higher than V15.
It is allowed to create and modify event_triggers whose owner is tencentdb_superuser. To create or modify an event_trigger, the kernel minor version must be equal to or higher than V10.17_r1.8, V11.12_r1.7, V12.7_r1.8, V13.3_r1.6, or V14.2_r1.5, and the major version must be equal to or higher than V15.

Permission Operations

For detailed permission operations, refer to the official PostgreSQL community documentation:
Create a user. For details, refer to the official documentation:
CREATE USER name [ [ WITH ] option [ ... ] ]

where option can be:

SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| BYPASSRLS | NOBYPASSRLS
| CONNECTION LIMIT connlimit
| [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
Create a role. For details, refer to the official documentation:
CREATE ROLE name [ [ WITH ] option [ ... ] ]

where option can be:

SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| BYPASSRLS | NOBYPASSRLS
| CONNECTION LIMIT connlimit
| [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
| VALID UNTIL 'timestamp'
| IN ROLE role_name [, ...]
| IN GROUP role_name [, ...]
| ROLE role_name [, ...]
| ADMIN role_name [, ...]
| USER role_name [, ...]
| SYSID uid
Modify role attributes. For details, refer to the official documentation:
ALTER ROLE role_specification [ WITH ] option [ ... ]

where option can be:

SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
| INHERIT | NOINHERIT
| LOGIN | NOLOGIN
| REPLICATION | NOREPLICATION
| BYPASSRLS | NOBYPASSRLS
| CONNECTION LIMIT connlimit
| [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL
| VALID UNTIL 'timestamp'
Grant permissions to a role object. For details, refer to the official documentation:
-- Simple syntax
GRANT <permission> ON <object> TO <role>;
Revoke permissions from a role object. For details, refer to the official documentation:
-- Simple syntax
REVOKE <permission> ON <object> FROM <role>;
Assign a role to another role:
-- Simple syntax
GRANT <role_name> TO <other_role>;
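
The statements above combined into one least-privilege setup, as an added example that is not part of the original documentation. The database `app_db`, schema `app`, roles `app_readonly` and `report_user`, the password and the expiry date are all hypothetical placeholders; only standard PostgreSQL syntax is used.

```sql
-- Added example. All object and role names are hypothetical placeholders.

-- 1. Group role that carries the privileges. NOLOGIN means nobody can
--    authenticate as it; it gets none of CREATEDB, CREATEROLE,
--    REPLICATION or BYPASSRLS because those are off by default.
CREATE ROLE app_readonly NOLOGIN;

-- 2. Login user with a bounded connection count and password lifetime.
--    Replace the placeholder password; statements containing passwords
--    can end up in server logs, so rotate it after creation if logging
--    of DDL is enabled.
CREATE USER report_user WITH
    LOGIN
    CONNECTION LIMIT 5
    VALID UNTIL '2027-01-01'
    PASSWORD 'replace-me';

-- 3. Remove what every role inherits through PUBLIC before granting
--    anything, so access comes only from explicit grants.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Grant object permissions to the group role, not to the user.
GRANT CONNECT ON DATABASE app_db TO app_readonly;
GRANT USAGE ON SCHEMA app TO app_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readonly;

--    Tables created later are not covered by the GRANT above. Default
--    privileges apply only to objects created by the role that runs
--    this statement (or the one named with FOR ROLE).
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT ON TABLES TO app_readonly;

-- 5. Assign the group role to the login user.
GRANT app_readonly TO report_user;

-- 6. Verify what was actually granted.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'app_readonly'
ORDER BY table_schema, table_name, privilege_type;
```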

Managing System Accounts

The accounts automatically created and used by the database management system are listed below:
Note:
The management system accounts for TencentDB for PostgreSQL are fully managed by Tencent Cloud.
| Account Name | Description | Allowed Operations |
| --- | --- | --- |
| tencentdb_admin_* | The string following 'tencentdb_admin_' in the account name and role name is a system-generated random string. | Used by the monitoring component to collect monitoring data and by the management system to perform instance health checks. |
| tencentdb_repl_* | The string following 'tencentdb_repl_' in the account name and role name is a system-generated random string. | To implement master-slave data synchronization for instances and to support the backup feature of the backup component. |
| repluser | Belongs to the repluser role. | Used by some instances to implement master-slave data synchronization. This account will be deprecated later. |
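
An audit query for the role model described on this page, added here as an example and not taken from Tencent Cloud's documentation. It lists every role that holds one of the system permissions listed earlier or is a member of pg_tencentdb_superuser through any chain of role grants, and marks the managed system accounts by name. It reads only the standard pg_roles and pg_auth_members catalogs; the name match is a heuristic based on the prefixes given above, not proof that a role is managed by Tencent Cloud.

```sql
-- Added example. Uses only standard PostgreSQL catalogs.
WITH RECURSIVE chain AS (
    -- Direct members of pg_tencentdb_superuser.
    SELECT m.member, 1 AS depth
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'pg_tencentdb_superuser'
  UNION
    -- Roles that are members of a role already in the chain.
    -- Membership counts even for NOINHERIT roles, because they can
    -- still switch to the granted role with SET ROLE.
    SELECT m.member, c.depth + 1
    FROM pg_auth_members m
    JOIN chain c ON c.member = m.roleid
),
inherited AS (
    -- Shortest path to pg_tencentdb_superuser for each member.
    SELECT member, min(depth) AS depth
    FROM chain
    GROUP BY member
)
SELECT r.rolname,
       r.rolcanlogin    AS can_login,
       r.rolcreatedb    AS createdb,
       r.rolcreaterole  AS createrole,
       r.rolreplication AS replication,
       r.rolbypassrls   AS bypassrls,
       i.depth          AS superuser_role_depth,  -- NULL: not a member, 1: direct
       -- "_" is a LIKE wildcard, so it is escaped to match literally.
       (r.rolname LIKE 'tencentdb\_admin\_%' ESCAPE '\'
        OR r.rolname LIKE 'tencentdb\_repl\_%' ESCAPE '\'
        OR r.rolname = 'repluser') AS system_account_name
FROM pg_roles r
LEFT JOIN inherited i ON i.member = r.oid
WHERE r.rolcreatedb
   OR r.rolcreaterole
   OR r.rolreplication
   OR r.rolbypassrls
   OR i.member IS NOT NULL
ORDER BY system_account_name, superuser_role_depth NULLS LAST, r.rolname;
```

Rows where system_account_name is false are the ones to review: each is a user-created role that can bypass row-level security, create roles or databases, replicate, or act as pg_tencentdb_superuser.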
