Controlling user access to the PostgreSQL database

New databases in PostgreSQL are always created with a default set of privileges in the database's public schema that allow all database users and roles to create objects. These privileges allow database users to connect to the database, for example, and create temporary tables while connected.

To better control user access to the databases instances that you create on your RDS for PostgreSQL DB instance, we recommend that you revoke these default public privileges. After doing so, you then grant specific privileges for database users on a more granular basis, as shown in the following procedure.

To set up roles and privileges for a new database instance

Suppose you're setting up a database on a newly created RDS for PostgreSQL DB instance for use by several researchers, all of whom need read-write access to the database.

Use psql (or pgAdmin) to connect to your RDS for PostgreSQL DB instance:
```
psql --host=your-db-instance.666666666666.aws-region.rds.amazonaws.com --port=5432 --username=postgres --password
```
When prompted, enter your password. The psql client connects and displays the default administrative connection database, postgres=>, as the prompt.
To prevent database users from creating objects in the public schema, do the following:
```
postgres=> REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE
```

Next, you create a new database instance:


postgres=> CREATE DATABASE lab_db;
CREATE DATABASE

Revoke all privileges from the PUBLIC schema on this new database.


postgres=> REVOKE ALL ON DATABASE lab_db FROM public;
REVOKE

Create a role for database users.


postgres=> CREATE ROLE lab_tech;
CREATE ROLE

Give database users that have this role the ability to connect to the database.
```
postgres=> GRANT CONNECT ON DATABASE lab_db TO lab_tech;
GRANT
```

Grant all users with the lab_tech role all privileges on this database.


postgres=> GRANT ALL PRIVILEGES ON DATABASE lab_db TO lab_tech;
GRANT

Create database users, as follows:


postgres=> CREATE ROLE lab_user1 LOGIN PASSWORD 'change_me';
CREATE ROLE
postgres=> CREATE ROLE lab_user2 LOGIN PASSWORD 'change_me';
CREATE ROLE

Grant these two users the privileges associated with the lab_tech role:


postgres=> GRANT lab_tech TO lab_user1;
GRANT ROLE
postgres=> GRANT lab_tech TO lab_user2;
GRANT ROLE

At this point, lab_user1 and lab_user2 can connect to the lab_db database. This example doesn't follow best practices for enterprise usage, which might include creating multiple database instances, different schemas, and granting limited permissions. For more complete information and additional scenarios, see Managing PostgreSQL Users and Roles.

For more information about privileges in PostgreSQL databases, see the GRANT command in the PostgreSQL documentation.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Understanding the rds_superuser role

Delegating and controlling user password management