Assigning roles PostgreSQL

Written by

Updated at April 9, 2025

With Managed Service for PostgreSQL, you cannot access predefined roles. Instead, this service provides the following special roles:

mdb_superuser: For users who are not database owners but need to manage privileges as owners.
mdb_admin: For users who are not database owners but need administrative privileges.
mdb_monitor: For users who need to be able to read various configuration parameters, statistics, and other system information.
mdb_replication: For users who need to be able to perform logical replication.

To assign a role to a user, use the Yandex Cloud interfaces: roles assigned by a GRANT request are revoked with the next database operation.

Note

You cannot create custom roles in Managed Service for PostgreSQL. User permissions depend on a set of privileges the user is granted.

'mdb_superuser' role

The mdb_superuser role enables you to manage privileges for objects in a database.

The mdb_admin role includes the following privileges:

Predefined role privileges:
- pg_monitor
- pg_signal_backend
  For more information about predefined roles, see the PostgreSQL documentation.
Subscription for logical replication (CREATE | DROP | ALTER SUBSCRIPTION).
Extensions:
- dblink
- pg_repack
- postgres_fdw
- pg_cron
Extension-specific functions:
- pg_stat_kcache_reset() from the pg_stat_kcache extension.
- pg_stat_reset() and pg_stat_statements_reset() from the pg_stat_statements extension.

The mdb_monitor role includes the following privileges:

Reading and executing various views and functions for monitoring.
Extensions:
- pg_stat_statements
Functions for working with ordinary files:
- pg_ls_logdir()
- pg_ls_waldir()
- pg_ls_archive_statusdir()
- pg_ls_tmpdir ()

The mdb_replication role includes the following privileges:

Connecting to a cluster using the logical replication protocol (replication=database).
Replication functions:
- pg_create_logical_replication_slot()
- pg_drop_replication_slot()