PG 18 docs from https://ftp.postgresql.org/pub/source/v18.0/postgresql-18.0-docs...

[ai-pg] / full-docs / src / sgml / man1 / createuser.1

'\" t
.\"     Title: createuser
.\"    Author: The PostgreSQL Global Development Group
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 2025
.\"    Manual: PostgreSQL 18.0 Documentation
.\"    Source: PostgreSQL 18.0
.\"  Language: English
.\"
.TH "CREATEUSER" "1" "2025" "PostgreSQL 18.0" "PostgreSQL 18.0 Documentation"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
createuser \- define a new PostgreSQL user account
.SH "SYNOPSIS"
.HP \w'\fBcreateuser\fR\ 'u
\fBcreateuser\fR [\fIconnection\-option\fR...] [\fIoption\fR...] [\fIusername\fR]
.SH "DESCRIPTION"
.PP
createuser
creates a new
PostgreSQL
user (or more precisely, a role)\&. Only superusers and users with
CREATEROLE
privilege can create new users, so
createuser
must be invoked by someone who can connect as a superuser or a user with
CREATEROLE
privilege\&.
.PP
If you wish to create a role with the
SUPERUSER,
REPLICATION, or
BYPASSRLS
privilege, you must connect as a superuser, not merely with
CREATEROLE
privilege\&. Being a superuser implies the ability to bypass all access permission checks within the database, so superuser access should not be granted lightly\&.
CREATEROLE
also conveys
very extensive privileges\&.
.PP
createuser
is a wrapper around the
SQL
command
\fBCREATE ROLE\fR\&. There is no effective difference between creating users via this utility and via other methods for accessing the server\&.
.SH "OPTIONS"
.PP
createuser
accepts the following command\-line arguments:
.PP
\fIusername\fR
.RS 4
Specifies the name of the
PostgreSQL
user to be created\&. This name must be different from all existing roles in this
PostgreSQL
installation\&.
.RE
.PP
\fB\-a \fR\fB\fIrole\fR\fR
.br
\fB\-\-with\-admin=\fR\fB\fIrole\fR\fR
.RS 4
Specifies an existing role that will be automatically added as a member of the new role with admin option, giving it the right to grant membership in the new role to others\&. Multiple existing roles can be specified by writing multiple
\fB\-a\fR
switches\&.
.RE
.PP
\fB\-c \fR\fB\fInumber\fR\fR
.br
\fB\-\-connection\-limit=\fR\fB\fInumber\fR\fR
.RS 4
Set a maximum number of connections for the new user\&. The default is to set no limit\&.
.RE
.PP
\fB\-d\fR
.br
\fB\-\-createdb\fR
.RS 4
The new user will be allowed to create databases\&.
.RE
.PP
\fB\-D\fR
.br
\fB\-\-no\-createdb\fR
.RS 4
The new user will not be allowed to create databases\&. This is the default\&.
.RE
.PP
\fB\-e\fR
.br
\fB\-\-echo\fR
.RS 4
Echo the commands that
createuser
generates and sends to the server\&.
.RE
.PP
\fB\-E\fR
.br
\fB\-\-encrypted\fR
.RS 4
This option is obsolete but still accepted for backward compatibility\&.
.RE
.PP
\fB\-g \fR\fB\fIrole\fR\fR
.br
\fB\-\-member\-of=\fR\fB\fIrole\fR\fR
.br
\fB\-\-role=\fR\fB\fIrole\fR\fR (deprecated)
.RS 4
Specifies the new role should be automatically added as a member of the specified existing role\&. Multiple existing roles can be specified by writing multiple
\fB\-g\fR
switches\&.
.RE
.PP
\fB\-i\fR
.br
\fB\-\-inherit\fR
.RS 4
The new role will automatically inherit privileges of roles it is a member of\&. This is the default\&.
.RE
.PP
\fB\-I\fR
.br
\fB\-\-no\-inherit\fR
.RS 4
The new role will not automatically inherit privileges of roles it is a member of\&.
.RE
.PP
\fB\-\-interactive\fR
.RS 4
Prompt for the user name if none is specified on the command line, and also prompt for whichever of the options
\fB\-d\fR/\fB\-D\fR,
\fB\-r\fR/\fB\-R\fR,
\fB\-s\fR/\fB\-S\fR
is not specified on the command line\&. (This was the default behavior up to PostgreSQL 9\&.1\&.)
.RE
.PP
\fB\-l\fR
.br
\fB\-\-login\fR
.RS 4
The new user will be allowed to log in (that is, the user name can be used as the initial session user identifier)\&. This is the default\&.
.RE
.PP
\fB\-L\fR
.br
\fB\-\-no\-login\fR
.RS 4
The new user will not be allowed to log in\&. (A role without login privilege is still useful as a means of managing database permissions\&.)
.RE
.PP
\fB\-m \fR\fB\fIrole\fR\fR
.br
\fB\-\-with\-member=\fR\fB\fIrole\fR\fR
.RS 4
Specifies an existing role that will be automatically added as a member of the new role\&. Multiple existing roles can be specified by writing multiple
\fB\-m\fR
switches\&.
.RE
.PP
\fB\-P\fR
.br
\fB\-\-pwprompt\fR
.RS 4
If given,
createuser
will issue a prompt for the password of the new user\&. This is not necessary if you do not plan on using password authentication\&.
.RE
.PP
\fB\-r\fR
.br
\fB\-\-createrole\fR
.RS 4
The new user will be allowed to create, alter, drop, comment on, change the security label for other roles; that is, this user will have
CREATEROLE
privilege\&. See
role creation
for more details about what capabilities are conferred by this privilege\&.
.RE
.PP
\fB\-R\fR
.br
\fB\-\-no\-createrole\fR
.RS 4
The new user will not be allowed to create new roles\&. This is the default\&.
.RE
.PP
\fB\-s\fR
.br
\fB\-\-superuser\fR
.RS 4
The new user will be a superuser\&.
.RE
.PP
\fB\-S\fR
.br
\fB\-\-no\-superuser\fR
.RS 4
The new user will not be a superuser\&. This is the default\&.
.RE
.PP
\fB\-v \fR\fB\fItimestamp\fR\fR
.br
\fB\-\-valid\-until=\fR\fB\fItimestamp\fR\fR
.RS 4
Set a date and time after which the role\*(Aqs password is no longer valid\&. The default is to set no password expiry date\&.
.RE
.PP
\fB\-V\fR
.br
\fB\-\-version\fR
.RS 4
Print the
createuser
version and exit\&.
.RE
.PP
\fB\-\-bypassrls\fR
.RS 4
The new user will bypass every row\-level security (RLS) policy\&.
.RE
.PP
\fB\-\-no\-bypassrls\fR
.RS 4
The new user will not bypass row\-level security (RLS) policies\&. This is the default\&.
.RE
.PP
\fB\-\-replication\fR
.RS 4
The new user will have the
REPLICATION
privilege, which is described more fully in the documentation for
CREATE ROLE (\fBCREATE_ROLE\fR(7))\&.
.RE
.PP
\fB\-\-no\-replication\fR
.RS 4
The new user will not have the
REPLICATION
privilege, which is described more fully in the documentation for
CREATE ROLE (\fBCREATE_ROLE\fR(7))\&. This is the default\&.
.RE
.PP
\fB\-?\fR
.br
\fB\-\-help\fR
.RS 4
Show help about
createuser
command line arguments, and exit\&.
.RE
.PP
createuser
also accepts the following command\-line arguments for connection parameters:
.PP
\fB\-h \fR\fB\fIhost\fR\fR
.br
\fB\-\-host=\fR\fB\fIhost\fR\fR
.RS 4
Specifies the host name of the machine on which the server is running\&. If the value begins with a slash, it is used as the directory for the Unix domain socket\&.
.RE
.PP
\fB\-p \fR\fB\fIport\fR\fR
.br
\fB\-\-port=\fR\fB\fIport\fR\fR
.RS 4
Specifies the TCP port or local Unix domain socket file extension on which the server is listening for connections\&.
.RE
.PP
\fB\-U \fR\fB\fIusername\fR\fR
.br
\fB\-\-username=\fR\fB\fIusername\fR\fR
.RS 4
User name to connect as (not the user name to create)\&.
.RE
.PP
\fB\-w\fR
.br
\fB\-\-no\-password\fR
.RS 4
Never issue a password prompt\&. If the server requires password authentication and a password is not available by other means such as a
\&.pgpass
file, the connection attempt will fail\&. This option can be useful in batch jobs and scripts where no user is present to enter a password\&.
.RE
.PP
\fB\-W\fR
.br
\fB\-\-password\fR
.RS 4
Force
createuser
to prompt for a password (for connecting to the server, not for the password of the new user)\&.
.sp
This option is never essential, since
createuser
will automatically prompt for a password if the server demands password authentication\&. However,
createuser
will waste a connection attempt finding out that the server wants a password\&. In some cases it is worth typing
\fB\-W\fR
to avoid the extra connection attempt\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBPGHOST\fR
.br
\fBPGPORT\fR
.br
\fBPGUSER\fR
.RS 4
Default connection parameters
.RE
.PP
\fBPG_COLOR\fR
.RS 4
Specifies whether to use color in diagnostic messages\&. Possible values are
always,
auto
and
never\&.
.RE
.PP
This utility, like most other
PostgreSQL
utilities, also uses the environment variables supported by
libpq
(see
Section\ \&32.15)\&.
.SH "DIAGNOSTICS"
.PP
In case of difficulty, see
CREATE ROLE (\fBCREATE_ROLE\fR(7))
and
\fBpsql\fR(1)
for discussions of potential problems and error messages\&. The database server must be running at the targeted host\&. Also, any default connection settings and environment variables used by the
libpq
front\-end library will apply\&.
.SH "EXAMPLES"
.PP
To create a user
joe
on the default database server:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser joe\fR
.fi
.if n \{\
.RE
.\}
.PP
To create a user
joe
on the default database server with prompting for some additional attributes:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser \-\-interactive joe\fR
Shall the new role be a superuser? (y/n) \fBn\fR
Shall the new role be allowed to create databases? (y/n) \fBn\fR
Shall the new role be allowed to create more new roles? (y/n) \fBn\fR
.fi
.if n \{\
.RE
.\}
.PP
To create the same user
joe
using the server on host
eden, port 5000, with attributes explicitly specified, taking a look at the underlying command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser \-h eden \-p 5000 \-S \-D \-R \-e joe\fR
CREATE ROLE joe NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;
.fi
.if n \{\
.RE
.\}
.PP
To create the user
joe
as a superuser, and assign a password immediately:
.sp
.if n \{\
.RS 4
.\}
.nf
$ \fBcreateuser \-P \-s \-e joe\fR
Enter password for new role: \fBxyzzy\fR
Enter it again: \fBxyzzy\fR
CREATE ROLE joe PASSWORD \*(Aqmd5b5f5ba1a423792b526f799ae4eb3d59e\*(Aq SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;
.fi
.if n \{\
.RE
.\}
.sp
In the above example, the new password isn\*(Aqt actually echoed when typed, but we show what was typed for clarity\&. As you see, the password is encrypted before it is sent to the client\&.
.SH "SEE ALSO"
\fBdropuser\fR(1), CREATE ROLE (\fBCREATE_ROLE\fR(7)), createrole_self_grant