Now we will discuss what a pg_ba_admin role can do, and what actions are out of the reach of the user with this role.
What can a pg_ba admin role do:
A user with a pg_ba_admin role can perform many operations typically reserved for the Postgres superuser. For example, they can:
- Create roles
- Create Databases
- Create, modify, and delete any non-superuser role which also includes the setting of passwords.
- SET Another role for any user except the superuser without the need for a password.
- Read the data from all the Postgres system catalogs in pg_catalog.
- Read and write to all user objects such as tables, views, etc.
- Perform all monitoring functions on the Postgres instance.
- Install supported extensions for EDB.
- Grant pg_checkpoint role to itself and to other users.
What a pg_ba_admin can't do:
There are certain roles and actions that can't be performed by pg_ba_admin. Some of them are mentioned below:
- Can't execute programs on the server.
- Can't Create tablespaces, casts, operator classes, access methods, and text search templates.
- Can't read or write files on the server. pg_ba_admin does not have permission to read or write server files.
- Can't Define LeakProof functions.
- Can't install unsupported extensions.
- Can't execute set session authorization.
- Can't execute reindex system catalogs.
- Can't create a language with custom handlers.
Top comments (0)