DEV Community

Talha Munir 🇵🇸
Talha Munir 🇵🇸

Posted on • Edited on

What can a pg_ba_admin do and what they can't

Now we will discuss what a pg_ba_admin role can do, and what actions are out of the reach of the user with this role.

What can a pg_ba admin role do:
A user with a pg_ba_admin role can perform many operations typically reserved for the Postgres superuser. For example, they can:

  • Create roles
  • Create Databases
  • Create, modify, and delete any non-superuser role which also includes the setting of passwords.
  • SET Another role for any user except the superuser without the need for a password.
  • Read the data from all the Postgres system catalogs in pg_catalog.
  • Read and write to all user objects such as tables, views, etc.
  • Perform all monitoring functions on the Postgres instance.
  • Install supported extensions for EDB.
  • Grant pg_checkpoint role to itself and to other users.

What a pg_ba_admin can't do:
There are certain roles and actions that can't be performed by pg_ba_admin. Some of them are mentioned below:

  • Can't execute programs on the server.
  • Can't Create tablespaces, casts, operator classes, access methods, and text search templates.
  • Can't read or write files on the server. pg_ba_admin does not have permission to read or write server files.
  • Can't Define LeakProof functions.
  • Can't install unsupported extensions.
  • Can't execute set session authorization.
  • Can't execute reindex system catalogs.
  • Can't create a language with custom handlers.

Top comments (0)