How to get all roles that a user is a member of (including inherited roles)?

Question

Let's say I have two Postgresql database groups, "authors" and "editors", and two users, "maxwell" and "ernest".

create role authors;

create role editors;

create user maxwell;

create user ernest;

grant authors to editors; --editors can do what authors can do

grant editors to maxwell; --maxwell is an editor

grant authors to ernest; --ernest is an author

I would like to write a performant function that returns a list of the roles (preferably their oid's) that maxwell belongs to, something like this:

create or replace function get_all_roles() returns oid[] ...

It should return the oids for maxwell, authors, and editors (but not ernest).

But I am not sure how to do it when there is inheritance.

Erwin Brandstetter · Accepted Answer · 2020-02-21T19:17:32.130

56

You can query the system catalog with a recursive query, in particular pg_auth_members:

WITH RECURSIVE cte AS (
   SELECT oid FROM pg_roles WHERE rolname = 'maxwell'

   UNION ALL
   SELECT m.roleid
   FROM   cte
   JOIN   pg_auth_members m ON m.member = cte.oid
   )
SELECT oid, oid::regrole::text AS rolename FROM cte;  -- oid & name

The manual about the cast to object identifier type regrole.

BTW 1: INHERIT is the default behavior of CREATE ROLE and doesn't have to be spelled out.

BTW 2: circular dependencies are not possible. Postgres disallows that. So we don't have to check for that.

edited Feb 21 '20 at 19:17

answered Jan 03 '14 at 22:42

Erwin Brandstetter

175,982
27
439
600

How can I see the role name instead of only the id? – david.perez Feb 19 '20 at 11:04
1

@david.perez: I added the role name and some explanation above. – Erwin Brandstetter Feb 21 '20 at 19:20
"INHERIT is the default behavior of and doesn't have to be spelled out." - don't you still need to check for that in the JOIN though? – Bergi Jan 24 '23 at 14:52
Is it possible to go the other way? So instead of getting all parents get all children? – baxx Mar 27 '24 at 11:20

score 30 · Answer 2 · edited Apr 13 '17 at 12:42

This is a simplified version of Craig Ringer's answer that a non superuser can use directly:

 SELECT oid, rolname FROM pg_roles WHERE
   pg_has_role( 'maxwell', oid, 'member');

pg_roles is essentially a view on pg_authid accessible to public, as it doesn't reveal passwords, contrary to pg_authid. The base oid is even exported into the view. When not needing passwords, there's no point in creating the dedicated superuser-owned function.

Craig Ringer · Answer 3 · 2014-01-04T01:26:17.623

Short version:

SELECT a.oid 
FROM pg_authid a 
WHERE pg_has_role('maxwell', a.oid, 'member');

Here we use a version of pg_has_role that takes a role name as the subject and role oid to test for membership, passing member mode so we test for inherited memberships.

The advantage of using pg_has_role is that it uses PostgreSQL's internal caches of role information to satisfy membership queries quickly.

You might want to wrap this in a SECURITY DEFINER function, since pg_authid has restricted access. Something like:

CREATE OR REPLACE FUNCTION user_role_memberships(text)
RETURNS SETOF oid
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
SELECT a.oid 
FROM pg_authid a 
WHERE pg_has_role($1, a.oid, 'member');
$$;

REVOKE EXECUTE ON FUNCTION user_role_memberships(text) FROM public;

GRANT EXECUTE ON FUNCTION user_role_memberships(text) TO ...whoever...;

You can use pg_get_userbyid(oid) to get the role name from the oid without the need to query pg_authid:

SELECT a.oid AS member_oid, pg_get_userbyid(oid) AS member_name
FROM pg_authid a 
WHERE pg_has_role('maxwell', a.oid, 'member');

+1 anyway, since pg_has_role() is probably a bit faster than my recursive query, even if that hardly matters. One last thing though: it returns all roles for supersusers, which may or may not be a welcome side effect. That's where the result differs from my query. — Erwin Brandstetter, Jan 04 '14 at 01:31

score 6 · Answer 4 · answered Feb 24 '19 at 07:17

6

Here is my take on it. It works for one specific user or all users.

select a.oid as user_role_id
, a.rolname as user_role_name
, b.roleid as other_role_id
, c.rolname as other_role_name
from pg_roles a
inner join pg_auth_members b on a.oid=b.member
inner join pg_roles c on b.roleid=c.oid 
where a.rolname = 'user_1'

answered Feb 24 '19 at 07:17

Alexis.Rolland

161
1
3

2

This would be much improved if you explained how if differed from, and improved upon, the previous answers. You can edit the additional information directly into the answer. – Michael Green Feb 24 '19 at 10:07

score 1 · Answer 5 · edited Feb 05 '19 at 16:38

1

I believe this will do it

SELECT 
    oid 
FROM 
    pg_roles 
WHERE 
    oid IN (SELECT 
                roleid 
            FROM 
                pg_auth_members 
            WHERE 
                member=(SELECT oid FROM pg_roles WHERE rolname='maxwell'));

If you prefer to get the role names then replace the first oid with rolname.

edited Feb 05 '19 at 16:38

McNets

23,749
10
48
88

answered Feb 05 '19 at 15:21

SureShotUK

11
1

Use oid::regrole::text column to get roles name – Kiruahxh Dec 09 '21 at 08:54
This ignores multi-level inheritance afaict – Bergi Jan 24 '23 at 16:27

score 1 · Answer 6 · answered Jul 02 '19 at 22:19

if you want to know all roles of your currently active role:

CREATE OR REPLACE VIEW public.my_roles
AS WITH RECURSIVE cte AS (
         SELECT pg_roles.oid,
            pg_roles.rolname
           FROM pg_roles
          WHERE pg_roles.rolname = CURRENT_USER
        UNION ALL
         SELECT m.roleid,
            pgr.rolname
           FROM cte cte_1
             JOIN pg_auth_members m ON m.member = cte_1.oid
             JOIN pg_roles pgr ON pgr.oid = m.roleid
        )
 SELECT array_agg(cte.rolname) AS my_roles
   FROM cte;

How to get all roles that a user is a member of (including inherited roles)?

6 Answers6

Linked