markdown/reference/sql/SET-ROLE.html.md.erb - hawq-docs - Git at Google

 ---
 title: SET ROLE
 ---

 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->

 Sets the current role identifier of the current session.

 ## <a id="topic1__section2"></a>Synopsis

 ``` pre
 SET [SESSION | LOCAL] ROLE <rolename>
 SET [SESSION | LOCAL] ROLE NONE
 RESET ROLE
 ```

 ## <a id="topic1__section3"></a>Description

 This command sets the current role identifier of the current SQL-session context to be \<rolename\>. The role name may be written as either an identifier or a string literal. After `SET ROLE`, permissions checking for SQL commands is carried out as though the named role were the one that had logged in originally.

 The specified \<rolename\> must be a role that the current session user is a member of. If the session user is a superuser, any role can be selected.

 The `NONE` and `RESET` forms reset the current role identifier to be the current session role identifier. These forms may be executed by any user.

 ## <a id="topic1__section4"></a>Parameters

 <dt>SESSION  </dt>
 <dd>Specifies that the command takes effect for the current session. This is the default.</dd>

 <dt>LOCAL  </dt>
 <dd>Specifies that the command takes effect for only the current transaction. After `COMMIT` or `ROLLBACK`, the session-level setting takes effect again. Note that `SET LOCAL` will appear to have no effect if it is executed outside of a transaction.</dd>

 <dt> \<rolename\>   </dt>
 <dd>The name of a role to use for permissions checking in this session.</dd>

 <dt>NONE
 RESET  </dt>
 <dd>Reset the current role identifier to be the current session role identifier (that of the role used to log in).</dd>

 ## <a id="topic1__section5"></a>Notes

 Using this command, it is possible to either add privileges or restrict privileges. If the session user role has the `INHERITS` attribute, then it automatically has all the privileges of every role that it could `SET ROLE` to; in this case `SET ROLE` effectively drops all the privileges assigned directly to the session user and to the other roles it is a member of, leaving only the privileges available to the named role. On the other hand, if the session user role has the `NOINHERITS` attribute, `SET ROLE` drops the privileges assigned directly to the session user and instead acquires the privileges available to the named role.

 In particular, when a superuser chooses to `SET ROLE` to a non-superuser role, she loses her superuser privileges.

 `SET ROLE` has effects comparable to `SET SESSION AUTHORIZATION`, but the privilege checks involved are quite different. Also, `SET SESSION AUTHORIZATION` determines which roles are allowable for later `SET ROLE` commands, whereas changing roles with `SET ROLE` does not change the set of roles allowed to a later `SET ROLE`.

 ## <a id="topic1__section6"></a>Examples

 ``` sql
 SELECT SESSION_USER, CURRENT_USER;
 ```
 ``` pre
  session_user | current_user
 --------------+--------------
  peter        | peter
 ```
 ``` sql
 SET ROLE 'paul';
 SELECT SESSION_USER, CURRENT_USER;
 ```
 ``` pre
  session_user | current_user
 --------------+--------------
  peter        | paul
 ```

 ## <a id="topic1__section7"></a>Compatibility

 HAWQ allows identifier syntax (\<rolename\>), while the SQL standard requires the role name to be written as a string literal. SQL does not allow this command during a transaction; HAWQ does not make this restriction. The `SESSION` and `LOCAL` modifiers are a HAWQ extension, as is the `RESET` syntax.

 ## <a id="topic1__section8"></a>See Also

 [SET SESSION AUTHORIZATION](SET-SESSION-AUTHORIZATION.html)
	---
	title: SET ROLE
	---

	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->

	Sets the current role identifier of the current session.

	## <a id="topic1__section2"></a>Synopsis

	``` pre
	SET [SESSION \| LOCAL] ROLE <rolename>
	SET [SESSION \| LOCAL] ROLE NONE
	RESET ROLE
	```

	## <a id="topic1__section3"></a>Description

	This command sets the current role identifier of the current SQL-session context to be \<rolename\>. The role name may be written as either an identifier or a string literal. After `SET ROLE`, permissions checking for SQL commands is carried out as though the named role were the one that had logged in originally.

	The specified \<rolename\> must be a role that the current session user is a member of. If the session user is a superuser, any role can be selected.

	The `NONE` and `RESET` forms reset the current role identifier to be the current session role identifier. These forms may be executed by any user.

	## <a id="topic1__section4"></a>Parameters

	<dt>SESSION </dt>
	<dd>Specifies that the command takes effect for the current session. This is the default.</dd>

	<dt>LOCAL </dt>
	<dd>Specifies that the command takes effect for only the current transaction. After `COMMIT` or `ROLLBACK`, the session-level setting takes effect again. Note that `SET LOCAL` will appear to have no effect if it is executed outside of a transaction.</dd>

	<dt> \<rolename\> </dt>
	<dd>The name of a role to use for permissions checking in this session.</dd>

	<dt>NONE
	RESET </dt>
	<dd>Reset the current role identifier to be the current session role identifier (that of the role used to log in).</dd>

	## <a id="topic1__section5"></a>Notes

	Using this command, it is possible to either add privileges or restrict privileges. If the session user role has the `INHERITS` attribute, then it automatically has all the privileges of every role that it could `SET ROLE` to; in this case `SET ROLE` effectively drops all the privileges assigned directly to the session user and to the other roles it is a member of, leaving only the privileges available to the named role. On the other hand, if the session user role has the `NOINHERITS` attribute, `SET ROLE` drops the privileges assigned directly to the session user and instead acquires the privileges available to the named role.

	In particular, when a superuser chooses to `SET ROLE` to a non-superuser role, she loses her superuser privileges.

	`SET ROLE` has effects comparable to `SET SESSION AUTHORIZATION`, but the privilege checks involved are quite different. Also, `SET SESSION AUTHORIZATION` determines which roles are allowable for later `SET ROLE` commands, whereas changing roles with `SET ROLE` does not change the set of roles allowed to a later `SET ROLE`.

	## <a id="topic1__section6"></a>Examples

	``` sql
	SELECT SESSION_USER, CURRENT_USER;
	```
	``` pre
	session_user \| current_user
	--------------+--------------
	peter \| peter
	```
	``` sql
	SET ROLE 'paul';
	SELECT SESSION_USER, CURRENT_USER;
	```
	``` pre
	session_user \| current_user
	--------------+--------------
	peter \| paul
	```

	## <a id="topic1__section7"></a>Compatibility

	HAWQ allows identifier syntax (\<rolename\>), while the SQL standard requires the role name to be written as a string literal. SQL does not allow this command during a transaction; HAWQ does not make this restriction. The `SESSION` and `LOCAL` modifiers are a HAWQ extension, as is the `RESET` syntax.

	## <a id="topic1__section8"></a>See Also

	[SET SESSION AUTHORIZATION](SET-SESSION-AUTHORIZATION.html)