AlloyDB Omni user role overview

This page describes how AlloyDB Omni on a VM works with PostgreSQL roles. This page assumes that you are familiar with PostgreSQL.

An AlloyDB Omni database uses the standard PostgreSQL concept of roles. A role can act as a database user, a group of users, or both.

A user role has the LOGIN privilege that lets users sign in to the AlloyDB Omni system. A group role has member roles with various privileges, which you can grant to or revoke from all members at once.

AlloyDB Omni predefined PostgreSQL roles

PostgreSQL has a set of predefined roles with various privileges. AlloyDB Omni adds several user and group roles to this set of PostgreSQL's predefined roles.

The following table lists the PostgreSQL roles that AlloyDB Omni predefines:

Role name        Privileges
alloydbadmin     SUPERUSER (which includes CREATEROLE, CREATEDB, and LOGIN).
alloydbmetadata  By default, this role does not have any privileges.

In addition, AlloyDB Omni reserves the following role names, which are unused but may be used in the future:

Role name             Privileges
alloydbagent          NOLOGIN
alloydbexport         NOLOGIN
alloydbiamgroupuser   NOLOGIN
alloydbiamuser        NOLOGIN
alloydbimportexport   NOLOGIN
alloydbobservability  NOLOGIN
alloydbreplica        NOLOGIN
alloydbsqllogical     NOLOGIN
alloydbsuperuser      NOLOGIN

The alloydbadmin user role

The alloydbadmin role is a predefined role that sets up the database system and performs other superuser tasks. This role has the following privileges:

  • Create extensions that require superuser privileges
  • Create event triggers
  • Create replication users
  • Create replication publications and subscriptions

This role is only used by AlloyDB Omni internal tools and shouldn't be used by users.

The alloydbmetadata role

The alloydbmetadata role is a predefined role with fewer privileges, also used by AlloyDB Omni internally. Similar to alloydbadmin, this role shouldn't be used by other users.
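The following query is an added example, not part of the AlloyDB Omni documentation. It compares the live catalog with the role tables on this page and lists anything to review: a reserved role that can log in, alloydbmetadata holding elevated attributes, or another role that has been granted membership in alloydbadmin or alloydbmetadata. It uses only the standard PostgreSQL catalogs pg_roles and pg_auth_members; the labels 'internal' and 'reserved' and the wording of the findings are choices made for this example.

```sql
-- Added example: review predefined AlloyDB Omni roles for drift from the
-- attributes documented on this page. Read-only; returns zero rows when
-- nothing needs review.
WITH expected(rolname, kind) AS (
  VALUES
    ('alloydbadmin',         'internal'),
    ('alloydbmetadata',      'internal'),
    ('alloydbagent',         'reserved'),
    ('alloydbexport',        'reserved'),
    ('alloydbiamgroupuser',  'reserved'),
    ('alloydbiamuser',       'reserved'),
    ('alloydbimportexport',  'reserved'),
    ('alloydbobservability', 'reserved'),
    ('alloydbreplica',       'reserved'),
    ('alloydbsqllogical',    'reserved'),
    ('alloydbsuperuser',     'reserved')
),
attr_findings AS (
  SELECT r.rolname::text AS rolname,
         CASE
           -- Reserved names are documented as NOLOGIN.
           WHEN e.kind = 'reserved' AND r.rolcanlogin
             THEN 'reserved role can LOGIN'
           -- alloydbmetadata is documented as having no privileges by default.
           WHEN r.rolname = 'alloydbmetadata'
                AND (r.rolsuper OR r.rolcreaterole OR r.rolcreatedb
                     OR r.rolreplication OR r.rolbypassrls)
             THEN 'alloydbmetadata has elevated attributes'
         END AS finding
  FROM pg_roles r
  JOIN expected e ON r.rolname = e.rolname::name
),
member_findings AS (
  -- The internal roles should not be used by users, so any role that was
  -- granted membership in one of them is worth a look.
  SELECT g.rolname::text AS rolname,
         'membership granted to ' || m.rolname::text AS finding
  FROM pg_auth_members am
  JOIN pg_roles g ON g.oid = am.roleid
  JOIN pg_roles m ON m.oid = am.member
  JOIN expected e ON g.rolname = e.rolname::name
  WHERE e.kind = 'internal'
)
SELECT rolname, finding FROM attr_findings WHERE finding IS NOT NULL
UNION ALL
SELECT rolname, finding FROM member_findings
ORDER BY 1, 2;
```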
