Adding Roles for LDAP Logins
A role manager assigns a DSE role by matching the username provided for authentication with a DSE role name. Create a role for each LDAP user who needs to access the database.
Create a login role whose name matches the LDAP username:
CREATE ROLE <ldap_user_role> WITH LOGIN = true;
<ldap_user_role> - The username passed from the authenticator to the role manager; the string is exactly as the user entered it at login, including case.
LOGIN - Required to allow the user basic access to the database.
SUPERUSER - Grants full database access, except on objects where access has been restricted (see Restricting access to data).
Do NOT set a password; authentication is performed by LDAP, not by the database.
Bind the role to the LDAP authentication scheme:
GRANT EXECUTE ON LDAP SCHEME TO <ldap_user_role>;
To allow another role to manage the new role:
GRANT AUTHORIZE FOR ALTER, DROP ON <new_role_name> TO <management_role>;
All superusers have AUTHORIZE permission on all roles, and the role that created a role is granted all permissions on it.
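The following is an added example, not part of the DSE documentation or tooling: a small Python helper that emits the statements above for one or many LDAP users, double-quoting each role name so the exact case the user types at login survives (it assumes the standard CQL rule that unquoted identifiers are folded to lowercase) and never attaching a PASSWORD. The function and parameter names are this example's own.

```python
"""Generate the CQL that maps LDAP users to DSE login roles.

Constructed example. Assumes the standard CQL identifier rule: unquoted
names are lowercased, so role names are double-quoted to preserve the
case the LDAP user enters at login.
"""
from typing import Iterable, List, Optional


def quote_ident(name: str) -> str:
    """Double-quote a CQL identifier, escaping embedded double quotes."""
    if not name or any(c in name for c in "\r\n\0"):
        raise ValueError(f"invalid role name: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def ldap_login_role_statements(username: str,
                               management_role: Optional[str] = None,
                               superuser: bool = False) -> List[str]:
    """Return the CQL statements that let one LDAP user log in.

    Never emits PASSWORD: LDAP does the authenticating; the DSE role
    only carries LOGIN and the permissions granted to it.
    """
    role = quote_ident(username)
    stmts = [
        f"CREATE ROLE {role} WITH LOGIN = true"
        + (" AND SUPERUSER = true" if superuser else "") + ";",
        # Bind the role to the LDAP scheme so it is only usable by
        # sessions that authenticated through LDAP.
        f"GRANT EXECUTE ON LDAP SCHEME TO {role};",
    ]
    if management_role is not None:
        # Let a non-superuser management role alter or drop this role.
        stmts.append(
            f"GRANT AUTHORIZE FOR ALTER, DROP ON {role} "
            f"TO {quote_ident(management_role)};"
        )
    return stmts


def batch(usernames: Iterable[str],
          management_role: Optional[str] = None) -> List[str]:
    """Statements for many users; SUPERUSER is never granted in bulk."""
    out: List[str] = []
    for user in usernames:
        out.extend(ldap_login_role_statements(user, management_role))
    return out
```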