--- title: "pg_authid" id: catalog-pg-authid pg_version: "20devel" --- ## 52.8. pg_authid The catalog pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of "users" and "groups". A user is essentially just a role with the `rolcanlogin` flag set. Any role (with or without `rolcanlogin`) can have other roles as members; see [pg_auth_members](catalog-pg-auth-members.md). Since this catalog contains passwords, it must not be publicly readable. [pg_roles](view-pg-roles.md) is a publicly readable view on pg_authid that blanks out the password field. [Chapter 21](user-manag.md) contains detailed information about user and privilege management. Because user identities are cluster-wide, pg_authid is shared across all databases of a cluster: there is only one copy of pg_authid per cluster, not one per database. **pg_authid Columns** | Column Type | Description | | --- | --- | | `oid` `oid` | Row identifier | | `rolname` `name` | Role name | | `rolsuper` `bool` | Role has superuser privileges | | `rolinherit` `bool` | Role automatically inherits privileges of roles it is a member of | | `rolcreaterole` `bool` | Role can create more roles | | `rolcreatedb` `bool` | Role can create databases | | `rolcanlogin` `bool` | Role can log in. That is, this role can be given as the initial session authorization identifier. | | `rolreplication` `bool` | Role is a replication role. A replication role can initiate replication connections and create and drop replication slots. | | `rolbypassrls` `bool` | Role bypasses every row-level security policy, see [Section 5.10](ddl-rowsecurity.md) for more information. | | `rolconnlimit` `int4` | For roles that can log in, this sets maximum number of concurrent connections this role can make. -1 means no limit. | | `rolpassword` `text` | Encrypted password; null if none. The format depends on the form of encryption used. | | `rolvaliduntil` `timestamptz` | Password expiry time (only used for password authentication); null if no expiration | For an MD5 encrypted password, `rolpassword` column will begin with the string `md5` followed by a 32-character hexadecimal MD5 hash. The MD5 hash will be of the user's password concatenated to their user name. For example, if user `joe` has password `xyzzy`, PostgreSQL will store the md5 hash of `xyzzyjoe`. > [!WARNING] > Support for MD5-encrypted passwords is deprecated and will be removed in a future release of PostgreSQL. Refer to [Section 20.5](auth-password.md) for details about migrating to another password type. If the password is encrypted with SCRAM-SHA-256, it has the format: ``` SCRAM-SHA-256$:$: ``` where `salt`, `StoredKey` and `ServerKey` are in Base64 encoded format. This format is the same as that specified by [RFC 5803](https://datatracker.ietf.org/doc/html/rfc5803).