Skip to content
Learn Netverks

Lesson

Step 29/36 81% through track

roles-security-postgresql

Roles and security

Last reviewed May 28, 2026 Content v20260528
Track mode
sql_sandbox
Means
SQL sandbox
Reading
~2 min
Level
intermediate

This lesson

This lesson teaches Roles and security: the SQL patterns, schema habits, and query reasoning you need before advancing in PostgreSQL.

GRANT/REVOKE and RLS protect multi-tenant SaaS—misconfigured roles are audit findings.

You will apply Roles and security in contexts like: Multi-tenant SaaS, PgBouncer in front of app servers, and least-privilege service accounts.

Copy Postgres SQL into psql, local PostgreSQL, or DB Fiddle (PostgreSQL dialect)—use \d and EXPLAIN ANALYZE where lessons show them. The in-browser lab ships later; psql is the practice path now.

When you can explain the previous lesson's ideas without copying example queries verbatim.

Postgres uses roles for login users and groups. Least-privilege grants limit damage from compromised app credentials.

Create roles and grants

CREATE ROLE app_reader LOGIN PASSWORD 'change-me';
GRANT CONNECT ON DATABASE practice TO app_reader;
GRANT USAGE ON SCHEMA public TO app_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_reader;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO app_reader;

Practice: Run on a local Postgres instance you own. Avoid changing production cluster settings.

Row Level Security preview

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON orders
  USING (tenant_id = current_setting('app.tenant_id')::int);

RLS filters rows per session—multi-tenant SaaS pattern.

Connection security

Use TLS in production, rotate passwords, prefer IAM/auth proxy on managed clouds. Never embed superuser creds in application repos.

Important interview questions and answers

  1. Q: ROLE vs USER?
    A: In modern Postgres, USER is CREATE ROLE with LOGIN—roles are unified.
  2. Q: RLS purpose?
    A: Enforces per-tenant or per-user row visibility inside the database.

Self-check

  1. How do you grant read-only access to all public tables?
  2. Why enable RLS on multi-tenant tables?

Tip: App roles should lack SUPERUSER and CREATE on public in production.

Interview prep

Least privilege?

App role lacks superuser and destructive DDL rights.

RLS?

Row Level Security filters rows per session policy.

Interview tip Lesson completion confidence

Can you explain this lesson in 30 seconds without reading notes?

Not saved yet.

Check yourself

Multiple choice — immediate feedback.

Discussion

Past discussion is visible to everyone. Only logged-in users can post comments and replies.

Starter discussion topics

  • GRANT least privilege?
  • RLS when?

Sign up or log in to post comments and sync lesson progress across devices.

No discussion yet. Be the first to ask a question.

Jump

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36