User management

This article describes Postgres user and role management within Crunchy Bridge.

Each Postgres instance provisioned within Crunchy Bridge will by default receive at least 3 Postgres roles.

Postgres role - This is your Postgres super user account. Administrators within the team have access to this role. It is not recommended to connect to your application with this role. Intended use of the Postgres role is for administrative functionality of users and permissions of your database. The Postgres user can enable new extensions. By default auditing with pgaudit is enabled for the Postgres role.

Application role - This is a role created that is intended to be connect to your application. Administrators and managers within the team have access to this role. This role has standard permissions to create/modify/destroy tables, insert data, and perform most general operations against your database. By default auditing of the commands run by this role within your Postgres database are disabled.

Individual user roles - On Crunchy Bridge, all members of a team receive a unique user credential to connect to their Crunchy Bridge database. Default permissions for the user role is defined by the "Default database role access" in the Team Settings. This is set when a team is initially created and can be modified by a team administrator:

To change permissions on existing roles or for more fine-grained control over permissions, an administrator with the postgres user role can connect and change the privileges for a specific role. For example, assuming the default for new members had been changed to Write access but you wish to restrict a particular role to read-only access, an administrator could run the following SQL commands:

REVOKE crunchy_write FROM <user_role>;
GRANT crunchy_read TO <user_role>;

User roles naming

The cluster Settings page has a Roles tab where you can see the roles in use. Each individual user created will have a role name that is a unique character string starting with u_. This user role is what you'll need to use if you happen to be searching logs for a user's audit information.

For more information, check out the documentation on Team management.