Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Users and Roles

SQL Server Usage

SQL Server provides two layers of security principals: logins at the server level and users at the database level. Logins are mapped to users in one or more databases. Administrators can grant logins server-level permissions that aren’t mapped to particular databases such as database creator, system administrator, and security administrator.

SQL Server also supports roles for both the server and the database levels. At the database level, administrators can create custom roles in addition to the general purpose built-in roles.

For each database, administrators can create users and associate them with logins. At the database level, the built-in roles include db_owner, db_datareader, db_securityadmin, and others. A database user can belong to one or more roles (users are assigned to the public role by default and can’t be removed). Administrators can grant permissions to roles and then assign individual users to the roles to simplify security management.

Logins are authenticated using either Windows Authentication, which uses the Windows Server Active Directory framework for integrated single sign-on, or SQL authentication, which is managed by the SQL Server service and requires a password, certificate, or asymmetric key for identification. You can create logins that use Windows Authentication for individual users and domain groups.

In previous versions of SQL server, the concepts of user and schema were interchangeable. For backward compatibility, each database has several existing schemas, including a default schema named dbo which is owned by the db_owner role. Logins with system administrator privileges are automatically mapped to the dbo user in each database. Typically, you don’t need to migrate these schemas.

Examples

Create a login.

CREATE LOGIN MyLogin WITH PASSWORD = 'MyPassword'

Create a database user for MyLogin.

USE MyDatabase; CREATE USER MyUser FOR LOGIN MyLogin;

Assign MyLogin to a server role.

ALTER SERVER ROLE dbcreator ADD MEMBER 'MyLogin'

Assign MyUser to the db_datareader role.

ALTER ROLE db_datareader ADD MEMBER 'MyUser';

For more information, see Database-level roles in the SQL Server documentation.

PostgreSQL Usage

PostgreSQL supports only roles; there are no users. However, there is a CREATE USER command, which is an alias for CREATE ROLE that automatically includes the LOGIN permission.

Roles are defined at the database cluster level and are valid in all databases in the PostgreSQL cluster.

Syntax

The following example shows a simplified syntax for CREATE ROLE in Amazon Aurora PostgreSQL-Compatible Edition (Aurora PostgreSQL).

CREATE ROLE name [ [ WITH ] option [ ... ] ]

where option can be:

  SUPERUSER | NOSUPERUSER
  | CREATEDB | NOCREATEDB
  | CREATEROLE | NOCREATEROLE
  | INHERIT | NOINHERIT
  | LOGIN | NOLOGIN
  | REPLICATION | NOREPLICATION
  | BYPASSRLS | NOBYPASSRLS
  | CONNECTION LIMIT connlimit
  | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password'
  | VALID UNTIL 'timestamp'
  | IN ROLE role_name [, ...]
  | IN GROUP role_name [, ...]
  | ROLE role_name [, ...]
  | ADMIN role_name [, ...]
  | USER role_name [, ...]
  | SYSID uid

The UNENCRYPTED PASSWORD option was dropped in PostgreSQL 10, the password must be kept encrypted.

Example

Create a new database role called hr_role. Users can use this role to create new databases in the PostgreSQL cluster. Note that this role isn’t able to login to the database and act as a database user. In addition, grant SELECT, INSERT, and DELETE privileges on the hr.employees table to the role.

CREATE ROLE hr_role;
GRANT SELECT, INSERT,DELETE on hr.employees to hr_role;

Summary

The following table summarizes common security tasks and the differences between SQL Server and Aurora PostgreSQL.

For more information, see CREATE ROLE in the PostgreSQL documentation.