set_user

similar to SET ROLE but with added logging

Overview

Package	Version	Category	License	Language
`set_user`	`4.2.0`	SEC	PostgreSQL	C

ID	Extension	Bin	Lib	Load	Create	Trust	Reloc	Schema
7370	`set_user`	No	Yes	No	Yes	No	No	-

Related	`pg_readonly` `pg_permissions` `pgaudit` `login_hook` `pgauditlogtofile` `pg_auth_mon` `credcheck` `pgextwlist`

Version

Type	Repo	Version	PG Ver	Package	Deps
EXT	PGDG	`4.2.0`	1817161514	`set_user`	-
RPM	PGDG	`4.2.0`	1817161514	`set_user_$v`	-
DEB	PGDG	`4.2.0`	1817161514	`postgresql-$v-set-user`	-

OS / PG	PG18	PG17	PG16	PG15	PG14
el8.x86_64	PGDG 4.2.0 el8.x86_64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel8.x86_64.rpm PGDG · 4.2.0 · 26.8KiB	PGDG 4.1.0 el8.x86_64.pg17 : set_user_17 set_user_17-4.1.0-1PGDG.rhel8.x86_64.rpm PGDG · 4.1.0 · 26.4KiB	PGDG 4.1.0 el8.x86_64.pg16 : set_user_16 set_user_16-4.1.0-1PGDG.rhel8.x86_64.rpm PGDG · 4.1.0 · 26.4KiB set_user_16-4.0.1-2.rhel8.1.x86_64.rpm PGDG · 4.0.1 · 26.2KiB	PGDG 4.1.0 el8.x86_64.pg15 : set_user_15 set_user_15-4.1.0-1PGDG.rhel8.x86_64.rpm PGDG · 4.1.0 · 26.3KiB set_user_15-4.0.1-2.rhel8.x86_64.rpm PGDG · 4.0.1 · 26.0KiB set_user_15-4.0.0-1.rhel8.x86_64.rpm PGDG · 4.0.0 · 25.5KiB	PGDG 4.1.0 el8.x86_64.pg14 : set_user_14 set_user_14-4.1.0-1PGDG.rhel8.x86_64.rpm PGDG · 4.1.0 · 26.3KiB set_user_14-4.0.1-2.rhel8.x86_64.rpm PGDG · 4.0.1 · 26.0KiB set_user_14-4.0.0-1.rhel8.x86_64.rpm PGDG · 4.0.0 · 25.5KiB set_user_14-3.0.0-1.rhel8.x86_64.rpm PGDG · 3.0.0 · 25.3KiB
el8.aarch64	PGDG 4.2.0 el8.aarch64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel8.aarch64.rpm PGDG · 4.2.0 · 26.5KiB	PGDG 4.1.0 el8.aarch64.pg17 : set_user_17 set_user_17-4.1.0-1PGDG.rhel8.aarch64.rpm PGDG · 4.1.0 · 26.1KiB	PGDG 4.1.0 el8.aarch64.pg16 : set_user_16 set_user_16-4.1.0-1PGDG.rhel8.aarch64.rpm PGDG · 4.1.0 · 26.2KiB set_user_16-4.0.1-2.rhel8.1.aarch64.rpm PGDG · 4.0.1 · 25.9KiB	PGDG 4.1.0 el8.aarch64.pg15 : set_user_15 set_user_15-4.1.0-1PGDG.rhel8.aarch64.rpm PGDG · 4.1.0 · 26.1KiB set_user_15-4.0.1-2.rhel8.aarch64.rpm PGDG · 4.0.1 · 25.8KiB set_user_15-4.0.0-1.rhel8.aarch64.rpm PGDG · 4.0.0 · 25.2KiB	PGDG 4.1.0 el8.aarch64.pg14 : set_user_14 set_user_14-4.1.0-1PGDG.rhel8.aarch64.rpm PGDG · 4.1.0 · 26.1KiB set_user_14-4.0.1-2.rhel8.aarch64.rpm PGDG · 4.0.1 · 25.7KiB set_user_14-4.0.0-1.rhel8.aarch64.rpm PGDG · 4.0.0 · 25.2KiB set_user_14-3.0.0-1.rhel8.aarch64.rpm PGDG · 3.0.0 · 25.1KiB
el9.x86_64	PGDG 4.2.0 el9.x86_64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel9.x86_64.rpm PGDG · 4.2.0 · 26.5KiB	PGDG 4.1.0 el9.x86_64.pg17 : set_user_17 set_user_17-4.1.0-1PGDG.rhel9.x86_64.rpm PGDG · 4.1.0 · 26.5KiB	PGDG 4.1.0 el9.x86_64.pg16 : set_user_16 set_user_16-4.1.0-1PGDG.rhel9.x86_64.rpm PGDG · 4.1.0 · 26.5KiB set_user_16-4.0.1-2.rhel9.1.x86_64.rpm PGDG · 4.0.1 · 26.3KiB	PGDG 4.1.0 el9.x86_64.pg15 : set_user_15 set_user_15-4.1.0-1PGDG.rhel9.x86_64.rpm PGDG · 4.1.0 · 26.4KiB set_user_15-4.0.1-2.rhel9.x86_64.rpm PGDG · 4.0.1 · 26.1KiB set_user_15-4.0.0-1.rhel9.x86_64.rpm PGDG · 4.0.0 · 25.8KiB	PGDG 4.1.0 el9.x86_64.pg14 : set_user_14 set_user_14-4.1.0-1PGDG.rhel9.x86_64.rpm PGDG · 4.1.0 · 26.4KiB set_user_14-4.0.1-2.rhel9.x86_64.rpm PGDG · 4.0.1 · 26.1KiB set_user_14-4.0.0-1.rhel9.x86_64.rpm PGDG · 4.0.0 · 25.8KiB
el9.aarch64	PGDG 4.2.0 el9.aarch64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel9.aarch64.rpm PGDG · 4.2.0 · 25.8KiB	PGDG 4.1.0 el9.aarch64.pg17 : set_user_17 set_user_17-4.1.0-1PGDG.rhel9.aarch64.rpm PGDG · 4.1.0 · 25.8KiB	PGDG 4.1.0 el9.aarch64.pg16 : set_user_16 set_user_16-4.1.0-1PGDG.rhel9.aarch64.rpm PGDG · 4.1.0 · 25.9KiB set_user_16-4.0.1-2.rhel9.1.aarch64.rpm PGDG · 4.0.1 · 25.6KiB	PGDG 4.1.0 el9.aarch64.pg15 : set_user_15 set_user_15-4.1.0-1PGDG.rhel9.aarch64.rpm PGDG · 4.1.0 · 25.8KiB set_user_15-4.0.1-2.rhel9.aarch64.rpm PGDG · 4.0.1 · 25.4KiB set_user_15-4.0.0-1.rhel9.aarch64.rpm PGDG · 4.0.0 · 25.1KiB	PGDG 4.1.0 el9.aarch64.pg14 : set_user_14 set_user_14-4.1.0-1PGDG.rhel9.aarch64.rpm PGDG · 4.1.0 · 25.8KiB set_user_14-4.0.1-2.rhel9.aarch64.rpm PGDG · 4.0.1 · 25.4KiB set_user_14-4.0.0-1.rhel9.aarch64.rpm PGDG · 4.0.0 · 25.1KiB set_user_14-3.0.0-1.rhel9.aarch64.rpm PGDG · 3.0.0 · 25.0KiB
el10.x86_64	PGDG 4.2.0 el10.x86_64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel10.x86_64.rpm PGDG · 4.2.0 · 27.0KiB	PGDG 4.1.0 el10.x86_64.pg17 : set_user_17 set_user_17-4.1.0-2PGDG.rhel10.x86_64.rpm PGDG · 4.1.0 · 26.8KiB	PGDG 4.1.0 el10.x86_64.pg16 : set_user_16 set_user_16-4.1.0-2PGDG.rhel10.x86_64.rpm PGDG · 4.1.0 · 26.8KiB	PGDG 4.1.0 el10.x86_64.pg15 : set_user_15 set_user_15-4.1.0-2PGDG.rhel10.x86_64.rpm PGDG · 4.1.0 · 26.7KiB	PGDG 4.1.0 el10.x86_64.pg14 : set_user_14 set_user_14-4.1.0-2PGDG.rhel10.x86_64.rpm PGDG · 4.1.0 · 26.7KiB
el10.aarch64	PGDG 4.2.0 el10.aarch64.pg18 : set_user_18 set_user_18-4.2.0-1PGDG.rhel10.aarch64.rpm PGDG · 4.2.0 · 26.5KiB	PGDG 4.1.0 el10.aarch64.pg17 : set_user_17 set_user_17-4.1.0-2PGDG.rhel10.aarch64.rpm PGDG · 4.1.0 · 26.4KiB	PGDG 4.1.0 el10.aarch64.pg16 : set_user_16 set_user_16-4.1.0-2PGDG.rhel10.aarch64.rpm PGDG · 4.1.0 · 26.4KiB	PGDG 4.1.0 el10.aarch64.pg15 : set_user_15 set_user_15-4.1.0-2PGDG.rhel10.aarch64.rpm PGDG · 4.1.0 · 26.3KiB	PGDG 4.1.0 el10.aarch64.pg14 : set_user_14 set_user_14-4.1.0-2PGDG.rhel10.aarch64.rpm PGDG · 4.1.0 · 26.3KiB
d12.x86_64	PGDG 4.2.0 d12.x86_64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg12+1_amd64.deb PGDG · 4.2.0 · 35.1KiB	PGDG 4.2.0 d12.x86_64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg12+1_amd64.deb PGDG · 4.2.0 · 35.0KiB	PGDG 4.2.0 d12.x86_64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg12+1_amd64.deb PGDG · 4.2.0 · 35.0KiB	PGDG 4.2.0 d12.x86_64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg12+1_amd64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 d12.x86_64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg12+1_amd64.deb PGDG · 4.2.0 · 34.7KiB
d12.aarch64	PGDG 4.2.0 d12.aarch64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg12+1_arm64.deb PGDG · 4.2.0 · 34.7KiB	PGDG 4.2.0 d12.aarch64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg12+1_arm64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 d12.aarch64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg12+1_arm64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 d12.aarch64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg12+1_arm64.deb PGDG · 4.2.0 · 34.2KiB	PGDG 4.2.0 d12.aarch64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg12+1_arm64.deb PGDG · 4.2.0 · 34.2KiB
d13.x86_64	PGDG 4.2.0 d13.x86_64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg13+1_amd64.deb PGDG · 4.2.0 · 35.1KiB	PGDG 4.2.0 d13.x86_64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg13+1_amd64.deb PGDG · 4.2.0 · 35.0KiB	PGDG 4.2.0 d13.x86_64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg13+1_amd64.deb PGDG · 4.2.0 · 35.0KiB	PGDG 4.2.0 d13.x86_64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg13+1_amd64.deb PGDG · 4.2.0 · 34.7KiB	PGDG 4.2.0 d13.x86_64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg13+1_amd64.deb PGDG · 4.2.0 · 34.7KiB
d13.aarch64	PGDG 4.2.0 d13.aarch64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg13+1_arm64.deb PGDG · 4.2.0 · 34.8KiB	PGDG 4.2.0 d13.aarch64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg13+1_arm64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 d13.aarch64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg13+1_arm64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 d13.aarch64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg13+1_arm64.deb PGDG · 4.2.0 · 34.3KiB	PGDG 4.2.0 d13.aarch64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg13+1_arm64.deb PGDG · 4.2.0 · 34.2KiB
u22.x86_64	PGDG 4.2.0 u22.x86_64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg22.04+1_amd64.deb PGDG · 4.2.0 · 35.1KiB	PGDG 4.2.0 u22.x86_64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg22.04+1_amd64.deb PGDG · 4.2.0 · 39.0KiB	PGDG 4.2.0 u22.x86_64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg22.04+1_amd64.deb PGDG · 4.2.0 · 38.5KiB	PGDG 4.2.0 u22.x86_64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg22.04+1_amd64.deb PGDG · 4.2.0 · 38.2KiB	PGDG 4.2.0 u22.x86_64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg22.04+1_amd64.deb PGDG · 4.2.0 · 38.1KiB
u22.aarch64	PGDG 4.2.0 u22.aarch64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg22.04+1_arm64.deb PGDG · 4.2.0 · 34.7KiB	PGDG 4.2.0 u22.aarch64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg22.04+1_arm64.deb PGDG · 4.2.0 · 38.6KiB	PGDG 4.2.0 u22.aarch64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg22.04+1_arm64.deb PGDG · 4.2.0 · 38.1KiB	PGDG 4.2.0 u22.aarch64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg22.04+1_arm64.deb PGDG · 4.2.0 · 37.8KiB	PGDG 4.2.0 u22.aarch64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg22.04+1_arm64.deb PGDG · 4.2.0 · 37.8KiB
u24.x86_64	PGDG 4.2.0 u24.x86_64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg24.04+1_amd64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 u24.x86_64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg24.04+1_amd64.deb PGDG · 4.2.0 · 34.6KiB	PGDG 4.2.0 u24.x86_64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg24.04+1_amd64.deb PGDG · 4.2.0 · 34.5KiB	PGDG 4.2.0 u24.x86_64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg24.04+1_amd64.deb PGDG · 4.2.0 · 34.2KiB	PGDG 4.2.0 u24.x86_64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg24.04+1_amd64.deb PGDG · 4.2.0 · 34.2KiB
u24.aarch64	PGDG 4.2.0 u24.aarch64.pg18 : postgresql-18-set-user postgresql-18-set-user_4.2.0-1.pgdg24.04+1_arm64.deb PGDG · 4.2.0 · 34.1KiB	PGDG 4.2.0 u24.aarch64.pg17 : postgresql-17-set-user postgresql-17-set-user_4.2.0-1.pgdg24.04+1_arm64.deb PGDG · 4.2.0 · 34.1KiB	PGDG 4.2.0 u24.aarch64.pg16 : postgresql-16-set-user postgresql-16-set-user_4.2.0-1.pgdg24.04+1_arm64.deb PGDG · 4.2.0 · 34.0KiB	PGDG 4.2.0 u24.aarch64.pg15 : postgresql-15-set-user postgresql-15-set-user_4.2.0-1.pgdg24.04+1_arm64.deb PGDG · 4.2.0 · 33.7KiB	PGDG 4.2.0 u24.aarch64.pg14 : postgresql-14-set-user postgresql-14-set-user_4.2.0-1.pgdg24.04+1_arm64.deb PGDG · 4.2.0 · 33.7KiB

Install

You can install set_user directly. First, make sure the PGDG repository is added and enabled:

pig repo add pgdg -u          # Add PGDG repo and update cache

Install the extension using pig or apt/yum/dnf:

pig install set_user;          # Install for current active PG version

pig ext install -y set_user -v 18  # PG 18
pig ext install -y set_user -v 17  # PG 17
pig ext install -y set_user -v 16  # PG 16
pig ext install -y set_user -v 15  # PG 15
pig ext install -y set_user -v 14  # PG 14

dnf install -y set_user_18       # PG 18
dnf install -y set_user_17       # PG 17
dnf install -y set_user_16       # PG 16
dnf install -y set_user_15       # PG 15
dnf install -y set_user_14       # PG 14

apt install -y postgresql-18-set-user   # PG 18
apt install -y postgresql-17-set-user   # PG 17
apt install -y postgresql-16-set-user   # PG 16
apt install -y postgresql-15-set-user   # PG 15
apt install -y postgresql-14-set-user   # PG 14

Create Extension:

CREATE EXTENSION set_user;

Usage

set_user: User switching with enhanced logging and control

set_user allows switching users and optional privilege escalation with enhanced audit logging. It provides an additional layer of control when unprivileged users must escalate to superuser or object owner roles for maintenance tasks.

CREATE EXTENSION set_user;

Configuration

Add to postgresql.conf:

shared_preload_libraries = 'set_user'

Parameter	Default	Description
`set_user.block_alter_system`	`on`	Block ALTER SYSTEM when escalated
`set_user.block_copy_program`	`on`	Block COPY PROGRAM when escalated
`set_user.block_log_statement`	`on`	Block SET log_statement; force `log_statement=all` for superusers
`set_user.superuser_allowlist`	`*`	Roles allowed to escalate to superuser
`set_user.nosuperuser_target_allowlist`	`*`	Roles allowed as non-superuser targets
`set_user.superuser_audit_tag`	`AUDIT`	Tag appended to log_line_prefix on escalation

Functions

-- Switch to a non-superuser role
SELECT set_user('dbclient');

-- Escalate to superuser (requires EXECUTE on set_user_u)
SELECT set_user_u('postgres');

-- Switch with a token (token required for reset)
SELECT set_user('dbclient', 'my_secret_token');

-- Reset back to original user
SELECT reset_user();
SELECT reset_user('my_secret_token');  -- if token was used

-- Irrevocable session auth switch
SELECT set_session_auth('target_role');

Permission Setup

-- Allow role to switch to non-superuser roles
GRANT EXECUTE ON FUNCTION set_user(text) TO admin;

-- Allow role to escalate to superuser
GRANT EXECUTE ON FUNCTION set_user_u(text) TO dba;

Behavior on Escalation

When escalating to a superuser role:

The role transition is logged with a specific notation
ALTER SYSTEM and COPY PROGRAM are blocked (if configured)
log_statement is forced to all for full audit trail
The AUDIT tag is appended to log_line_prefix

Feedback

Was this page helpful?

Thanks for the feedback! Please let us know how we can improve.

Sorry to hear that. Please let us know how we can improve.

Last Modified 2026-03-12: add pg extension catalog (95749bf)