PSEUDOSUPERUSER Role

The special PSEUDOSUPERUSER role is automatically created in each database. A superuser (or someone with the PSEUDOSUPERUSER role) can perform grant and revoke on this role. The PSEUDOSUPERUSER cannot revoke or change any superuser privileges.

Users with the PSEUDOSUPERUSER role are entitled to complete administrative privileges, including the ability to:

• Create schemas
• Create and grant privileges to roles
• Bypass all GRANT/REVOKE authorization
• Set user account's passwords
• Lock and unlock user accounts
• Create or drop a UDF library
• Create or drop a UDF function
• Create or drop an external procedure
• Add or edit comments on nodes
• Create or drop password profiles

You cannot revoke any of these privileges from a PSEUDOSUPERUSER.

You can assign additional privileges to the PSEUDOSUPERUSER role, but you cannot assign any additional roles; for example, the following is not allowed:

=> CREATE ROLE appviewer;
CREATE ROLE
=> GRANT appviewer TO pseudosuperuser;
ROLLBACK 2347:  Cannot alter predefined role "pseudosuperuser"