Skip to main content

PostgreSQL

Description

The PostgreSQL connector scans a PostgreSQL instance via JDBC (pgjdbc) to discover all database roles, their privilege attributes, and role membership hierarchy. In PostgreSQL, both users and groups are represented as roles — login roles are treated as user accounts, and non-login roles are treated as groups.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

PostgreSQL scanning requires a Pro or Enterprise licence.

Supported Protocol

ProtocolPortNotes
JDBC / PostgreSQL Protocol (TCP)5432 TCPDefault; configurable per instance

What OrbisID Discovers

DataSource
All roles (users and groups)pg_catalog.pg_roles
Role attributes (superuser, createdb, etc.)pg_catalog.pg_roles
Role membershipspg_catalog.pg_auth_members
Login capabilityrolcanlogin — determines user vs group
Account expiryrolvaliduntil

Privileged Role Detection

Non-login (group) roles are flagged as privileged when any of the following attributes are set. Login roles (accounts) that hold these attributes directly — rather than inheriting them from a group role — are additionally discovered as their own privileged Entitlements of type PG_ROLE_ATTRIBUTE, so an account like the default postgres superuser is correctly reported as privileged even though it isn't a member of any group role:

AttributeEntitlement nameMeaning
rolsuperSUPERUSERSuperuser — bypasses all permission checks
rolcreateroleCREATEROLECan create, alter, and drop other roles
rolreplicationREPLICATIONCan initiate replication
rolbypassrlsBYPASSRLSBypasses row-level security policies

Connection Requirements

Credential Requirements

Recommended: Create a dedicated PostgreSQL role for OrbisID with read access to the system catalogue:

-- Create the scanning role
CREATE ROLE orbisid_scanner WITH LOGIN PASSWORD '<strong-password>';

-- Grant access to system catalogue views
-- pg_roles and pg_auth_members are readable by any role with LOGIN by default.
-- No additional grants are required for basic discovery.

The default PostgreSQL permissions allow any authenticated role to read pg_catalog.pg_roles and pg_catalog.pg_auth_members. No superuser privileges are required for discovery.

Credential Mapping

OrbisID FieldPostgreSQL Value
credential.usernamePostgreSQL role name
credential.passwordPostgreSQL password

System Attributes

AttributeRequiredDefaultDescription
pgDatabaseNopostgresDatabase to connect to. Role discovery reads from pg_catalog, which is accessible from any database.
pgSslModeNopreferSSL mode for the JDBC connection. Values: disable, allow, prefer, require, verify-ca, verify-full.

Network Requirements

RequirementDetail
TCP port 5432Must be accessible from the OrbisID server (or On-Premise Agent)
pg_hba.confMust allow the scanning user to connect from the OrbisID server IP using password authentication (md5 or scram-sha-256)

Configuration Steps

  1. Create the orbisid_scanner role in PostgreSQL
  2. Edit pg_hba.conf to allow the scanning role to connect from the OrbisID server:
    host    postgres    orbisid_scanner    <orbisid-ip>/32    scram-sha-256
  3. Run SELECT pg_reload_conf(); or restart PostgreSQL to apply the pg_hba.conf change
  4. Create a Credential in OrbisID:
    • Username: orbisid_scanner
    • Password: The scanning role's password
  5. Navigate to Systems → Add System
  6. Fill in the fields:
FieldValue
NameDescriptive name (e.g., PostgreSQL – prod-db01)
Hostname / IPPostgreSQL host
Port5432 (or custom port)
OS TypePostgreSQL
System TypeInfrastructure
CredentialThe scanning credential
  1. Optionally, in the Connection Attributes section, set Database Name (pgDatabase) and SSL Mode (pgSslMode)
  2. Click Test Connection to verify connectivity and authentication
  3. Click Save
SSL in Production

Use pgSslMode=require or pgSslMode=verify-full in production to encrypt credentials in transit. This requires PostgreSQL to be configured with an SSL certificate.

RDS / Aurora PostgreSQL

For Amazon RDS or Aurora PostgreSQL, set pgSslMode=require and ensure the OrbisID server (or agent) can reach the RDS endpoint on port 5432. The scanning role needs no special RDS permissions beyond standard PostgreSQL catalogue access.

Troubleshooting

SymptomLikely CauseResolution
password authentication failedWrong password or usernameVerify the credential; check the role name matches exactly (case-sensitive)
Connection refusedPort blocked or PostgreSQL not listening on the expected addressCheck listen_addresses in postgresql.conf; verify port 5432 is open
pg_hba.conf: no entryClient IP not allowed in pg_hba.confAdd an entry permitting the OrbisID server IP for the scanning role
database "X" does not existWrong database in pgDatabase attributeSet pgDatabase to an existing database (e.g., postgres)
SSL errorSSL not enabled on the serverSet pgSslMode=disable for testing; enable SSL on PostgreSQL for production
Roles discovered but no membershipsRoles have no membershipsThis is expected if no GRANT role TO role statements have been executed
A superuser login role (e.g. postgres) isn't flagged privilegedFixed in this connector — earlier versions only flagged privilege on group roles, discarding the same computed flag for login rolesUpgrade to the current connector version, which discovers SUPERUSER/CREATEROLE/REPLICATION/BYPASSRLS as privileged entitlements on the login role itself