The catalog pg_authid contains information about database authorization identifiers (roles). A role subsumes the concepts of "users" and "groups". A user is essentially just a role with the rolcanlogin flag set. Any role (with or without rolcanlogin) can have other roles as members; see pg_auth_members.
Since this catalog contains passwords, it must not be publicly readable. pg_roles is a publicly readable view on pg_authid that blanks out the password field.
Chapter 20 contains detailed information about user and privilege management.
Because user identities are cluster-wide, pg_authid is shared across all databases of a cluster: there is only one copy of pg_authid per cluster, not one per database.
Table 44-8. pg_authid Columns
|rolsuper||bool||Role has superuser privileges|
|rolinherit||bool||Role automatically inherits privileges of roles it is a member of|
|rolcreaterole||bool||Role can create more roles|
|rolcreatedb||bool||Role can create databases|
|rolcatupdate||bool||Role can update system catalogs directly. (Even a superuser cannot do this unless this column is true)|
|rolcanlogin||bool||Role can log in. That is, this role can be given as the initial session authorization identifier|
|rolconnlimit||int4||For roles that can log in, this sets maximum number of concurrent connections this role can make. -1 means no limit|
|rolpassword||text||Password (possibly encrypted); NULL if none|
|rolvaliduntil||timestamptz||Password expiry time (only used for password authentication); NULL if no expiration|
|rolconfig||text||Session defaults for run-time configuration variables|