Skip to main content
Glama
deenesjakoruzh
HenkDz

PostgreSQL MCP Server

by HenkDz
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

pg_manage_users

Create, modify, or remove PostgreSQL database users and manage their permissions on tables, schemas, and other database objects.

Instructions

Manage PostgreSQL users and permissions - create, drop, alter users, grant/revoke permissions. Examples: operation="create" with username="testuser", operation="grant" with username, permissions, target, targetType

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
connectionStringNoPostgreSQL connection string (optional)
operationYesOperation: create (new user), drop (remove user), alter (modify user), grant (permissions), revoke (permissions), get_permissions (view permissions), list (all users)
usernameNoUsername (required for create/drop/alter/grant/revoke/get_permissions, optional filter for list)
passwordNoPassword for the user (for create operation)
superuserNoGrant superuser privileges (for create/alter operations)
createdbNoAllow user to create databases (for create/alter operations)
createroleNoAllow user to create roles (for create/alter operations)
loginNoAllow user to login (for create/alter operations)
replicationNoAllow replication privileges (for create/alter operations)
connectionLimitNoMaximum number of connections (for create/alter operations)
validUntilNoPassword expiration date YYYY-MM-DD (for create/alter operations)
inheritNoInherit privileges from parent roles (for create/alter operations)
ifExistsNoInclude IF EXISTS clause (for drop operation)
cascadeNoInclude CASCADE to drop owned objects (for drop/revoke operations)
permissionsNoPermissions to grant/revoke: ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "ALL"]
targetNoTarget object name (for grant/revoke operations)
targetTypeNoType of target object (for grant/revoke operations)
withGrantOptionNoAllow user to grant these permissions to others (for grant operation)
schemaNoFilter by schema (for get_permissions operation)
includeSystemRolesNoInclude system roles (for list operation)

Implementation Reference

  • src/tools/users.ts:586-804 (handler)
    Primary handler implementation for the pg_manage_users tool. Defines the tool object with name, description, input schema, and execute function that routes to specific user management operations (create, drop, alter, grant, revoke permissions, list users).
    export const manageUsersTool: PostgresTool = {
  name: 'pg_manage_users',
  description: 'Manage PostgreSQL users and permissions - create, drop, alter users, grant/revoke permissions. Examples: operation="create" with username="testuser", operation="grant" with username, permissions, target, targetType',
  inputSchema: z.object({
    connectionString: z.string().optional().describe('PostgreSQL connection string (optional)'),
    operation: z.enum(['create', 'drop', 'alter', 'grant', 'revoke', 'get_permissions', 'list']).describe('Operation: create (new user), drop (remove user), alter (modify user), grant (permissions), revoke (permissions), get_permissions (view permissions), list (all users)'),
    
    // Common parameters
    username: z.string().optional().describe('Username (required for create/drop/alter/grant/revoke/get_permissions, optional filter for list)'),
    
    // Create user parameters
    password: z.string().optional().describe('Password for the user (for create operation)'),
    superuser: z.boolean().optional().describe('Grant superuser privileges (for create/alter operations)'),
    createdb: z.boolean().optional().describe('Allow user to create databases (for create/alter operations)'),
    createrole: z.boolean().optional().describe('Allow user to create roles (for create/alter operations)'),
    login: z.boolean().optional().describe('Allow user to login (for create/alter operations)'),
    replication: z.boolean().optional().describe('Allow replication privileges (for create/alter operations)'),
    connectionLimit: z.number().optional().describe('Maximum number of connections (for create/alter operations)'),
    validUntil: z.string().optional().describe('Password expiration date YYYY-MM-DD (for create/alter operations)'),
    inherit: z.boolean().optional().describe('Inherit privileges from parent roles (for create/alter operations)'),
    
    // Drop user parameters
    ifExists: z.boolean().optional().describe('Include IF EXISTS clause (for drop operation)'),
    cascade: z.boolean().optional().describe('Include CASCADE to drop owned objects (for drop/revoke operations)'),
    
    // Permission parameters  
    permissions: z.array(z.enum(['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL'])).optional().describe('Permissions to grant/revoke: ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "ALL"]'),
    target: z.string().optional().describe('Target object name (for grant/revoke operations)'),
    targetType: z.enum(['table', 'schema', 'database', 'sequence', 'function']).optional().describe('Type of target object (for grant/revoke operations)'),
    withGrantOption: z.boolean().optional().describe('Allow user to grant these permissions to others (for grant operation)'),
    
    // Get permissions parameters
    schema: z.string().optional().describe('Filter by schema (for get_permissions operation)'),
    
    // List users parameters
    includeSystemRoles: z.boolean().optional().describe('Include system roles (for list operation)')
  }),
  // biome-ignore lint/suspicious/noExplicitAny: <explanation>
  execute: async (args: any, getConnectionStringVal: GetConnectionStringFn): Promise<ToolOutput> => {
    const { 
      connectionString: connStringArg,
      operation,
      username,
      password,
      superuser,
      createdb,
      createrole,
      login,
      replication,
      connectionLimit,
      validUntil,
      inherit,
      ifExists,
      cascade,
      permissions,
      target,
      targetType,
      withGrantOption,
      schema,
      includeSystemRoles
    } = args as {
      connectionString?: string;
      operation: 'create' | 'drop' | 'alter' | 'grant' | 'revoke' | 'get_permissions' | 'list';
      username?: string;
      password?: string;
      superuser?: boolean;
      createdb?: boolean;
      createrole?: boolean;
      login?: boolean;
      replication?: boolean;
      connectionLimit?: number;
      validUntil?: string;
      inherit?: boolean;
      ifExists?: boolean;
      cascade?: boolean;
      permissions?: string[];
      target?: string;
      targetType?: 'table' | 'schema' | 'database' | 'sequence' | 'function';
      withGrantOption?: boolean;
      schema?: string;
      includeSystemRoles?: boolean;
    };

    try {
      switch (operation) {
        case 'create': {
          if (!username) {
            return { 
              content: [{ type: 'text', text: 'Error: username is required for create operation' }], 
              isError: true 
            };
          }
          const result = await executeCreateUser({
            connectionString: connStringArg,
            username,
            password,
            superuser: superuser ?? false,
            createdb: createdb ?? false,
            createrole: createrole ?? false,
            login: login ?? true,
            replication: replication ?? false,
            connectionLimit,
            validUntil,
            inherit: inherit ?? true
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: `User ${result.username} created successfully. Details: ${JSON.stringify(result)}` }] };
        }

        case 'drop': {
          if (!username) {
            return { 
              content: [{ type: 'text', text: 'Error: username is required for drop operation' }], 
              isError: true 
            };
          }
          const result = await executeDropUser({
            connectionString: connStringArg,
            username,
            ifExists: ifExists ?? true,
            cascade: cascade ?? false
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: `User ${result.username} dropped successfully. Details: ${JSON.stringify(result)}` }] };
        }

        case 'alter': {
          if (!username) {
            return { 
              content: [{ type: 'text', text: 'Error: username is required for alter operation' }], 
              isError: true 
            };
          }
          const result = await executeAlterUser({
            connectionString: connStringArg,
            username,
            password,
            superuser,
            createdb,
            createrole,
            login,
            replication,
            connectionLimit,
            validUntil,
            inherit
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: `User ${result.username} altered successfully. Changes: ${result.changes.join(', ')}. Details: ${JSON.stringify(result)}` }] };
        }

        case 'grant': {
          if (!username || !permissions || !target || !targetType) {
            return { 
              content: [{ type: 'text', text: 'Error: username, permissions, target, and targetType are required for grant operation' }], 
              isError: true 
            };
          }
          const result = await executeGrantPermissions({
            connectionString: connStringArg,
            username,
            permissions: permissions as ('SELECT' | 'INSERT' | 'UPDATE' | 'DELETE' | 'TRUNCATE' | 'REFERENCES' | 'TRIGGER' | 'ALL')[],
            target,
            targetType,
            withGrantOption: withGrantOption ?? false,
            schema: schema ?? 'public'
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: `Permissions granted to ${result.username} on ${result.target}. Details: ${JSON.stringify(result)}` }] };
        }

        case 'revoke': {
          if (!username || !permissions || !target || !targetType) {
            return { 
              content: [{ type: 'text', text: 'Error: username, permissions, target, and targetType are required for revoke operation' }], 
              isError: true 
            };
          }
          const result = await executeRevokePermissions({
            connectionString: connStringArg,
            username,
            permissions: permissions as ('SELECT' | 'INSERT' | 'UPDATE' | 'DELETE' | 'TRUNCATE' | 'REFERENCES' | 'TRIGGER' | 'ALL')[],
            target,
            targetType,
            cascade: cascade ?? false,
            schema: schema ?? 'public'
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: `Permissions revoked from ${result.username} on ${result.target}. Details: ${JSON.stringify(result)}` }] };
        }

        case 'get_permissions': {
          const result = await executeGetUserPermissions({
            connectionString: connStringArg,
            username,
            schema,
            targetType
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
        }

        case 'list': {
          const result = await executeListUsers({
            connectionString: connStringArg,
            includeSystemRoles: includeSystemRoles ?? false
          }, getConnectionStringVal);
          return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
        }

        default:
          return { 
            content: [{ type: 'text', text: `Error: Unknown operation "${operation}". Supported operations: create, drop, alter, grant, revoke, get_permissions, list` }], 
            isError: true 
          };
      }

    } catch (error) {
      const errorMessage = error instanceof McpError ? error.message : (error instanceof Error ? error.message : String(error));
      return { 
        content: [{ type: 'text', text: `Error executing ${operation} operation: ${errorMessage}` }], 
        isError: true 
      };
    }
  }
};
  • src/tools/users.ts:589-622 (schema)
    Zod input schema defining parameters for pg_manage_users tool, including operation type and all user management options.
    inputSchema: z.object({
  connectionString: z.string().optional().describe('PostgreSQL connection string (optional)'),
  operation: z.enum(['create', 'drop', 'alter', 'grant', 'revoke', 'get_permissions', 'list']).describe('Operation: create (new user), drop (remove user), alter (modify user), grant (permissions), revoke (permissions), get_permissions (view permissions), list (all users)'),
  
  // Common parameters
  username: z.string().optional().describe('Username (required for create/drop/alter/grant/revoke/get_permissions, optional filter for list)'),
  
  // Create user parameters
  password: z.string().optional().describe('Password for the user (for create operation)'),
  superuser: z.boolean().optional().describe('Grant superuser privileges (for create/alter operations)'),
  createdb: z.boolean().optional().describe('Allow user to create databases (for create/alter operations)'),
  createrole: z.boolean().optional().describe('Allow user to create roles (for create/alter operations)'),
  login: z.boolean().optional().describe('Allow user to login (for create/alter operations)'),
  replication: z.boolean().optional().describe('Allow replication privileges (for create/alter operations)'),
  connectionLimit: z.number().optional().describe('Maximum number of connections (for create/alter operations)'),
  validUntil: z.string().optional().describe('Password expiration date YYYY-MM-DD (for create/alter operations)'),
  inherit: z.boolean().optional().describe('Inherit privileges from parent roles (for create/alter operations)'),
  
  // Drop user parameters
  ifExists: z.boolean().optional().describe('Include IF EXISTS clause (for drop operation)'),
  cascade: z.boolean().optional().describe('Include CASCADE to drop owned objects (for drop/revoke operations)'),
  
  // Permission parameters  
  permissions: z.array(z.enum(['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL'])).optional().describe('Permissions to grant/revoke: ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "ALL"]'),
  target: z.string().optional().describe('Target object name (for grant/revoke operations)'),
  targetType: z.enum(['table', 'schema', 'database', 'sequence', 'function']).optional().describe('Type of target object (for grant/revoke operations)'),
  withGrantOption: z.boolean().optional().describe('Allow user to grant these permissions to others (for grant operation)'),
  
  // Get permissions parameters
  schema: z.string().optional().describe('Filter by schema (for get_permissions operation)'),
  
  // List users parameters
  includeSystemRoles: z.boolean().optional().describe('Include system roles (for list operation)')
}),
  • src/index.ts:225-257 (registration)
    Registration of manageUsersTool (pg_manage_users) in the central allTools array used to initialize the MCP server's available tools list.
    const allTools: PostgresTool[] = [
  // Core Analysis & Debugging
  analyzeDatabaseTool,
  debugDatabaseTool,
  
  // Schema & Structure Management (Meta-Tools)
  manageSchemaTools,
  manageFunctionsTool,
  manageTriggersTools,
  manageIndexesTool,
  manageConstraintsTool,
  manageRLSTool,
  
  // User & Security Management
  manageUsersTool,
  
  // Query & Performance Management
  manageQueryTool,
  
  // Data Operations (Enhancement Tools)
  executeQueryTool,
  executeMutationTool,
  executeSqlTool,
  
  // Documentation & Metadata
  manageCommentsTool,
  
  // Data Migration & Monitoring
  exportTableDataTool,
  importTableDataTool,
  copyBetweenDatabasesTool,
  monitorDatabaseTool
];
  • src/index.ts:28-28 (registration)
    Import of the manageUsersTool from users.ts for registration in the MCP server.
    import { manageUsersTool } from './tools/users.js';
  • src/tools/users.ts:45-89 (helper)
    Helper function for creating a new PostgreSQL user, called by the main handler for 'create' operation.
    async function executeCreateUser(
  input: CreateUserInput,
  getConnectionString: GetConnectionStringFn
): Promise<{ username: string; created: true }> {
  const resolvedConnectionString = getConnectionString(input.connectionString);
  const db = DatabaseConnection.getInstance();
  const { 
    username, 
    password, 
    superuser, 
    createdb, 
    createrole, 
    login, 
    replication, 
    connectionLimit, 
    validUntil,
    inherit 
  } = input;

  try {
    await db.connect(resolvedConnectionString);
    
    const options = [];
    
    if (password) options.push(`PASSWORD '${password.replace(/'/g, "''")}'`);
    if (superuser) options.push('SUPERUSER');
    if (createdb) options.push('CREATEDB');
    if (createrole) options.push('CREATEROLE');
    if (login) options.push('LOGIN');
    if (replication) options.push('REPLICATION');
    if (!inherit) options.push('NOINHERIT');
    if (connectionLimit !== undefined) options.push(`CONNECTION LIMIT ${connectionLimit}`);
    if (validUntil) options.push(`VALID UNTIL '${validUntil}'`);
    
    const createUserSQL = `CREATE USER "${username}"${options.length > 0 ? ` ${options.join(' ')}` : ''}`;
    
    await db.query(createUserSQL);
    
    return { username, created: true };
  } catch (error) {
    throw new McpError(ErrorCode.InternalError, `Failed to create user: ${error instanceof Error ? error.message : String(error)}`);
  } finally {
    await db.disconnect();
  }
}

Tool Definition Quality

B3.3/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure but offers minimal information. It mentions operations like 'create' and 'drop' which imply mutations, but doesn't clarify critical behaviors such as authentication requirements, whether operations are reversible, potential side effects (e.g., cascade deletions), or error handling. For a complex tool with 20 parameters and no annotations, this is a significant gap.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately sized and front-loaded, starting with the core purpose and immediately providing concrete examples. The two sentences are efficient with zero waste, though it could be slightly more structured by separating purpose from examples. Every sentence earns its place by clarifying the tool's scope.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's high complexity (20 parameters, multiple operations including destructive ones like 'drop'), lack of annotations, and no output schema, the description is incomplete. It doesn't address behavioral aspects like safety warnings, permission requirements, or expected return formats. For a multi-operation tool with potential destructive actions, more contextual guidance is needed.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents all 20 parameters thoroughly. The description adds marginal value by listing example operations ('create', 'grant') and mentioning a few parameters (username, permissions, target, targetType) in examples, but doesn't provide additional semantic context beyond what's in the schema. This meets the baseline for high schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with specific verbs ('manage', 'create', 'drop', 'alter', 'grant/revoke') and resources ('PostgreSQL users and permissions'). It distinguishes itself from sibling tools like pg_execute_query or pg_manage_schema by focusing exclusively on user management operations rather than general queries or schema objects.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides implied usage through examples ('operation="create" with username="testuser"'), but lacks explicit guidance on when to use this tool versus alternatives. It doesn't mention prerequisites (e.g., database connection requirements) or compare with sibling tools like pg_manage_query for permission-related queries, leaving the agent to infer appropriate contexts.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/HenkDz/postgresql-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server