insufficient_privilege role “…” is not permitted to log in — 42501

Symptoms

A client tried to connect as a role that lacks the LOGIN attribute (a group role, not a login role). PostgreSQL refuses with SQLSTATE 42501 (insufficient_privilege).

• The role exists but cannot be used to connect.
• Typical when connecting as a group/NOLOGIN role.
• Distinct from a wrong password or missing pg_hba entry.

What the server log shows

FATAL:  role "analysts" is not permitted to log in

Why PostgreSQL raises this — what the manual says

Section 21.2 Role Attributes:

“Only roles that have the LOGIN attribute can be used as the initial role name for a database connection.”

PostgreSQL roles serve as both users and groups. Only roles with the LOGIN attribute may begin a session; connecting as a NOLOGIN role is rejected with 42501.

Common causes

• Connecting as a group/NOLOGIN role.
• A login role was altered to NOLOGIN.
• Confusing a membership role with the actual login user.

How to fix it

1. Connect as a role that has LOGIN, then SET ROLE to the group if needed.
2. Grant login: ALTER ROLE analysts LOGIN; (only if it should be a login role).
3. Check the attribute: SELECT rolcanlogin FROM pg_roles WHERE rolname='analysts';.

Related & next steps

• SQLSTATE 42501 — Insufficient Privilege (full reference)
• Message: role does not exist
• Glossary: Role

Reference: PostgreSQL 18 Section 22.2 “Role Attributes”.