role “…” is not permitted to log in

SQLSTATE 28000 condition invalid_authorization_specification class 28 — Invalid Authorization Specification severity FATAL

Reproduced & verified on PostgreSQL 14.23, 15.18, 16.14, 17.10 and 18.4 — identical message on every version.

Last reviewed 11 Jun 2026 · Reproduced live with the SQL on this page.

Symptoms

A login attempt used a role that lacks the LOGIN attribute. PostgreSQL raises SQLSTATE 28000 (invalid_authorization_specification).

The role exists but has NOLOGIN.
Common with group roles used as login roles.
Only LOGIN roles can start sessions.

What the server log shows

FATAL:  role "readers" is not permitted to log in

Why PostgreSQL raises this — what the manual says

Section 21.2 Role Attributes:

“Only roles that have the LOGIN attribute can be used as the initial role name for a database connection.”

PostgreSQL distinguishes login roles (users) from group roles. A role without the LOGIN attribute cannot begin a session, so connecting as one is rejected with 28000.

Common causes

Connecting as a group role created with NOLOGIN.
A role’s LOGIN attribute was removed.
Confusing a group role with a user role.

How to fix it

Grant login: ALTER ROLE readers LOGIN; if it should be a user.
Connect as an actual login role that is a member of the group.
Keep group roles NOLOGIN and use separate login users.

Related & next steps

Reference: PostgreSQL 18 Section 22.2 “Role Attributes”.