permission denied to create role — SQLSTATE 42501 | PostgreSQL Error Reference | The Sev-1 Database

Error reference: 578 indexed

GUC reference: 88 parameters

Cookbook: 224 recipes

Ask anything about database operations, errors, or optimization.

Browse error reference Config parameters (GUCs) Glossary Open runbook cookbook Learning pathways

SQLSTATE 42501 ERROR Class 42: Syntax Error or Access Rule Violation

`insufficient_privilege` permission denied to create role — 42501

PostgreSQL error "permission denied to create role" (SQLSTATE 42501): what it means, common causes, and how to fix it.

PG 12, 13, 14, 15, 16, 17, 18 Official docs

Last reviewed May 2025 Grounded in source

Diagnostic Queries

Symptoms

A role attempted CREATE ROLE/CREATE USER without the CREATEROLE privilege. PostgreSQL raises SQLSTATE 42501 (insufficient_privilege).

The role lacks CREATEROLE (and is not a superuser).
Common for least-privilege application roles.
Role administration is a privileged operation.

What the server log shows

ERROR:  permission denied to create role

Why PostgreSQL raises this — what the manual says

Section 21.2 Role Attributes:

“A role must be explicitly given permission to create more roles (except for superusers, since those bypass all permission checks).”

Creating roles requires the CREATEROLE attribute or superuser status. Without it, PostgreSQL blocks the command with 42501.

Common causes

The current role does not have CREATEROLE.
Provisioning users from a least-privilege account.
Expecting superuser behaviour from an ordinary role.

How to fix it

Grant the attribute: ALTER ROLE admin CREATEROLE; (by a superuser).
Run role management as a role with CREATEROLE or superuser.
Delegate role creation to an appropriate admin account.

Related & next steps

Reference: PostgreSQL 18 Section 22.2 “Role Attributes”.

Was this helpful?