Create roles with CREATE ROLE and grant specific permissions with GRANT. Each app should have its own role with only the permissions it needs. Use pg_hba.conf to control how clients authenticate to the database.
Access Control
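-- Group role that carries the read-only privileges
CREATE ROLE readonly;
GRANT CONNECT ON DATABASE shop TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
-- Applies to tables that exist now; tables created later need their own grant
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
-- Login user that receives the privileges through role membership
CREATE USER alice WITH PASSWORD 'secret';
GRANT readonly TO alice;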
-- Remove access
REVOKE SELECT ON users FROM readonly;
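
The per-app role advice above, carried through as an added example (not part of the original page): a write-capable application role next to the page's readonly role, followed by a check of the loaded pg_hba.conf rules. The names shop_app_rw, shop_app and the orders table are hypothetical, and the password is a placeholder.

```sql
-- Added example. Assumes database "shop" with tables "orders" and "users"
-- in schema public; shop_app_rw, shop_app and orders are hypothetical names.

-- Drop the defaults every role inherits through PUBLIC, so access has to be
-- granted explicitly per role.
REVOKE ALL ON DATABASE shop FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Group role that holds the privileges; NOLOGIN so nobody connects as it.
CREATE ROLE shop_app_rw NOLOGIN;
GRANT CONNECT ON DATABASE shop TO shop_app_rw;
GRANT USAGE ON SCHEMA public TO shop_app_rw;
GRANT SELECT, INSERT, UPDATE ON orders TO shop_app_rw;  -- no DELETE, no users table

-- GRANT ... ON ALL TABLES only covers tables that exist when it runs.
-- Default privileges extend the grant to tables created later by the role
-- that executes this statement (add FOR ROLE <owner> to target another owner).
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO readonly;

-- Login role for the application; store the password as a SCRAM verifier.
SET password_encryption = 'scram-sha-256';
CREATE ROLE shop_app LOGIN
    PASSWORD 'REPLACE_WITH_GENERATED_SECRET'  -- placeholder, not a real value
    CONNECTION LIMIT 20;
GRANT shop_app_rw TO shop_app;

-- Effective privileges of the login role, including those inherited
-- from shop_app_rw.
SELECT has_table_privilege('shop_app', 'orders', 'INSERT') AS can_insert,
       has_table_privilege('shop_app', 'orders', 'DELETE') AS can_delete,
       has_table_privilege('shop_app', 'users',  'SELECT') AS can_read_users;

-- Locate pg_hba.conf and list rules that skip authentication or use weak
-- password methods. pg_hba_file_rules is readable by superusers by default.
SHOW hba_file;
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method IN ('trust', 'password', 'md5')
ORDER BY line_number;

-- Roles that can log in and what they are members of, for periodic review.
SELECT r.rolname, r.rolsuper, r.rolcreaterole, m.rolname AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members am ON am.member = r.oid
LEFT JOIN pg_roles m ON m.oid = am.roleid
WHERE r.rolcanlogin
ORDER BY r.rolname;
```

Run it as a superuser or the database owner; any row returned by the pg_hba_file_rules query is a rule to tighten in pg_hba.conf, followed by a configuration reload.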