Re: Delegating User creation

From: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>

> merlyn(at)stonehenge(dot)com (Randal L. Schwartz) writes:
> > Couldn't you create an INSERT rule on pg_password for the
> > junior-superuser that narrowed the created users to only sensible
> > permissions?
>
> Obviously, if we invented a "create users" permission, it would have to
> extend only to creating non-superuser users; you'd only want superusers
> to be able to make more superusers.
>
> But that's not really the point IMHO. As I understood the question,
> it was about being able to delegate the right to create users *for
> particular databases*. That can't be delegated because it doesn't
> exist --- we have no concept of users restricted to only some databases
> within an installation. (You can sort of fake it by restricting their
> ability to connect in pg_hba.conf, but that's a pretty ugly approach,
> and certainly not one that's available to anyone but the dbadmin.)

Could you not do it with groups?

All objects in database "foo" are only accessible to users in "foo_group".
Operations on the user tables are only permitted against users who are in
"foo_group" (via Randal's use of rules/triggers).

Any user could connect to any database, but wouldn't have access to the
tables.

- Richard Huxton