Re: [PATCHES] Users/Groups -> Roles

* Bruce Momjian (pgman(at)candle(dot)pha(dot)pa(dot)us) wrote:
> Thanks, TODO updated. We still support CREATE GROUP? It translates to
> roles?

Yes, CREATE USER too.

Stephen

> Tom Lane wrote:
> > Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > > Stupid question, but how do roles relate to our existing "groups"?
> >
> > As committed, roles subsume both users and groups: a role that permits
> > login (rolcanlogin) acts as a user, and a role that has members is a
> > group. It is possible for the same role to do both things, though I'm
> > not sure that it's good security policy to set up a role that way.
> >
> > The advantage over what we had is exactly that there isn't any
> > distinction, and thus groups can do everything users can and
> > vice versa:
> > * groups can own objects
> > * groups can contain other groups (we forbid loops though)
> >
> > Also there is a notion of "admin option" for groups, which is like
> > "grant option" for privileges: you can designate certain members of
> > a group as being able to grant ownership in that group to others,
> > without having to make them superusers.
> >
> > regards, tom lane
> >
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
> + If your life is a hard drive, | 13 Roberts Road
> + Christ can be your backup. | Newtown Square, Pennsylvania 19073