| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Tom Jenkins <tjenkins(at)devis(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Delegating User creation |
| Date: | 2001-07-20 21:23:02 |
| Message-ID: | 5101.995664182@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tom Jenkins <tjenkins(at)devis(dot)com> writes:
> However it looks like to give those folks user creation rights, they
> would become super users and be able to access other departments'
> databases. Is there a way for a user to get user creation rights only
> for their database and not get superuser rights across all databases?
Not at the moment --- there isn't a "create user" right that is separate
from superuserness. Since users are global to the whole database
installation, it's not as simple as allowing owners of individual
databases to create users for their databases; they'd be implicitly
creating users who might be able to access other databases as well.
My suggestion if you want compartmentalized user creation is to set up a
separate postmaster (not only a separate database) for each department.
Then you can give people superuserness that extends no further than
their own database. BTW, you might want to turn off pg_shadow.usecatupd
for these people, to limit their ability to shoot themselves in the
foot.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Randal L. Schwartz | 2001-07-20 21:53:22 | Re: Delegating User creation |
| Previous Message | Tom Lane | 2001-07-20 21:14:44 | Re: RPM source files should be in CVS (was Re: psql -l) |