Re: Delegating User creation

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tom Jenkins <tjenkins(at)devis(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Delegating User creation
Date: 2001-07-20 21:23:02
Message-ID: 5101.995664182@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Tom Jenkins <tjenkins(at)devis(dot)com> writes:
> However it looks like to give those folks user creation rights, they
> would become super users and be able to access other departments'
> databases. Is there a way for a user to get user creation rights only
> for their database and not get superuser rights across all databases?

Not at the moment --- there isn't a "create user" right that is separate
from superuserness. Since users are global to the whole database
installation, it's not as simple as allowing owners of individual
databases to create users for their databases; they'd be implicitly
creating users who might be able to access other databases as well.

My suggestion if you want compartmentalized user creation is to set up a
separate postmaster (not only a separate database) for each department.
Then you can give people superuserness that extends no further than
their own database. BTW, you might want to turn off pg_shadow.usecatupd
for these people, to limit their ability to shoot themselves in the
foot.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Randal L. Schwartz 2001-07-20 21:53:22 Re: Delegating User creation
Previous Message Tom Lane 2001-07-20 21:14:44 Re: RPM source files should be in CVS (was Re: psql -l)