| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | merlyn(at)stonehenge(dot)com (Randal L(dot) Schwartz) |
| Cc: | Tom Jenkins <tjenkins(at)devis(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Delegating User creation |
| Date: | 2001-07-20 22:10:20 |
| Message-ID: | 5350.995667020@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
merlyn(at)stonehenge(dot)com (Randal L. Schwartz) writes:
> Couldn't you create an INSERT rule on pg_password for the
> junior-superuser that narrowed the created users to only sensible
> permissions?
Obviously, if we invented a "create users" permission, it would have to
extend only to creating non-superuser users; you'd only want superusers
to be able to make more superusers.
But that's not really the point IMHO. As I understood the question,
it was about being able to delegate the right to create users *for
particular databases*. That can't be delegated because it doesn't
exist --- we have no concept of users restricted to only some databases
within an installation. (You can sort of fake it by restricting their
ability to connect in pg_hba.conf, but that's a pretty ugly approach,
and certainly not one that's available to anyone but the dbadmin.)
This should be improved, and probably will be in future. In the
meantime, though, I don't think a "create users" right would by itself
solve Tom's problem.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nate Carlson | 2001-07-20 22:10:57 | Microsoft SQL Server Replication |
| Previous Message | Randal L. Schwartz | 2001-07-20 21:53:22 | Re: Delegating User creation |