Re: Users and object privileges maintenance

On 2/18/24 02:12, Dominique Devienne wrote:
> On Sat, Feb 17, 2024 at 10:50 PM Lok P <loknath(dot)73(at)gmail(dot)com
> <mailto:loknath(dot)73(at)gmail(dot)com>> wrote:
>
> We were having past experience in Oracle and are newly getting moved
> to postgres database. [...]
> So I just wanted to understand if these grants and privileges for
> objects/users are given and maintained in a similar way in postgres
> database
>
>
> Yes they are. Having done that move from Oracle to PostgreSQL, here are
> a few pointers.
>

More information on a couple of points I have found trips people up on
occasion.

>
> "DBAs" in PostgreSQL are ROLEs with the SUPERUSER privilege. (e.g. the
> built-in postgres ROLE)

This is a convention not a rule. More specifically it is the name of the
OS user that runs initdb. It can be overridden by using -U <some_name)
with initdb. I bring it up because this causes confusion, in particular
with the folks using the Homebrew and Postgres.app packages found here:

https://www.postgresql.org/download/macosx/

In those cases the default superuser generally is the name of the OS
user that downloaded and installed the package.

>
> USERs are ROLEs with the LOGIN privilege.

Again a convention not a rule. This harks back to the days(v 8.0-) when
Postgres had groups and users.

Per

https://www.postgresql.org/docs/current/sql-createuser.html

"CREATE USER is now an alias for CREATE ROLE. The only difference is
that when the command is spelled CREATE USER, LOGIN is assumed by
default, whereas NOLOGIN is assumed when the command is spelled CREATE
ROLE."

It is entirely possible to CREATE USER ... WITH NOLOGIN ...

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com