Commit 4127347

Improve documentation about CREATEROLE privilege.
1 parent 35c8983 commit 4127347

2 files changed

+22
-7
lines changed

doc/src/sgml/ref/grant.sgml

Lines changed: 7 additions & 3 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.49 2005/10/13 23:26:00 tgl Exp $
33
PostgreSQL documentation
44
-->
55

@@ -293,8 +293,12 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
293293

294294
<para>
295295
If <literal>WITH ADMIN OPTION</literal> is specified, the member may
296-
in turn grant membership in the role to others. Without the admin
297-
option, the recipient cannot do that.
296+
in turn grant membership in the role to others, and revoke membership
297+
in the role as well. Without the admin option, ordinary users cannot do
298+
that. However,
299+
database superusers can grant or revoke membership in any role to anyone.
300+
Roles having <literal>CREATEROLE</> privilege can grant or revoke
301+
membership in any role that is not a superuser.
298302
</para>
299303
</refsect2>
300304
</refsect1>
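
Review bot: The new CREATEROLE sentence (new lines 300-301) does not say to whom membership can be granted or from whom it can be revoked, while the superuser sentence just above it says "to anyone". As written, "any role that is not a superuser" could restrict the role being granted, the recipient, or both; suggest stating the recipient explicitly, in the same form as the superuser sentence. Also, "ordinary users cannot do that" now follows a sentence covering both granting and revoking, so "cannot do either" would be clearer than "that".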

doc/src/sgml/user-manag.sgml

Lines changed: 15 additions & 4 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $
33
-->
44

55
<chapter id="user-manag">
@@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>;
203203
checks). To create such a role, use <literal>CREATE ROLE
204204
<replaceable>name</replaceable> CREATEROLE</literal>.
205205
A role with <literal>CREATEROLE</> privilege can alter and drop
206-
other roles, too. However, to alter or drop a superuser role,
207-
superuser status is required; <literal>CREATEROLE</> is not sufficient
208-
for that.
206+
other roles, too, as well as grant or revoke membership in them.
207+
However, to create, alter, drop, or change membership of a
208+
superuser role, superuser status is required;
209+
<literal>CREATEROLE</> is not sufficient for that.
209210
</para>
210211
</listitem>
211212
</varlistentry>
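
Review bot: In new lines 207-208, "change membership of a superuser role" is ambiguous: it can be read as membership in a superuser role or as the superuser role's own membership in other roles. The grant.sgml hunk in this commit says "membership in any role that is not a superuser", so "change membership in a superuser role" would keep the two pages consistent. Minor style point on new line 206: "too, as well as" is redundant, and "other roles, and grant or revoke membership in them" reads more cleanly.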
@@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>;
234235
endterm="sql-alterrole-title"> commands for details.
235236
</para>
236237

238+
<tip>
239+
<para>
240+
It is good practice to create a role that has the <literal>CREATEDB</>
241+
and <literal>CREATEROLE</> privileges, but is not a superuser, and then
242+
use this role for all routine management of databases and roles. This
243+
approach avoids the dangers of operating as a superuser for tasks that
244+
do not really require it.
245+
</para>
246+
</tip>
247+
237248
<para>
238249
A role can also have role-specific defaults for many of the run-time
239250
configuration settings described in <xref
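
Review bot: The tip (new lines 238-246) presents a CREATEDB plus CREATEROLE role as the way to avoid the dangers of superuser, but it does not mention that, per the paragraph changed earlier in this file, a CREATEROLE role can alter and drop other roles and grant or revoke membership in them, so it still has wide control over every non-superuser role. Suggest adding a sentence to the tip saying that this management role is itself highly privileged and should be protected accordingly, or a cross-reference to the CREATEROLE entry above.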
