database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-25 21:42:33 +03:00
Code

Improve documentation about CREATEROLE privilege.

Browse Source
This commit is contained in:
Tom Lane 2005-10-13 23:26:00 +00:00
parent 35c8983371
commit 412734767a
2 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/src/sgml/ref/grant.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.49 2005/10/13 23:26:00 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
@ -293,8 +293,12 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
<para> <para>
If <literal>WITH ADMIN OPTION</literal> is specified, the member may If <literal>WITH ADMIN OPTION</literal> is specified, the member may
in turn grant membership in the role to others. Without the admin in turn grant membership in the role to others, and revoke membership
option, the recipient cannot do that. in the role as well. Without the admin option, ordinary users cannot do
that. However,
database superusers can grant or revoke membership in any role to anyone.
Roles having <literal>CREATEROLE</> privilege can grant or revoke
membership in any role that is not a superuser.
</para> </para>
</refsect2> </refsect2>
</refsect1> </refsect1>

19
doc/src/sgml/user-manag.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $
--> -->
<chapter id="user-manag"> <chapter id="user-manag">
@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>;
checks). To create such a role, use <literal>CREATE ROLE checks). To create such a role, use <literal>CREATE ROLE
<replaceable>name</replaceable> CREATEROLE</literal>. <replaceable>name</replaceable> CREATEROLE</literal>.
A role with <literal>CREATEROLE</> privilege can alter and drop A role with <literal>CREATEROLE</> privilege can alter and drop
other roles, too. However, to alter or drop a superuser role, other roles, too, as well as grant or revoke membership in them.
superuser status is required; <literal>CREATEROLE</> is not sufficient However, to create, alter, drop, or change membership of a
for that. superuser role, superuser status is required;
<literal>CREATEROLE</> is not sufficient for that.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>;
endterm="sql-alterrole-title"> commands for details. endterm="sql-alterrole-title"> commands for details.
</para> </para>
<tip>
<para>
It is good practice to create a role that has the <literal>CREATEDB</>
and <literal>CREATEROLE</> privileges, but is not a superuser, and then
use this role for all routine management of databases and roles. This
approach avoids the dangers of operating as a superuser for tasks that
do not really require it.
</para>
</tip>
<para> <para>
A role can also have role-specific defaults for many of the run-time A role can also have role-specific defaults for many of the run-time
configuration settings described in <xref configuration settings described in <xref