mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-03-07 19:47:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Improve documentation about CREATEROLE privilege.

Browse Source
This commit is contained in:
Tom Lane 2005-10-13 23:26:00 +00:00
parent 35c8983371
commit 412734767a
2 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/src/sgml/ref/grant.sgml
View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.49 2005/10/13 23:26:00 tgl Exp $
PostgreSQL documentation
-->
@ -293,8 +293,12 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
<para>
If <literal>WITH ADMIN OPTION</literal> is specified, the member may
in turn grant membership in the role to others. Without the admin
option, the recipient cannot do that.
in turn grant membership in the role to others, and revoke membership
in the role as well. Without the admin option, ordinary users cannot do
that. However,
database superusers can grant or revoke membership in any role to anyone.
Roles having <literal>CREATEROLE</> privilege can grant or revoke
membership in any role that is not a superuser.
</para>
</refsect2>
</refsect1>

19
doc/src/sgml/user-manag.sgml
View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $
-->
<chapter id="user-manag">
@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>;
checks). To create such a role, use <literal>CREATE ROLE
<replaceable>name</replaceable> CREATEROLE</literal>.
A role with <literal>CREATEROLE</> privilege can alter and drop
other roles, too. However, to alter or drop a superuser role,
superuser status is required; <literal>CREATEROLE</> is not sufficient
for that.
other roles, too, as well as grant or revoke membership in them.
However, to create, alter, drop, or change membership of a
superuser role, superuser status is required;
<literal>CREATEROLE</> is not sufficient for that.
</para>
</listitem>
</varlistentry>
@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>;
endterm="sql-alterrole-title"> commands for details.
</para>
<tip>
<para>
It is good practice to create a role that has the <literal>CREATEDB</>
and <literal>CREATEROLE</> privileges, but is not a superuser, and then
use this role for all routine management of databases and roles. This
approach avoids the dangers of operating as a superuser for tasks that
do not really require it.
</para>
</tip>
<para>
A role can also have role-specific defaults for many of the run-time
configuration settings described in <xref