Commit 4127347

Improve documentation about CREATEROLE privilege.
1 parent 35c8983 commit 4127347

2 files changed

+22
-7
lines changed

doc/src/sgml/ref/grant.sgml

Lines changed: 7 additions & 3 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.49 2005/10/13 23:26:00 tgl Exp $
33
PostgreSQL documentation
44
-->
55

@@ -293,8 +293,12 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
293293

294294
<para>
295295
If <literal>WITH ADMIN OPTION</literal> is specified, the member may
296-
in turn grant membership in the role to others. Without the admin
297-
option, the recipient cannot do that.
296+
in turn grant membership in the role to others, and revoke membership
297+
in the role as well. Without the admin option, ordinary users cannot do
298+
that. However,
299+
database superusers can grant or revoke membership in any role to anyone.
300+
Roles having <literal>CREATEROLE</> privilege can grant or revoke
301+
membership in any role that is not a superuser.
298302
</para>
299303
</refsect2>
300304
</refsect1>
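
Review bot: The added sentence at new lines 300-301, "can grant or revoke membership in any role that is not a superuser", does not say which side the superuser restriction applies to: the role whose membership is being granted, the role receiving it, or both. The superuser sentence just above it is explicit ("in any role to anyone"), so the CREATEROLE sentence should be equally explicit and should match the wording used in user-manag.sgml in this same commit ("change membership of a superuser role"). Since the rest of the paragraph is about WITH ADMIN OPTION, it would also help to state that a CREATEROLE role needs no admin option on the role in question, which is what "any role" implies here.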

doc/src/sgml/user-manag.sgml

Lines changed: 15 additions & 4 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $
33
-->
44

55
<chapter id="user-manag">
@@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>;
203203
checks). To create such a role, use <literal>CREATE ROLE
204204
<replaceable>name</replaceable> CREATEROLE</literal>.
205205
A role with <literal>CREATEROLE</> privilege can alter and drop
206-
other roles, too. However, to alter or drop a superuser role,
207-
superuser status is required; <literal>CREATEROLE</> is not sufficient
208-
for that.
206+
other roles, too, as well as grant or revoke membership in them.
207+
However, to create, alter, drop, or change membership of a
208+
superuser role, superuser status is required;
209+
<literal>CREATEROLE</> is not sufficient for that.
209210
</para>
210211
</listitem>
211212
</varlistentry>
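
Review bot: The phrasing at new line 206, "other roles, too, as well as grant or revoke membership in them", stacks "too" and "as well as"; something like "can also alter and drop other roles, and grant or revoke membership in them" reads more cleanly. The superuser exception at new lines 207-209 now covers four operations (create, alter, drop, change membership), while the matching text added to grant.sgml only mentions membership, so a cross-reference from grant.sgml to this entry would keep the two descriptions from drifting apart.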
@@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>;
234235
endterm="sql-alterrole-title"> commands for details.
235236
</para>
236237

238+
<tip>
239+
<para>
240+
It is good practice to create a role that has the <literal>CREATEDB</>
241+
and <literal>CREATEROLE</> privileges, but is not a superuser, and then
242+
use this role for all routine management of databases and roles. This
243+
approach avoids the dangers of operating as a superuser for tasks that
244+
do not really require it.
245+
</para>
246+
</tip>
247+
237248
<para>
238249
A role can also have role-specific defaults for many of the run-time
239250
configuration settings described in <xref
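
Review bot: The tip at new lines 240-244 presents the CREATEDB plus CREATEROLE role as the safe alternative to a superuser, but it does not say how much that role can still do. Per the text changed earlier in this same file, such a role "can alter and drop other roles, too, as well as grant or revoke membership in them", which covers every non-superuser role. Suggest adding a sentence to the tip noting that this management role is still highly privileged and its credentials should be protected accordingly, so readers do not treat "not a superuser" as meaning low risk.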
