Hi Ben!
Thanks for your answer! It hits the spot.
Peter
Am 17.08.2007 um 19:28 schrieb Ben Kim:
I want to know whether there exist the possibility to create a
user who has the permission to create users with preset limited
permissions.
In detail:
I do not want that the admin user (a separate limited one for the
customer) is able to create full admin users or adequate ones.
It's likely possible. There might be a better reference but you
might want to read this: (Look for Tom Lane's post)
http://archives.devshed.com/forums/databases-124/anyone-know-a-
good- opensource-crm-that-actually-installs-with-2217243-2.html
Following his example:
create or replace function makeuser(text, text) returns void as $$
begin execute 'create role ' || quote_ident($1) || ' login
password '
|| quote_literal($2) ; end$$ language plpgsql security definer;
then you can
create role a_group;
grant select,insert,update on a_table to a_group with grant option;
alter group a_group add user a_user;
so a_user can now
select makeuser('b_user','b_password');
grant select on a_table to b_user;
There might be a better way though.
If you're on 8.1 and upwards, createrole is not separate from
superuser. But it seemed if a user is given createrole, even though
he's not given the superuser, s/he can drop other users (who s/he
didn't create.) So alter user...createuser may not fit here. Please
correct me if I'm wrong.
HTH
Ben K.
Developer
http://benix.tamu.edu
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
