CREATE TABLE is not considered to be an access violation; we have no
concept of read-only access to a whole database, only to individual
tables.
If you want to restrict each user to connect only to his own database,
there's an option for that in pg_hba.conf:
# host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
#
# DBNAME is the name of a PostgreSQL database, "all" to indicate all
# databases, or "sameuser" to restrict a user's access to a database with
# the same user name.
If that's not flexible enough for you, allowing a particular subset of
users to connect to a particular database is possible but tedious.
One way is to set up a separate password file for each such DB, and use
password authentication that specifies the alternate password file ---
ie, a separate pg_hba.conf line for each such DB, with the allowed users
listed in a separate file per DB. Another way is to use ident
authentication, specifying a separate "ident map name" for each DB,
and listing the allowed users for each DB under that map name.
This could stand to be improved; there's no comparable facility for
Kerberos auth methods.
regards, tom lane