Fabien COELHO <coelho@cri.ensmp.fr> writes:
>> Right, this can be done now.
> There is the namespace collision issue, and although I might grant a
> student the privilege to create simple roles, I would not allow them to
> create new users for a basic practice;-)
Why not? With the setup Stephen suggests, they could create only new
users that could only get into their own database (since they'd not be
able to grant connect rights to other databases).
We probably need to think a bit harder about the meaning of CREATEROLE
though. Right now it gives free license not only to create roles but
to alter any property of existing roles. This seems appropriate if you
think of it as a "safer form of superuser", which is how I was thinking
of it. It would be too powerful for Fabien's situation though.
regards, tom lane