Re: adding a user with the permission to create trimmed users

Hi Ben!

Thanks for your answer! It hits the spot.


Peter

Am 17.08.2007 um 19:28 schrieb Ben Kim:

>> I want to know whether there exist the possibility to create a
>> user who has the permission to create users with preset limited
>> permissions.
>>
>> In detail:
>> I do not want that the admin user (a separate limited one for the
>> customer) is able to create full admin users or adequate ones.
>
> It's likely possible. There might be a better reference but you
> might want to read this: (Look for Tom Lane's post)
>
> http://archives.devshed.com/forums/databases-124/anyone-know-a-
> good- opensource-crm-that-actually-installs-with-2217243-2.html
>
> Following his example:
>
>     create or replace function makeuser(text, text) returns void as $$
>     begin  execute 'create role ' || quote_ident($1) || ' login
> password '
>     || quote_literal($2) ; end$$ language plpgsql security definer;
>
> then you can
>
>      create role a_group;
>      grant select,insert,update on a_table to a_group with grant option;
>      alter group a_group add user a_user;
>
> so a_user can now
>
>         select makeuser('b_user','b_password');
>         grant select on a_table to b_user;
>
>
> There might be a better way though.
>
> If you're on 8.1 and upwards, createrole is not separate from
> superuser. But it seemed if a user is given createrole, even though
> he's not given the superuser, s/he can drop other users (who s/he
> didn't create.) So alter user...createuser may not fit here. Please
> correct me if I'm wrong.
>
>
> HTH
>
>
> Ben K.
> Developer
> http://benix.tamu.edu