> I want to know whether there exist the possibility to create a user who has
> the permission to create users with preset limited permissions.
>
> In detail:
> I do not want that the admin user (a separate limited one for the customer)
> is able to create full admin users or adequate ones.
It's likely possible. There might be a better reference but you might want
to read this: (Look for Tom Lane's post)
http://archives.devshed.com/forums/databases-124/anyone-know-a-good-
opensource-crm-that-actually-installs-with-2217243-2.html
Following his example:
create or replace function makeuser(text, text) returns void as $$
begin execute 'create role ' || quote_ident($1) || ' login password '
|| quote_literal($2) ; end$$ language plpgsql security definer;
then you can
create role a_group;
grant select,insert,update on a_table to a_group with grant option;
alter group a_group add user a_user;
so a_user can now
select makeuser('b_user','b_password');
grant select on a_table to b_user;
There might be a better way though.
If you're on 8.1 and upwards, createrole is not separate from superuser.
But it seemed if a user is given createrole, even though he's not given
the superuser, s/he can drop other users (who s/he didn't create.) So
alter user...createuser may not fit here. Please correct me if I'm wrong.
HTH
Ben K.
Developer
http://benix.tamu.edu