Re: Delegating User creation

From merlyn@stonehenge.com (Randal L. Schwartz)
Subject Re: Delegating User creation
Date
Msg-id m1hew7nu7h.fsf@halfdome.holdit.com
In response to Re: Delegating User creation  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Delegating User creation  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
>>>>> "Tom" == Tom Lane <tgl@sss.pgh.pa.us> writes:

Tom> Tom Jenkins <tjenkins@devis.com> writes:
>> However it looks like to give those folks user creation rights, they
>> would become super users and be able to access other departments'
>> databases.  Is there a way for a user to get user creation rights only
>> for their database and not get superuser rights across all databases?

Tom> Not at the moment --- there isn't a "create user" right that is separate
Tom> from superuserness.  Since users are global to the whole database
Tom> installation, it's not as simple as allowing owners of individual
Tom> databases to create users for their databases; they'd be implicitly
Tom> creating users who might be able to access other databases as well.

Tom> My suggestion if you want compartmentalized user creation is to set up a
Tom> separate postmaster (not only a separate database) for each department.
Tom> Then you can give people superuserness that extends no further than
Tom> their own database.  BTW, you might want to turn off pg_shadow.usecatupd
Tom> for these people, to limit their ability to shoot themselves in the
Tom> foot.

Couldn't you create an INSERT rule on pg_password for the
junior-superuser that narrowed the created users to only sensible
permissions?  Of course, you'd have to use SQL on the table rather
than nice "CREATE USER" commands instead, but that seems like it would
work.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
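
The layout Tom Lane suggests in the quoted text (one postmaster per department, with pg_shadow.usecatupd turned off for the department admin), sketched as an added example that is not part of the original message or of PostgreSQL itself. The department names, the `/srv/pg` base directory, the port range and the `<dept>_admin` account name are assumptions, and the SQL uses the `CREATE USER ... CREATEUSER` and `pg_shadow` forms of the releases this thread discusses.

```shell
#!/bin/sh
# Added example: plan one PostgreSQL cluster (postmaster) per department.
# Assumptions, not from the thread: base directory, port range, the
# "<dept>_admin" naming, and that pg_shadow is an updatable table with a
# usecatupd column (true for the releases of this thread's era).
BASE_DIR=${BASE_DIR:-/srv/pg}   # hypothetical parent of all data directories
BASE_PORT=${BASE_PORT:-5433}    # first port; each department gets the next

# plan_cluster NAME N -> print the commands for department NAME (Nth cluster)
plan_cluster() {
    name=$1; n=$2
    case $name in
        ''|*[!a-z0-9_]*) echo "invalid department name: $name" >&2; return 1 ;;
    esac
    datadir="$BASE_DIR/$name"
    port=$((BASE_PORT + n))
    # A separate data directory means a separate pg_shadow, so users (and
    # superusers) created here do not exist in any other department.
    echo "initdb -D $datadir"
    echo "pg_ctl -D $datadir -o \"-p $port\" -l $datadir/server.log start"
    # Department admin: superuser, but only inside this installation.
    echo "psql -p $port -d template1 -c \"CREATE USER ${name}_admin CREATEUSER\""
    # Per the quoted advice: no direct catalog updates for that account.
    echo "psql -p $port -d template1 -c \"UPDATE pg_shadow SET usecatupd = false WHERE usename = '${name}_admin'\""
}

# plan_all NAME... -> plan every department; refuse duplicate names so two
# departments can never end up sharing a data directory.
plan_all() {
    idx=0; seen=" "
    for dept in "$@"; do
        case $seen in
            *" $dept "*) echo "duplicate department: $dept" >&2; return 1 ;;
        esac
        seen="$seen$dept "
        plan_cluster "$dept" "$idx" || return 1
        idx=$((idx + 1))
    done
}

# Usage: sh plan.sh --plan sales hr   (prints commands; review before running)
if [ "${1:-}" = "--plan" ]; then shift; plan_all "$@"; fi
```

The script only prints the plan; nothing touches a server until the reviewed output is run by the operating-system account that owns the data directories.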
