Обсуждение: User Management, drop users
Hi, I felt that this place is more appropriate to ask my question. I already posted at psql-novice, but got no response. Here we go:
Right now, I have the following user management concept:
-) when creating a database, an equally named role is created; every user of this db is in this role, this is to
handle the CONNECT privilege in order to allow these users only to connect to "their" database, and not others
-) a role "owner" and "admin"; the member of these roles have CREATEROLE privilege
The problem: users who are member of "admin" are allowed to drop users from OTHER databases - that's not my
intention. I know that the createrole priv. allows them to drop users, but I want to restrict that to only
their database (which means: users he created)
So my questions:
1) What is your tidy way to administrate users of multiple databases in the postgresql cluster? Any tips?
2) How do you restrict the users of a specific database to touch only the objects in their database?
I'm very interested in the best practices of user management in PostgreSQL. Any help would be appreciated!
s.sporer
Sven Sporer <s.sporer@gmx.net> writes: > 2) How do you restrict the users of a specific database to touch only > the objects in their database? They *are* so restricted. Your problem is that roles are installation-wide, not local to a particular database, and so you cannot enforce the restriction you hope for: CREATEROLE privilege is inherently to do with installation-wide actions. A possible workaround is to ensure that every user owns at least one object in "his" database -- table, function, whatever. Then it's not possible to drop the user without having first gotten into that database. (As of 8.1 or so --- this wasn't enforced before that.) However a user with CREATEROLE can still cause all sorts of mischief with ALTER USER, so preventing only the DROP case probably isn't that helpful. Bottom line is you don't give out that privilege to people you don't trust. If you need better separation among groups of users, give them each their own installation (postmaster). regards, tom lane