  1. #1

    Question Unanswered: Role Permissions

    I'm confused about having a general group role that I can add individual user roles into. My question is if I have a role called 'it' that I want to place individual users into, do I need to add specific grants to the new user I create or to the specific group role? To clarify, I want everyone in the 'it' role to be able to have LOGIN, CREATEDB, CREATE USER, & CREATE SCHEMA grants. I would do this to the role 'it', right?

    Code:
    postgres=# \dg
                 List of roles
     Role name |  Attributes  | Member of  
    -----------+--------------+------------
     carlos    | Superuser    | {it}
     it        | Cannot login | {}
     jason     | Create role  | {it}
               : Create DB      
     mike      | Create DB    | {software}
     postgres  | Superuser    | {}
               : Create role    
               : Create DB      
     software  | Cannot login | {}

  2. #2
    Quote Originally Posted by CarlosinFL
    I'm confused about having a general group role that I can add individual user roles into. My question is if I have a role called 'it' that I want to place individual users into, do I need to add specific grants to the new user I create or to the specific group role? To clarify, I want everyone in the 'it' role to be able to have LOGIN, CREATEDB, CREATE USER, & CREATE SCHEMA grants. I would do this to the role 'it', right?

    No, these privileges are not inherited, so even if you have a role with LOGIN, CREATEDB, ... privileges, members of the group will not inherit these privileges.

  3. #3
    Quote Originally Posted by rski
    No, these privileges are not inherited, so even if you have a role with LOGIN, CREATEDB, ... privileges, members of the group will not inherit these privileges.

    Just to be clear, role privileges are generally inherited (at least by default). However, LOGIN, SUPERUSER, CREATEDB, and CREATEROLE are "special" privileges which are not. However, a user can still get access to those privileges by explicitly using SET ROLE.

    See this page for more info.
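
Added example, not part of the original thread: a psql session showing the behaviour described in the replies above, where an ordinary grant on the group role is inherited but the CREATEDB attribute only takes effect after SET ROLE, followed by a query that lists who can reach such attributes through membership. The names demo_it, demo_alice, demo_s and demo_db are made up, and the session is assumed to run as a superuser connected to the postgres database.

```sql
-- Run in psql as a superuser, connected to the "postgres" database.
-- demo_it, demo_alice, demo_s and demo_db are made-up names for this example.
CREATE ROLE demo_it NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE demo_alice LOGIN INHERIT IN ROLE demo_it;

-- An ordinary privilege granted to the group role: inherited by its members.
GRANT CREATE ON DATABASE postgres TO demo_it;

-- Act as the member (superuser-only shortcut for connecting as demo_alice).
SET SESSION AUTHORIZATION demo_alice;
CREATE SCHEMA demo_s;      -- works: CREATE on the database is inherited
CREATE DATABASE demo_db;   -- fails with permission denied: CREATEDB is not inherited
SET ROLE demo_it;          -- allowed because demo_alice is a member of demo_it
CREATE DATABASE demo_db;   -- works: the session now runs with demo_it's attributes
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Audit: direct members of any role that carries a non-inherited attribute.
-- Each member listed can pick that attribute up with SET ROLE.
SELECT m.rolname AS member,
       g.rolname AS group_role,
       g.rolsuper, g.rolcreatedb, g.rolcreaterole
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolsuper OR g.rolcreatedb OR g.rolcreaterole
ORDER BY group_role, member;

-- Clean up the example objects.
DROP DATABASE demo_db;
DROP SCHEMA demo_s;
REVOKE CREATE ON DATABASE postgres FROM demo_it;
DROP ROLE demo_alice, demo_it;
```

The audit query only follows direct memberships; nested group roles need a recursive walk over pg_auth_members. When reviewing least privilege, count membership in a role with CREATEROLE or SUPERUSER as holding that attribute, since SET ROLE makes it available.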
