Improve documentation about CREATEROLE privilege.

41273476 · Tom Lane · 35c89833 · 41273476 · 41273476
Commit 41273476 authored Oct 13, 2005 by Tom Lane
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 7 deletions

doc/src/sgml/ref/grant.sgml doc/src/sgml/ref/grant.sgml +7 -3

doc/src/sgml/user-manag.sgml doc/src/sgml/user-manag.sgml +15 -4

No files found.
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.48 2005/07/26 23:24:02 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.49 2005/10/13 23:26:00 tgl Exp $
 PostgreSQL documentation
 -->
@@ -293,8 +293,12 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
  <para>
   If <literal>WITH ADMIN OPTION</literal> is specified, the member may
-   in turn grant membership in the role to others.  Without the admin
+   in turn grant membership in the role to others, and revoke membership
-   option, the recipient cannot do that.
+   in the role as well.  Without the admin option, ordinary users cannot do
+   that.  However,
+   database superusers can grant or revoke membership in any role to anyone.
+   Roles having <literal>CREATEROLE</> privilege can grant or revoke
+   membership in any role that is not a superuser.
  </para>
 </refsect2>
 </refsect1>

--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $
 -->
 <chapter id="user-manag">
@@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>;
        checks). To create such a role, use <literal>CREATE ROLE
        <replaceable>name</replaceable> CREATEROLE</literal>.
        A role with <literal>CREATEROLE</> privilege can alter and drop
-        other roles, too.  However, to alter or drop a superuser role,
+        other roles, too, as well as grant or revoke membership in them.
-        superuser status is required; <literal>CREATEROLE</> is not sufficient
+        However, to create, alter, drop, or change membership of a
-        for that.
+        superuser role, superuser status is required;
+        <literal>CREATEROLE</> is not sufficient for that.
       </para>
      </listitem>
     </varlistentry>
@@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>;
    endterm="sql-alterrole-title"> commands for details.
   </para>
+  <tip>
+   <para>
+    It is good practice to create a role that has the <literal>CREATEDB</>
+    and <literal>CREATEROLE</> privileges, but is not a superuser, and then
+    use this role for all routine management of databases and roles.  This
+    approach avoids the dangers of operating as a superuser for tasks that
+    do not really require it.
+   </para>
+  </tip>
  <para>
   A role can also have role-specific defaults for many of the run-time
   configuration settings described in <xref