These clauses determine whether a role will be permitted to
- create new roles (that is, execute CREATE ROLE ).
- A role with CREATEROLE privilege can also alter
- and drop other roles.
- If not specified,
- NOCREATEROLE is the default.
+ create, alter, drop, comment on, change the security label for,
+ and grant or revoke membership in other roles.
+ See
+ capabilities are conferred by this privilege.
+ If not specified, NOCREATEROLE is the default.
- If you wish to create a new superuser, you must connect as a
- superuser, not merely with CREATEROLE privilege.
+ If you wish to create a role with the SUPERUSER ,
+ REPLICATION , or BYPASSRLS privilege,
+ you must connect as a superuser, not merely with
+ CREATEROLE privilege.
Being a superuser implies the ability to bypass all access permission
- checks within the database, so superuser access should not be granted lightly.
+ checks within the database, so superuser access should not be granted
+ lightly. CREATEROLE also conveys
+ very extensive privileges.
--createrole
- The new user will be allowed to create new roles (that is,
- this user will have CREATEROLE privilege).
+ The new user will be allowed to create, alter, drop, comment on,
+ change the security label for, and grant or revoke membership in
+ other roles; that is,
+ this user will have CREATEROLE privilege.
+ See
+ capabilities are conferred by this privilege.
-
role creationrole privilege to create +
id='role-creation'>role creationrole privilege to create
A role must be explicitly given permission to create more roles
name CREATEROLE.
A role with CREATEROLE privilege can alter and drop
other roles, too, as well as grant or revoke membership in them.
- However, to create, alter, drop, or change membership of a
- superuser role, superuser status is required;
- CREATEROLE is insufficient for that.
+ Altering a role includes most changes that can be made using
+ ALTER ROLE , including, for example, changing
+ passwords. It also includes modifications to a role that can
+ be made using the COMMENT and
+ SECURITY LABEL commands.
+
+ However, CREATEROLE does not convey the ability to
+ create SUPERUSER roles, nor does it convey any
+ power over SUPERUSER roles that already exist.
+ Furthermore, CREATEROLE does not convey the power
+ to create REPLICATION users, nor the ability to
+ grant or revoke the REPLICATION privilege, nor the
+ ability to modify the role properties of such users. However, it does
+ allow ALTER ROLE ... SET and
+ ALTER ROLE ... RENAME to be used on
+ REPLICATION roles, as well as the use of
+ COMMENT ON ROLE ,
+ SECURITY LABEL ON ROLE ,
+ and DROP ROLE .
+ Finally, CREATEROLE does not
+ confer the ability to grant or revoke the BYPASSRLS
+ privilege.
+
+ Because the CREATEROLE privilege allows a user
+ to grant or revoke membership even in roles to which it does not (yet)
+ have any access, a CREATEROLE user can obtain access
+ to the capabilities of every predefined role in the system, including
+ highly privileged roles such as
+ pg_execute_server_program and
+ pg_write_server_files .
and
-
- It is good practice to create a role that has the CREATEDB
- and CREATEROLE privileges, but is not a superuser, and then
- use this role for all routine management of databases and roles. This
- approach avoids the dangers of operating as a superuser for tasks that
- do not really require it.
-
-
-
A role can also have role-specific defaults for many of the run-time
configuration settings described in
projects / postgresql.git / commitdiff