If WITH ADMIN OPTION is specified, the member may
- in turn grant membership in the role to others. Without the admin
- option, the recipient cannot do that.
+ in turn grant membership in the role to others, and revoke membership
+ in the role as well. Without the admin option, ordinary users cannot do
+ that. However,
+ database superusers can grant or revoke membership in any role to anyone.
+ Roles having CREATEROLE privilege can grant or revoke
+ membership in any role that is not a superuser.
checks). To create such a role, use CREATE ROLE
name CREATEROLE.
A role with CREATEROLE privilege can alter and drop
- other roles, too. However, to alter or drop a superuser role,
- superuser status is required; CREATEROLE is not sufficient
- for that.
+ other roles, too, as well as grant or revoke membership in them.
+ However, to create, alter, drop, or change membership of a
+ superuser role, superuser status is required;
+ CREATEROLE is not sufficient for that.
endterm="sql-alterrole-title"> commands for details.
+
+ It is good practice to create a role that has the CREATEDB
+ and CREATEROLE privileges, but is not a superuser, and then
+ use this role for all routine management of databases and roles. This
+ approach avoids the dangers of operating as a superuser for tasks that
+ do not really require it.
+
+
+
A role can also have role-specific defaults for many of the run-time
configuration settings described in
projects / postgresql.git / commitdiff