-
+
+
+
Database Users and Permissions
Managing database users and their privileges is in concept similar
- to managing users of a Unix operating system, but the details are not
- identical.
+ to managing the users of a Unix operating system, but the details
+ are not identical.
- For convenience, the shell scripts <filename>createuser>
- and <filename>dropuser> are provided as wrappers around these SQL
+ For convenience, the shell scripts <application>createuser>
+ and <application>dropuser> are provided as wrappers around these SQL
commands.
In order to bootstrap the database system, a freshly initialized
system always contains one predefined user. This user will have the
fixed id 1, and by default (unless altered when running
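Review bot: The switch from `<filename>` to `<application>` for createuser and dropuser is the right element for program names, but as pasted the lines read `<application>createuser>` and `<application>dropuser>` with no matching end tag; if that is not an artifact of how the diff was captured, the SGML will not validate. Also, "wrappers around these SQL commands" takes its antecedent from text outside this hunk; confirm the preceding paragraph still names the SQL commands these scripts wrap so the reference resolves after the rewrap.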
- <command>initdb) it will have the same name as the
- operating system user that initialized the area (and is presumably
- being used as the user that runs the server). Customarily, this user
- will be named postgres. In order to create more
- users you first have to connect as this initial user.
+ <application>initdb) it will have the same name as
+ the operating system user that initialized the database
+ cluster. Customarily, this user will be named
+ postgres. In order to create more users
+ you first have to connect as this initial user.
The user name to use for a particular database connection is
indicated by the client that is initiating the connection request
in an application-specific fashion. For example, the
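Review bot: The rewritten paragraph ("This user will have the fixed id 1 ... In order to create more users you first have to connect as this initial user") still never states that the predefined user is a superuser, yet the paragraph below says only a superuser can create new users. Suggest adding a clause such as "This user is a database superuser" after "fixed id 1", so the two paragraphs agree and the reader understands why this account in particular needs protecting. Dropping "(and is presumably being used as the user that runs the server)" is fine if the operating-system account is described elsewhere, but that hint is now gone from this chapter.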
- <command>psql> program uses the
+ <application>psql> program uses the
command line option to indicate the user to connect as. The set of
database users a given client connection may connect as is
determined by the client authentication setup, as explained in
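Review bot: Two references in the unchanged context lines come through empty as captured: "uses the [ ] command line option to indicate the user" has no option name, and "as explained in" has no target. These are presumably `<option>` and `<xref>` elements stripped when the diff was pasted; confirm both survive in the committed file, because the sentences are unreadable without them.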
A database superuser bypasses all permission checks. Also,
only a superuser can create new users. To create a database
- superuser, use CREATE USER name
+ superuser, use CREATE USER name
CREATEUSER.
A user must be explicitly given permission to create databases
(except for superusers, since those bypass all permission
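Review bot: "To create a database superuser, use CREATE USER name CREATEUSER" should say outright that CREATEUSER confers full superuser status, i.e. the account then bypasses all permission checks as the preceding sentence describes. The keyword reads like a narrower "may create users" privilege, and an administrator who grants it on that reading has handed out unrestricted access; one sentence such as "Note that CREATEUSER makes the user a superuser" avoids that misreading.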
- checks). To create such a user, use CREATE USER name
- CREATEDB.
+ checks). To create such a user, use CREATE USER
+ name CREATEDB.
password
- A password is only significant if password authentication is
- used for client authentication. Database passwords are separate
- from operating system passwords. Specify a password upon
- user creation with CREATE USER name PASSWORD
- 'string'.
+ A password is only significant if the client authentication
+ method requires the user to supply a password when connecting
+ to the database. At present, the
+
+ make use of passwords. Database passwords are separate from
+ operating system passwords. Specify a password upon user
+ creation with CREATE USER
+ name PASSWORD 'string'.
When a database object is created, it is assigned an owner. The
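Review bot: The new sentence "At present, the ... make use of passwords" is missing its subject as captured: nothing sits between "the" and "make use of passwords", so the authentication methods that rely on passwords are not named. If that gap is an `<xref>` into the client authentication chapter rather than the method names themselves, confirm the target exists; either way a wording such as "At present, the following authentication methods make use of passwords" keeps the sentence readable and easier to keep in sync with that chapter when methods are added.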
- owner is the user that executed the creation statement. There is
- currently no polished interface for changing the owner of a database
- object (except for tables, for which ALTER TABLE> can do it).
- By default, only an owner (or a superuser) can do anything
- with the object. In order to allow other users to use it,
- privileges must be granted.
+ owner is the user that executed the creation statement. To change
+ the owner of a table, index, sequence, or view, use the
+ ALTER TABLE command. By default, only an owner
+ (or a superuser) can do anything with the object. In order to allow
+ other users to use it, privileges must be
+ granted.
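Review bot: "To change the owner of a table, index, sequence, or view, use the ALTER TABLE command" drops the removed caveat that there is no polished interface for changing the owner of other objects, but the new text is silent about object types outside that list, so a reader may assume ownership of any object can be reassigned. Suggest keeping one sentence stating that other object types currently have no owner-change command, so the limitation stays documented.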
- There are several different privileges: SELECT
- (read), INSERT (append), UPDATE
- (write), DELETE, RULE,
- REFERENCES (foreign key), and
- TRIGGER. (See the GRANT manual
- page for more detailed information.) The right to modify or destroy
- an object is always the privilege of the owner only. To assign
- privileges, the GRANT command is used. So, if
- joe is an existing user, and
- accounts is an existing table, write access can be
- granted with
+ There are several different privileges: SELECT>,
+ INSERT>, UPDATE>, DELETE>,
+ RULE>, REFERENCES>, TRIGGER>,
+ CREATE>, TEMPORARY>, EXECUTE>,
+ USAGE>, and ALL PRIVILEGES>. For more
+ information on the different types of privileges support by
+
PostgreSQL, refer to the
+ GRANT reference manual. The right to modify or
+ destroy an object is always the privilege of the owner only. To
+ assign privileges, the GRANT command is
+ used. So, if joe is an existing user, and
+ accounts is an existing table, the privilege to
+ update the table can be granted with
+
GRANT UPDATE ON accounts TO joe;
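Review bot: "privileges support by PostgreSQL" should read "privileges supported by PostgreSQL". Beyond the typo, the list now places ALL PRIVILEGES right before "The right to modify or destroy an object is always the privilege of the owner only"; it is worth stating explicitly that ALL PRIVILEGES grants every grantable privilege but not the owner's right to alter or drop the object, since that distinction is exactly what someone deciding what to grant needs. The change from "write access" to "the privilege to update the table" is good: it now matches the GRANT UPDATE example rather than implying INSERT and DELETE come with it.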
-Chapter>
+chapter>