Giving limited superuser powers to specific users
The superuser role has some privileges that can also be granted to non-superuser roles separately.
To give the bob role the ability to create new databases, run this:
ALTER ROLE BOB WITH CREATEDB;
To give the bob role the ability to create new users, run the following:
ALTER ROLE BOB WITH CREATEROLE;
It is also possible to give ordinary users more fine-grained and controlled access to an action reserved for superusers using security definer functions. The same trick can also be used to pass partial privileges between different users.
Getting ready
First, you must have access to the database as a superuser in order to delegate powers. Here, we assume the use of the default superuser named postgres.
We will demonstrate two ways to make some superuser-only functionality available to a selected ordinary user.
How to do it…
An ordinary user cannot tell PostgreSQL to copy table data from a file. Only a superuser can do that, as follows:
pguser@hvost:~$ psql...
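The security definer approach described earlier, applied to this COPY restriction for the role bob, as an added example that is not code from the original text. The table public.lines, the function name copy_lines_from_file, and the file path are assumptions chosen for illustration.

```sql
-- Run as the superuser postgres.
-- Assumed names: public.lines, copy_lines_from_file, and the file path below.
BEGIN;

CREATE TABLE IF NOT EXISTS public.lines (line text);

-- The function executes with the privileges of its owner (postgres),
-- so the COPY ... FROM <file> inside it succeeds even when bob calls it.
-- The path is a fixed literal: the caller cannot choose which file is read.
CREATE FUNCTION public.copy_lines_from_file()
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so objects created by the caller in other schemas
-- cannot shadow what the function references; pg_temp goes last.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    COPY public.lines FROM '/var/lib/postgresql/import/lines.txt';
END;
$$;

-- New functions are executable by PUBLIC by default. Revoke that in the
-- same transaction as the CREATE so no other role can ever call it,
-- then grant EXECUTE to the one role that needs it.
REVOKE ALL ON FUNCTION public.copy_lines_from_file() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.copy_lines_from_file() TO bob;

COMMIT;

-- Checks: bob may execute the function, and it is SECURITY DEFINER with
-- a pinned search_path and no PUBLIC entry in its ACL.
SELECT has_function_privilege('bob', 'public.copy_lines_from_file()', 'EXECUTE');

SELECT proname, prosecdef, proconfig, proacl
FROM pg_proc
WHERE proname = 'copy_lines_from_file';

-- As bob: SELECT public.copy_lines_from_file();
-- bob needs no INSERT privilege on public.lines and gains no general
-- ability to run COPY from server-side files.
```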