1- <Chapter id="user-manag">
1+ <!--
2+ $Header: /cvsroot/pgsql/doc/src/sgml/user-manag.sgml,v 1.14 2002/08/16 04:47:43 momjian Exp $
3+ -->
4+
5+ <chapter id="user-manag">
26 <title>Database Users and Permissions</title>
37
48 <para>
59 Managing database users and their privileges is in concept similar
6- to managing users of a Unix operating system, but the details are not
7- identical.
10+ to managingthe users of a Unix operating system, but the details
11+ are not identical.
812 </para>
913
1014 <sect1 id="database-users">
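Review bot: the `10+` line reads "to managingthe users of a Unix operating system" as rendered here, so the space in "managing the" is missing; the removed `6-` line had "to managing users", so the added "the" is also a wording change rather than the reflow the rest of this hunk performs, and should only stay if intended. The opening tag is now lowercase `<chapter id="user-manag">`; the last hunk lowercases `</Chapter>` to match, so the pair stays well-formed.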
@@ -27,27 +31,27 @@ CREATE USER <replaceable>name</replaceable>
2731 </para>
2832
2933 <para>
30- For convenience, the shell scripts <filename >createuser</filename >
31- and <filename >dropuser</filename > are provided as wrappers around these SQL
34+ For convenience, the shell scripts <application >createuser</application >
35+ and <application >dropuser</application > are provided as wrappers around these SQL
3236 commands.
3337 </para>
3438
3539 <para>
3640 In order to bootstrap the database system, a freshly initialized
3741 system always contains one predefined user. This user will have the
3842 fixed id 1, and by default (unless altered when running
39- <command >initdb</command >) it will have the same name as the
40- operating system user that initialized thearea (and is presumably
41- being used as the user that runs the server) . Customarily, this user
42- will be named <systemitem>postgres</systemitem>. In order to create more
43- users you first have to connect as this initial user.
43+ <application >initdb</application >) it will have the same name as
44+ the operating system user that initialized thedatabase
45+ cluster . Customarily, this user will be named
46+ <systemitem>postgres</systemitem>. In order to create more users
47+ you first have to connect as this initial user.
4448 </para>
4549
4650 <para>
4751 The user name to use for a particular database connection is
4852 indicated by the client that is initiating the connection request
4953 in an application-specific fashion. For example, the
50- <command >psql</command > program uses the <option>-U</option>
54+ <application >psql</application > program uses the <option>-U</option>
5155 command line option to indicate the user to connect as. The set of
5256 database users a given client connection may connect as is
5357 determined by the client authentication setup, as explained in
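Review bot: the `44+`/`45+` lines drop the parenthetical from the removed `40-`/`41-` lines noting that the bootstrap user "is presumably being used as the user that runs the server". That clause is the one place in this section that tells the reader the predefined user (fixed id 1, and per the next hunk a superuser that bypasses all permission checks) is normally the same operating system account the server process runs under; if the removal is intentional, consider keeping a short clause such as "which is also the user that runs the server" so that privilege implication survives. Also, "thedatabase" on the `44+` line is missing a space as rendered. The retagging of createuser, dropuser, initdb and psql from `<filename>`/`<command>` to `<application>` is consistent across the hunk.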
@@ -71,7 +75,7 @@ CREATE USER <replaceable>name</replaceable>
7175 <para>
7276 A database superuser bypasses all permission checks. Also,
7377 only a superuser can create new users. To create a database
74- superuser, use <literal>CREATE USER name
78+ superuser, use <literal>CREATE USER<replaceable> name</replaceable>
7579 CREATEUSER</literal>.
7680 </para>
7781 </listitem>
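Review bot: on the `78+` line the whitespace sits inside the element, `CREATE USER<replaceable> name</replaceable>`, so the rendered output depends on how the stylesheet treats leading space in `<replaceable>`. Move the space outside the element, `CREATE USER <replaceable>name</replaceable>`, as the `90+`/`91+` lines of the CREATEDB hunk do, so both examples render identically.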
@@ -83,8 +87,8 @@ CREATE USER <replaceable>name</replaceable>
8387 <para>
8488 A user must be explicitly given permission to create databases
8589 (except for superusers, since those bypass all permission
86- checks). To create such a user, use <literal>CREATE USER name
87- CREATEDB</literal>.
90+ checks). To create such a user, use <literal>CREATE USER
91+ <replaceable>name</replaceable> CREATEDB</literal>.
8892 </para>
8993 </listitem>
9094 </varlistentry>
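Review bot: no issues here; `CREATE USER <replaceable>name</replaceable> CREATEDB` on the `90+`/`91+` lines keeps the space outside the element, which is the form the CREATEUSER hunk above should adopt as well.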
@@ -93,11 +97,14 @@ CREATE USER <replaceable>name</replaceable>
9397 <term>password</term>
9498 <listitem>
9599 <para>
96- A password is only significant if password authentication is
97- used for client authentication. Database passwords are separate
98- from operating system passwords. Specify a password upon
99- user creation with <literal>CREATE USER name PASSWORD
100- 'string'</literal>.
100+ A password is only significant if the client authentication
101+ method requires the user to supply a password when connecting
102+ to the database. At present, the <option>password</>,
103+ <option>md5</>, and <option>crypt</> authentication methods
104+ make use of passwords. Database passwords are separate from
105+ operating system passwords. Specify a password upon user
106+ creation with <literal>CREATE USER
107+ <replaceable>name</replaceable> PASSWORD 'string'</literal>.
101108 </para>
102109 </listitem>
103110 </varlistentry>
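Review bot: the `102+`/`103+` lines name the `password`, `md5`, and `crypt` authentication methods without pointing the reader to where those methods are described; the `56`/`57` context earlier in this file already says the allowed users are "determined by the client authentication setup, as explained in" a referenced chapter, so add the same cross-reference here (an `<xref>` to that chapter) so a reader choosing a method, and therefore deciding whether the database password matters at all, can find the method descriptions. The `<option>...</>` short-end tags are valid SGML but would need the full closing tags if this file is ever processed as XML.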
@@ -134,26 +141,29 @@ ALTER GROUP <replaceable>name</replaceable> DROP USER <replaceable>uname1</repla
134141
135142 <para>
136143 When a database object is created, it is assigned an owner. The
137- owner is the user that executed the creation statement.There is
138- currently no polished interface for changing the owner of a database
139- object (except for tables, for which <command>ALTER TABLE</> can do it).
140- By default, only an owner (or a superuser) can do anything
141- with the object. In order to allow other users to use it,
142- <firstterm>privileges</firstterm> must be granted.
144+ owner is the user that executed the creation statement.To change
145+ the owner of a table, index, sequence, or view, use the
146+ <command>ALTER TABLE</command> command. By default, only an owner
147+ (or a superuser) can do anything with the object. In order to allow
148+ other users to use it, <firstterm>privileges</firstterm> must be
149+ granted.
143150 </para>
144151
145152 <para>
146- There are several different privileges: <literal>SELECT</literal>
147- (read), <literal>INSERT</literal> (append), <literal>UPDATE</literal>
148- (write), <literal>DELETE</literal>, <literal>RULE</literal>,
149- <literal>REFERENCES</literal> (foreign key), and
150- <literal>TRIGGER</literal>. (See the <command>GRANT</command> manual
151- page for more detailed information.) The right to modify or destroy
152- an object is always the privilege of the owner only. To assign
153- privileges, the <command>GRANT</command> command is used. So, if
154- <literal>joe</literal> is an existing user, and
155- <literal>accounts</literal> is an existing table, write access can be
156- granted with
153+ There are several different privileges: <literal>SELECT</>,
154+ <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
155+ <literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
156+ <literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
157+ <literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For more
158+ information on the different types of privileges support by
159+ <productname>PostgreSQL</productname>, refer to the
160+ <command>GRANT</command> reference manual. The right to modify or
161+ destroy an object is always the privilege of the owner only. To
162+ assign privileges, the <command>GRANT</command> command is
163+ used. So, if <literal>joe</literal> is an existing user, and
164+ <literal>accounts</literal> is an existing table, the privilege to
165+ update the table can be granted with
166+
157167<programlisting>
158168GRANT UPDATE ON accounts TO joe;
159169</programlisting>
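Review bot: grammar on the `158+` line: "the different types of privileges support by" should read "supported by". Also, "statement.To change" on the `144+` line is missing a space after the period as rendered here. On substance, the removed `150-` pointer to the GRANT manual page is preserved on `159+`/`160+`, and the `144+` to `146+` text replaces the vague "no polished interface" remark with the concrete ALTER TABLE instruction for tables, indexes, sequences and views; describing the `GRANT UPDATE ON accounts TO joe;` example as "the privilege to update the table" rather than "write access" is also more precise, since UPDATE alone is what is granted.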
@@ -210,4 +220,4 @@ REVOKE ALL ON accounts FROM PUBLIC;
210220
211221 </sect1>
212222
213- </Chapter >
223+ </chapter >
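Review bot: `</chapter>` now matches the lowercase `<chapter id="user-manag">` opening tag introduced in the first hunk; fine as is.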