<para>

Managing database users and their privileges is in concept similar

tothatof Unix operatingsystems, butthen again not identical

enough to not warrant explanation.

tomanaging usersofaUnix operatingsystem, butthe details are not

identical.

</para>

<sect1 id="database-users">

<title>Database Users</title>

<para>

Database users are conceptually completely separate from any

Database users are conceptually completely separate from

operating system users. In practice it might be convenient to

maintain a correspondence, but this is not required. Database user

names are global across a database cluster installation (and not

<para>

For convenience, the shell scripts <filename>createuser</filename>

and <filename>dropuser</filename> are wrappers around these SQL

and <filename>dropuser</filename> areprovided aswrappers around these SQL

commands.

</para>

<command>initdb</command>) it will have the same name as the

operating system user that initialized the area (and is presumably

being used as the user that runs the server). Customarily, this user

will becalled <systemitem>postgres</systemitem>. In order to create more

users you have to first connect as this initial user.

will benamed <systemitem>postgres</systemitem>. In order to create more

users youfirsthave to connect as this initial user.

</para>

<para>

determined by the client authentication setup, as explained in

<xref linkend="client-authentication">. (Thus, a client is not

necessarily limited to connect as the user with the same name as

its operating system user in the same way a person is not

its operating system user, in the same way a person is not

constrained in its login name by her real name.)

</para>

<listitem>

<para>

A password is only significant if password authentication is

used for client authentication. Database passwordsa separate

fromanyoperating system passwords. Specify a password upon

usercreating as in<literal>CREATE USER name WITH PASSWORD

used for client authentication. Database passwordsare separate

from operating system passwords. Specify a password upon

usercreation with<literal>CREATE USER name PASSWORD

'string'</literal>.

</para>

</listitem>

</varlistentry>

</variablelist>

A user's attributes can be modified after creation with

<command>ALTER USER</command>.

See the reference pages for <command>CREATE USER</command> and

<command>ALTER USER</command> for details.

</para>

<title>Groups</title>

<para>

As in Unix, groups are a way of logically grouping users. To create

a group, use

As in Unix, groups are a way of logically grouping users to ease

management of permissions: permissions can be granted to, or revoked

from, a group as a whole. To create a group, use

<synopsis>

CREATE GROUP <replaceable>name</replaceable>

</synopsis>

To add users to or remove users from a group,respectively, user

To add users to or remove users from a group,use

<synopsis>

ALTER GROUP <replaceable>name</replaceable> ADD USER <replaceable>uname1</replaceable>, ...

ALTER GROUP <replaceable>name</replaceable> DROP USER <replaceable>uname1</replaceable>, ...

</programlisting>

The special <quote>user</quote> name <literal>PUBLIC</literal> can

be used to grant a privilege to every user on the system. Using

<literal>ALL</literal> in place of a privilege specifies that all

<literal>ALL</literal> in place of aspecificprivilege specifies that all

privileges will be granted.

</para>

<programlisting>

REVOKE ALL ON accounts FROM PUBLIC;

</programlisting>

Theset ofprivilegesheld bythe table owneris always implicit

and cannot be revoked.

Thespecialprivilegesofthe table ownerare always implicit

and cannot begranted orrevoked.

</para>

</sect1>