|
1 | 1 | <!-- |
2 | | -$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.30 2005/08/14 23:35:37 tgl Exp $ |
| 2 | +$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.31 2005/10/13 23:26:00 tgl Exp $ |
3 | 3 | --> |
4 | 4 |
|
5 | 5 | <chapter id="user-manag"> |
@@ -203,9 +203,10 @@ CREATE USER <replaceable>name</replaceable>; |
203 | 203 | checks). To create such a role, use <literal>CREATE ROLE |
204 | 204 | <replaceable>name</replaceable> CREATEROLE</literal>. |
205 | 205 | A role with <literal>CREATEROLE</> privilege can alter and drop |
206 | | - other roles, too. However, to alter or drop a superuser role, |
207 | | - superuser status is required; <literal>CREATEROLE</> is not sufficient |
208 | | - for that. |
| 206 | + other roles, too, as well as grant or revoke membership in them. |
| 207 | + However, to create, alter, drop, or change membership of a |
| 208 | + superuser role, superuser status is required; |
| 209 | + <literal>CREATEROLE</> is not sufficient for that. |
209 | 210 | </para> |
210 | 211 | </listitem> |
211 | 212 | </varlistentry> |
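Review bot: The new sentence at new lines 206-209 says a CREATEROLE role can grant or revoke membership in other roles, but it does not say what that means for privileges. As worded, nothing excludes such a role from granting membership to itself or to a role it has just created, which would put the privileges of every non-superuser role within its reach. Suggest stating that consequence explicitly, or stating the limit if one exists. A wording nit on the same sentence: "too, as well as" is redundant, and "can also alter and drop other roles, and grant or revoke membership in them" reads more cleanly.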
@@ -234,6 +235,16 @@ CREATE USER <replaceable>name</replaceable>; |
234 | 235 | endterm="sql-alterrole-title"> commands for details. |
235 | 236 | </para> |
236 | 237 |
|
| 238 | + <tip> |
| 239 | + <para> |
| 240 | + It is good practice to create a role that has the <literal>CREATEDB</> |
| 241 | + and <literal>CREATEROLE</> privileges, but is not a superuser, and then |
| 242 | + use this role for all routine management of databases and roles. This |
| 243 | + approach avoids the dangers of operating as a superuser for tasks that |
| 244 | + do not really require it. |
| 245 | + </para> |
| 246 | + </tip> |
| 247 | + |
237 | 248 | <para> |
238 | 249 | A role can also have role-specific defaults for many of the run-time |
239 | 250 | configuration settings described in <xref |
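Review bot: The tip at new lines 238-246 presents a CREATEDB plus CREATEROLE role as the way to avoid "the dangers of operating as a superuser", without noting that the role is itself highly privileged. Per the paragraph changed earlier in this patch, CREATEROLE can alter and drop other roles and grant or revoke membership in them, and only superuser roles are out of its reach. Suggest adding a sentence that this management role should be treated as an administrative account (held by few people, not shared with application logins), with a pointer back to the CREATEROLE entry so readers see the scope of what it can do.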
|