|
1 | 1 | <!-- |
2 | | -$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.6 2005/12/23 16:46:39 petere Exp $ |
| 2 | +$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.7 2006/03/03 03:06:05 momjian Exp $ |
3 | 3 | PostgreSQL documentation |
4 | 4 | --> |
5 | 5 |
|
@@ -347,6 +347,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be: |
347 | 347 | specified in the SQL standard. |
348 | 348 | </para> |
349 | 349 |
|
| 350 | + <para> |
| 351 | + Be careful with the <literal>CREATEROLE</> privilege. There is no concept of |
| 352 | + inheritance for the privileges of a <literal>CREATEROLE</>-role. That |
| 353 | + means that even if a role does not have a certain privilege but is allowed |
| 354 | + to create other roles, it can easily create another role with different |
| 355 | + privileges than its own (except for creating roles with superuser |
| 356 | + privileges). For example, if the role <quote>user</> has the |
| 357 | + <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege, |
| 358 | + nonetheless it can create a new role with the <literal>CREATEDB</> |
| 359 | + privilege. Therefore, regard roles that have the <literal>CREATEROLE</> |
| 360 | + privilege as almost-superuser-roles. |
| 361 | + </para> |
| 362 | + |
350 | 363 | <para> |
351 | 364 | <productname>PostgreSQL</productname> includes a program <xref |
352 | 365 | linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has |
|
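Review bot: The opening of the added <para> (new lines 351-352) states the risk indirectly, as "no concept of inheritance for the privileges of a CREATEROLE-role", and a reader has to reach the next sentence to learn what is actually at stake. Suggest leading with the concrete statement already made at 353-356: a role with CREATEROLE can create roles holding privileges it does not have itself, with superuser as the only exception. The example at 356 names the role <quote>user</>, which is a reserved word in SQL and would need quoting as a real role name, so a neutral name would read better. At 360, "almost-superuser-roles" would be clearer as "almost-superuser roles". The paragraph also ends on the classification without saying what an administrator should do with it; one closing sentence advising that CREATEROLE be granted only to roles trusted to that degree would make the warning actionable.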