Re: Delegating User creation

merlyn@stonehenge.com (Randal L. Schwartz) writes:
> Couldn't you create an INSERT rule on pg_password for the
> junior-superuser that narrowed the created users to only sensible
> permissions?

Obviously, if we invented a "create users" permission, it would have to
extend only to creating non-superuser users; you'd only want superusers
to be able to make more superusers.

But that's not really the point IMHO.  As I understood the question,
it was about being able to delegate the right to create users *for
particular databases*.  That can't be delegated because it doesn't
exist --- we have no concept of users restricted to only some databases
within an installation.  (You can sort of fake it by restricting their
ability to connect in pg_hba.conf, but that's a pretty ugly approach,
and certainly not one that's available to anyone but the dbadmin.)

This should be improved, and probably will be in future.  In the
meantime, though, I don't think a "create users" right would by itself
solve Tom's problem.

            regards, tom lane