Re: adding a user with the permission to create trimmed users

> I want to know whether there exist the possibility to create a user who has
> the permission to create users with preset limited permissions.
>
> In detail:
> I do not want that the admin user (a separate limited one for the customer)
> is able to create full admin users or adequate ones.

It's likely possible. There might be a better reference but you might want
to read this: (Look for Tom Lane's post)

http://archives.devshed.com/forums/databases-124/anyone-know-a-good-
opensource-crm-that-actually-installs-with-2217243-2.html

Following his example:

     create or replace function makeuser(text, text) returns void as $$
     begin  execute 'create role ' || quote_ident($1) || ' login password '
     || quote_literal($2) ; end$$ language plpgsql security definer;

then you can

      create role a_group;
      grant select,insert,update on a_table to a_group with grant option;
      alter group a_group add user a_user;

so a_user can now

         select makeuser('b_user','b_password');
         grant select on a_table to b_user;


There might be a better way though.

If you're on 8.1 and upwards, createrole is not separate from superuser.
But it seemed if a user is given createrole, even though he's not given
the superuser, s/he can drop other users (who s/he didn't create.) So
alter user...createuser may not fit here. Please correct me if I'm wrong.


HTH


Ben K.
Developer
http://benix.tamu.edu