First, the superuser role has some privileges, which can also be granted to non-superuser roles separately.
To give the bob
role the ability to create new databases, run this:
ALTER ROLE BOB WITH CREATEDB;
To give the bob
role the ability to create new users, run the following:
ALTER ROLE BOB WITH CREATEUSER;
However, it is also possible to give ordinary users more fine-grained and controlled access to some action reserved for superusers, using SECURITY DEFINER functions. The same trick can also be used to pass partial privileges between different users.
First, you must have access to the database as a superuser in order to delegate some powers. Here, we assume the use of the default superuser named postgres
.
We will demonstrate two cases of making some superuser-only functionality available to select an ordinary user.
The database must have support for the PL/pgSQL embedded language installed. Starting from PostgreSQL 9.0, the...