0

I am using PostgreSQL and would like only admins to have the ability to create new users, while allowing some non-admin users read-write access to our tables.

I cannot find a way to get this done. I have a role called webuser to which I gave:

GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO webuser;

But now webuser has access to call CREATE USER and GRANT ROLE also. How can I remove access from webuser to do user-management operations while allowing SELECT, INSERT, UPDATE, DELETE on our database tables?

1
  • That grant does most definitely not grant the createuser privilege. Commented Jul 2, 2020 at 6:02

1 Answer

2

A user can only create other users if it has the createrole property: this property is not assigned by default when creating a user.

Doc. says:

CREATEROLE NOCREATEROLE

These clauses determine whether a role will be permitted to create new roles (that is, execute CREATE ROLE). A role with CREATEROLE privilege can also alter and drop other roles. If not specified, NOCREATEROLE is the default.

Either the user has been created with createrole or a superuser has run: alter user webuser createrole.

To revoke that privilege, run alter user webuser nocreaterole.

NB:

CREATE USER is now an alias for CREATE ROLE. The only difference is that when the command is spelled CREATE USER, LOGIN is assumed by default, whereas NOLOGIN is assumed when the command is spelled CREATE ROLE.
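An added example, not part of the original answer: a psql session that checks where webuser's role-management ability comes from, revokes it, and then lists what remains. It assumes you are connected as a superuser; webuser is the role name from the question, and the queries use the standard pg_roles and pg_auth_members catalogs.

```sql
-- 1. Show the attributes that permit role management for webuser.
--    rolsuper = true bypasses all permission checks, so check it as well.
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin
FROM pg_roles
WHERE rolname = 'webuser';

-- 2. List roles webuser belongs to (directly or through nested membership)
--    that carry SUPERUSER or CREATEROLE. These attributes are not inherited
--    automatically, but a member can use them after SET ROLE.
WITH RECURSIVE memberships AS (
    SELECT m.roleid
    FROM pg_auth_members m
    JOIN pg_roles r ON r.oid = m.member
    WHERE r.rolname = 'webuser'
  UNION
    SELECT m.roleid
    FROM pg_auth_members m
    JOIN memberships ms ON m.member = ms.roleid
)
SELECT r.rolname, r.rolsuper, r.rolcreaterole
FROM memberships ms
JOIN pg_roles r ON r.oid = ms.roleid
WHERE r.rolsuper OR r.rolcreaterole;

-- 3. Remove the attribute from webuser itself (the fix from the answer).
ALTER ROLE webuser NOCREATEROLE;

-- 4. Confirm the table privileges from the question are still in place.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'webuser' AND table_schema = 'public'
ORDER BY table_name, privilege_type;

-- 5. Audit: every role that can still create, alter or drop roles.
SELECT rolname, rolsuper, rolcreaterole
FROM pg_roles
WHERE rolsuper OR rolcreaterole
ORDER BY rolname;
```

If step 1 shows rolsuper as true, NOCREATEROLE alone changes nothing, and any role returned by step 2 needs its membership reviewed separately.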
