merlyn@stonehenge.com (Randal L. Schwartz) writes:
> Couldn't you create an INSERT rule on pg_password for the
> junior-superuser that narrowed the created users to only sensible
> permissions?
Obviously, if we invented a "create users" permission, it would have to
extend only to creating non-superuser users; you'd only want superusers
to be able to make more superusers.
But that's not really the point IMHO. As I understood the question,
it was about being able to delegate the right to create users *for
particular databases*. That can't be delegated because it doesn't
exist --- we have no concept of users restricted to only some databases
within an installation. (You can sort of fake it by restricting their
ability to connect in pg_hba.conf, but that's a pretty ugly approach,
and certainly not one that's available to anyone but the dbadmin.)
This should be improved, and probably will be in future. In the
meantime, though, I don't think a "create users" right would by itself
solve Tom's problem.
regards, tom lane