Re: [PATCHES] Users/Groups -> Roles - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [PATCHES] Users/Groups -> Roles
Date
Msg-id 9992.1120237396@sss.pgh.pa.us
Whole thread Raw
In response to Re: [PATCHES] Users/Groups -> Roles  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: [PATCHES] Users/Groups -> Roles
List pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Stupid question, but how do roles relate to our existing "groups"?

As committed, roles subsume both users and groups: a role that permits
login (rolcanlogin) acts as a user, and a role that has members is a
group.  It is possible for the same role to do both things, though I'm
not sure that it's good security policy to set up a role that way.

The advantage over what we had is exactly that there isn't any
distinction, and thus groups can do everything users can and
vice versa:* groups can own objects* groups can contain other groups (we forbid loops though)

Also there is a notion of "admin option" for groups, which is like
"grant option" for privileges: you can designate certain members of
a group as being able to grant ownership in that group to others,
without having to make them superusers.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: [PATCHES] Users/Groups -> Roles
Next
From: Bruce Momjian
Date:
Subject: Re: [PATCHES] Users/Groups -> Roles