On Fri, Feb 4, 2011 at 2:18 PM, David Johnston <polobo@yahoo.com> wrote: > Not to be smart about it but you could just logon as carlos (or a different > superuser you create for this purpose) and issue "Create Database xxx" and > "Create Role xxx" statements and see whether they work. A superuser should > (imo) be able to do everything (including dropping) without any additional > permissions required so unless you see that carlos cannot I would say you > are good.
Yes but I'm trying to understand the difference because the default 'postgres' user that is auto-configured to have 'SUPERUSER', 'CREATEDB', & 'CREATEROLE' grants. I'm trying to understand if those are redundant grants or if there is a reason PostgreSQL developers grant the 'postgres' user with SUPERUSER, CREATEDB, & CREATEROLE. Seems to me logically that if a someone is a superuser, then they should be able to CREATEDB & CREATEROLE, no? So why would the 'postgres' user need those additional attributes?
These all (SUPERUSER, CREATEDB, SUPERUSER) are role attributes. By performing ALTER ROLE postgres NOSUPERUSER it is possible to turn role with a superuser status into a role that just can create databases and manage roles (admin, but without superuser privileges).