Thread: [ADMIN] CREATE ANY TABLE privileges, etc
Good morning,
I've had a request to create a user that can create tables and schemas anywhere in this dev database. I know I could just make that user a SUPERUSER but wondering if there's anything short of that that seems more responsible. Again, this would only be in DEV so I'm not nearly as concerned giving them a superuser, assuming they haven't shown a track record of reckless behavior.
I'm thinking of privileges like Oracle's CREATE ANY TABLE, etc. vs granting them the DBA role.
On Tue, Aug 15, 2017 at 9:15 AM, Don Seiler <don@seiler.us> wrote:
Good morning,I've had a request to create a user that can create tables and schemas anywhere in this dev database. I know I could just make that user a SUPERUSER but wondering if there's anything short of that that seems more responsible. Again, this would only be in DEV so I'm not nearly as concerned giving them a superuser, assuming they haven't shown a track record of reckless behavior.I'm thinking of privileges like Oracle's CREATE ANY TABLE, etc. vs granting them the DBA role.
Easiest thing would be to grant ownership of that database to the user. That won't grant privileges to any existing objects, but will allow new schemas to be made by that user, which will in turn allow objects to be made in those schema that user creates.
Otherwise, there is the GRANT CREATE ON DATABASE ... command which will essentially do the same thing and allow schemas to be created.
https://www.postgresql.org/docs/9.6/static/sql-grant.html
https://www.postgresql.org/docs/9.6/static/sql-grant.html
Keith
On Tue, Aug 15, 2017 at 9:08 AM, Keith <keith@keithf4.com> wrote:
-- Easiest thing would be to grant ownership of that database to the user. That won't grant privileges to any existing objects, but will allow new schemas to be made by that user, which will in turn allow objects to be made in those schema that user creates.
I ended up granting the role that owns the DB to the user. Sounds similar to what you suggested? I'm waiting to hear from the dev if it does what he needs.
Thanks,
Don.
Don Seiler
www.seiler.us
www.seiler.us
Keith <keith@keithf4.com> writes: > On Tue, Aug 15, 2017 at 9:15 AM, Don Seiler <don@seiler.us> wrote: > > Good morning, > > I've had a request to create a user that can create tables and > schemas anywhere in this dev database. I know I could just make > that user a SUPERUSER but wondering if there's anything short of > that that seems more responsible. Again, this would only be in > DEV so I'm not nearly as concerned giving them a superuser, > assuming they haven't shown a track record of reckless behavior. > > I'm thinking of privileges like Oracle's CREATE ANY TABLE, etc. > vs granting them the DBA role. > > Don. > > -- > Don Seiler > www.seiler.us > > > Easiest thing would be to grant ownership of that database to the > user. That won't grant privileges to any existing objects, but will > allow new schemas to be made by that user, which will in turn allow > objects to be made in those schema that user creates. Hmmm? Often DB objects will be owned by whichever owner role... Thus, granting that role to some other user does indeed give that user full access to same objects as per whatever grants are established on them to the owner. By default, owner has all privileges but this can be changed. HTH > Otherwise, there is the GRANT CREATE ON DATABASE ... command which > will essentially do the same thing and allow schemas to be created. > > https://www.postgresql.org/docs/9.6/static/sql-grant.html > > Keith > > -- Jerry Sievers Postgres DBA/Development Consulting e: postgres.consulting@comcast.net p: 312.241.7800