example for grant_options
christiangierschner opened this issue · 3 comments
Hello,
thanks for this awesome software...
can someone please share an example for grant_options: in the config file...
i want a user to become SUPERUSER based on the group he is in...
can somebody please help me?
thanks and merry christmas :)
Greetings
Christian
I added a comment to the config file to describe the option. However it is not usable for the SUPERUSER attribute. Only for the "WITH ADMIN OPTION" attribute, which makes seldom sense for synchronized users.
The first idea to make all users in a group SUPERUSERs would be to make the group SUPERUSER. Unfortunately the SUPERUSER attribute isn't inherited, so that this idea doesn't work.
There is (currently) no way to set specific role attributes based on LDAP attributes.
The only option is to grant the SUPERUSER attribute to each specific user per ALTER USER <user> WITH SUPERUSER manually.
By the way: Although SUPERUSER is often preferred for simplicity, the role management of PostgreSQL is mature enough to do most data and schema manipulations without any need for SUPERUSER. ALTER DEFAULT PRIVILEGES can be used to grant permissions to specific roles, which are responsible for the database or schema.
In the company I work for we only have only 3 admins for the database server and they are called only in emergency cases. All other management operations on our primary PostgreSQL server are done by ordinary users with their permissions based on the groups they belong to.
thanks for your fast reply...
any tipps on how to automate privileges based on ADMIN and USER group? I suppose your tool can't do so?