diff options
Diffstat (limited to 'doc/src/sgml/ref')
| -rw-r--r-- | doc/src/sgml/ref/alter_role.sgml | 2 | ||||
| -rw-r--r-- | doc/src/sgml/ref/create_role.sgml | 10 | ||||
| -rw-r--r-- | doc/src/sgml/ref/createuser.sgml | 18 |
3 files changed, 19 insertions, 11 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index 33ac7327070..8a8f8281375 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -320,7 +320,7 @@ ALTER ROLE fred VALID UNTIL 'infinity'; </para> <para> - Give a role the ability to create other roles and new databases: + Give a role the ability to manage other roles and create new databases: <programlisting> ALTER ROLE miriam CREATEROLE CREATEDB; diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 029a1933615..1ccc8325588 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -119,11 +119,11 @@ in sync when changing the above synopsis! <listitem> <para> These clauses determine whether a role will be permitted to - create new roles (that is, execute <command>CREATE ROLE</command>). - A role with <literal>CREATEROLE</literal> privilege can also alter - and drop other roles. - If not specified, - <literal>NOCREATEROLE</literal> is the default. + create, alter, drop, comment on, change the security label for, + and grant or revoke membership in other roles. + See <xref linkend='role-creation' /> for more details about what + capabilities are conferred by this privilege. + If not specified, <literal>NOCREATEROLE</literal> is the default. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml index c6a7c603f78..a41a2b24e6c 100644 --- a/doc/src/sgml/ref/createuser.sgml +++ b/doc/src/sgml/ref/createuser.sgml @@ -41,10 +41,14 @@ PostgreSQL documentation </para> <para> - If you wish to create a new superuser, you must connect as a - superuser, not merely with <literal>CREATEROLE</literal> privilege. + If you wish to create a role with the <literal>SUPERUSER</literal>, + <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> privilege, + you must connect as a superuser, not merely with + <literal>CREATEROLE</literal> privilege. Being a superuser implies the ability to bypass all access permission - checks within the database, so superuser access should not be granted lightly. + checks within the database, so superuser access should not be granted + lightly. <literal>CREATEROLE</literal> also conveys + <link linkend='role-creation'>very extensive privileges</link>. </para> <para> @@ -247,8 +251,12 @@ PostgreSQL documentation <term><option>--createrole</option></term> <listitem> <para> - The new user will be allowed to create new roles (that is, - this user will have <literal>CREATEROLE</literal> privilege). + The new user will be allowed to create, alter, drop, comment on, + change the security label for, and grant or revoke membership in + other roles; that is, + this user will have <literal>CREATEROLE</literal> privilege. + See <xref linkend='role-creation' /> for more details about what + capabilities are conferred by this privilege. </para> </listitem> </varlistentry> |