<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.3. Role Membership</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="role-attributes.html" title="21.2. Role Attributes" /><link rel="next" href="role-removal.html" title="21.4. Dropping Roles" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.3. Role Membership</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="role-attributes.html" title="21.2. Role Attributes">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><th width="60%" align="center">Chapter 21. Database Roles</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="role-removal.html" title="21.4. Dropping Roles">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="ROLE-MEMBERSHIP"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.3. Role Membership</h2></div></div></div><a id="id-1.6.8.7.2" class="indexterm"></a><p>
It is frequently convenient to group users together to ease
management of privileges: that way, privileges can be granted to, or
revoked from, a group as a whole. In <span class="productname">PostgreSQL</span>
this is done by creating a role that represents the group, and then
granting <em class="firstterm">membership</em> in the group role to individual user
roles.
</p><p>
To set up a group role, first create the role:
</p><pre class="synopsis">
CREATE ROLE <em class="replaceable"><code>name</code></em>;
</pre><p>
Typically a role being used as a group would not have the <code class="literal">LOGIN</code>
attribute, though you can set it if you wish.
</p><p>
Once the group role exists, you can add and remove members using the
<a class="xref" href="sql-grant.html" title="GRANT"><span class="refentrytitle">GRANT</span></a> and
<a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a> commands:
</p><pre class="synopsis">
GRANT <em class="replaceable"><code>group_role</code></em> TO <em class="replaceable"><code>role1</code></em>, ... ;
REVOKE <em class="replaceable"><code>group_role</code></em> FROM <em class="replaceable"><code>role1</code></em>, ... ;
</pre><p>
You can grant membership to other group roles, too (since there isn't
really any distinction between group roles and non-group roles). The
database will not let you set up circular membership loops. Also,
it is not permitted to grant membership in a role to
<code class="literal">PUBLIC</code>.
</p><p>
The members of a group role can use the privileges of the role in two
ways. First, every member of a group can explicitly do
<a class="xref" href="sql-set-role.html" title="SET ROLE"><span class="refentrytitle">SET ROLE</span></a> to
temporarily <span class="quote">“<span class="quote">become</span>”</span> the group role. In this state, the
database session has access to the privileges of the group role rather
than the original login role, and any database objects created are
considered owned by the group role not the login role. Second, member
roles that have the <code class="literal">INHERIT</code> attribute automatically have use
of the privileges of roles of which they are members, including any
privileges inherited by those roles.
As an example, suppose we have done:
</p><pre class="programlisting">
CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT;
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;
</pre><p>
Immediately after connecting as role <code class="literal">joe</code>, a database
session will have use of privileges granted directly to <code class="literal">joe</code>
plus any privileges granted to <code class="literal">admin</code>, because <code class="literal">joe</code>
<span class="quote">“<span class="quote">inherits</span>”</span> <code class="literal">admin</code>'s privileges. However, privileges
granted to <code class="literal">wheel</code> are not available, because even though
<code class="literal">joe</code> is indirectly a member of <code class="literal">wheel</code>, the
membership is via <code class="literal">admin</code> which has the <code class="literal">NOINHERIT</code>
attribute. After:
</p><pre class="programlisting">
SET ROLE admin;
</pre><p>
the session would have use of only those privileges granted to
<code class="literal">admin</code>, and not those granted to <code class="literal">joe</code>. After:
</p><pre class="programlisting">
SET ROLE wheel;
</pre><p>
the session would have use of only those privileges granted to
<code class="literal">wheel</code>, and not those granted to either <code class="literal">joe</code>
or <code class="literal">admin</code>. The original privilege state can be restored
with any of:
</p><pre class="programlisting">
SET ROLE joe;
SET ROLE NONE;
RESET ROLE;
</pre><p>
</p><div class="note"><h3 class="title">Note</h3><p>
The <code class="command">SET ROLE</code> command always allows selecting any role
that the original login role is directly or indirectly a member of.
Thus, in the above example, it is not necessary to become
<code class="literal">admin</code> before becoming <code class="literal">wheel</code>.
</p></div><div class="note"><h3 class="title">Note</h3><p>
In the SQL standard, there is a clear distinction between users and roles,
and users do not automatically inherit privileges while roles do. This
behavior can be obtained in <span class="productname">PostgreSQL</span> by giving
roles being used as SQL roles the <code class="literal">INHERIT</code> attribute, while
giving roles being used as SQL users the <code class="literal">NOINHERIT</code> attribute.
However, <span class="productname">PostgreSQL</span> defaults to giving all roles
the <code class="literal">INHERIT</code> attribute, for backward compatibility with pre-8.1
releases in which users always had use of permissions granted to groups
they were members of.
</p></div><p>
The role attributes <code class="literal">LOGIN</code>, <code class="literal">SUPERUSER</code>,
<code class="literal">CREATEDB</code>, and <code class="literal">CREATEROLE</code> can be thought of as
special privileges, but they are never inherited as ordinary privileges
on database objects are. You must actually <code class="command">SET ROLE</code> to a
specific role having one of these attributes in order to make use of
the attribute. Continuing the above example, we might choose to
grant <code class="literal">CREATEDB</code> and <code class="literal">CREATEROLE</code> to the
<code class="literal">admin</code> role. Then a session connecting as role <code class="literal">joe</code>
would not have these privileges immediately, only after doing
<code class="command">SET ROLE admin</code>.
</p><p>
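<p>
The following psql script is an added example and not part of the PostgreSQL documentation. It rebuilds the <code class="literal">joe</code>/<code class="literal">admin</code>/<code class="literal">wheel</code> hierarchy described above (with <code class="literal">CREATEDB</code> and <code class="literal">CREATEROLE</code> placed on <code class="literal">admin</code>, as the text suggests) and checks each claim from the text with <code class="function">pg_has_role</code>, <code class="function">has_table_privilege</code> and <code class="literal">pg_roles</code>: which privileges <code class="literal">joe</code> can use immediately through inheritance, which only after <code class="command">SET ROLE</code>, and that <code class="literal">wheel</code> can be reached directly without passing through <code class="literal">admin</code>. It goes beyond the text's specific case with a recursive catalog query that lists, for every login role, the roles carrying special attributes that it can reach through any chain of memberships. The table <code class="literal">audit_log</code> and the use of <code class="command">SET SESSION AUTHORIZATION joe</code> (run by a superuser, standing in for a fresh connection as <code class="literal">joe</code>) are constructed for this demonstration.
</p>

```sql
-- Added example, not from the PostgreSQL documentation. Run as a superuser in psql.
-- Roles and memberships exactly as in the text, plus the attribute grant it proposes.
CREATE ROLE joe LOGIN INHERIT;
CREATE ROLE admin NOINHERIT CREATEDB CREATEROLE;
CREATE ROLE wheel NOINHERIT;
GRANT admin TO joe;
GRANT wheel TO admin;

-- Constructed object so there is a concrete privilege to observe.
CREATE TABLE audit_log (id serial PRIMARY KEY, msg text);
GRANT SELECT ON audit_log TO admin;
GRANT INSERT ON audit_log TO wheel;

-- 'USAGE'  = privileges of the role are usable right now (INHERIT chain unbroken).
-- 'MEMBER' = the role can be reached with SET ROLE, inheritance aside.
SELECT pg_has_role('joe', 'admin', 'USAGE')  AS joe_uses_admin,          -- t
       pg_has_role('joe', 'wheel', 'USAGE')  AS joe_uses_wheel,          -- f: admin is NOINHERIT
       pg_has_role('joe', 'wheel', 'MEMBER') AS joe_can_set_role_wheel;  -- t

-- Stand-in for connecting as joe: session_user becomes joe.
SET SESSION AUTHORIZATION joe;
SELECT has_table_privilege('audit_log', 'SELECT') AS can_select,  -- t, inherited via admin
       has_table_privilege('audit_log', 'INSERT') AS can_insert;  -- f, wheel is behind NOINHERIT

-- SET ROLE to an indirect membership works directly (no need to become admin first).
SET ROLE wheel;
SELECT session_user, current_user;                                -- joe | wheel
SELECT has_table_privilege('audit_log', 'INSERT') AS can_insert;  -- t, now acting as wheel
RESET ROLE;

-- Role attributes are never inherited: joe only gains CREATEDB/CREATEROLE after SET ROLE admin.
SELECT rolcreatedb, rolcreaterole FROM pg_roles WHERE rolname = current_user;  -- f | f (as joe)
SET ROLE admin;
SELECT rolcreatedb, rolcreaterole FROM pg_roles WHERE rolname = current_user;  -- t | t (as admin)
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Audit query: every login role and each role with a special attribute it can reach
-- through any chain of memberships, i.e. what it can become with SET ROLE regardless
-- of INHERIT. The recursion terminates because circular membership is rejected.
WITH RECURSIVE reach AS (
    SELECT member AS login, roleid AS reached, 1 AS depth
      FROM pg_auth_members
    UNION
    SELECT r.login, m.roleid, r.depth + 1
      FROM reach r
      JOIN pg_auth_members m ON m.member = r.reached
)
SELECT l.rolname AS login_role,
       t.rolname AS can_become,
       t.rolsuper, t.rolcreaterole, t.rolcreatedb,
       r.depth
  FROM reach r
  JOIN pg_roles l ON l.oid = r.login
  JOIN pg_roles t ON t.oid = r.reached
 WHERE l.rolcanlogin
   AND (t.rolsuper OR t.rolcreaterole OR t.rolcreatedb)
 ORDER BY login_role, depth;
```

<p>
The expected results are written as comments beside each query. The final query is the check an access reviewer wants after reading this section: because <code class="command">SET ROLE</code> follows indirect memberships and ignores <code class="literal">NOINHERIT</code>, a <code class="literal">NOINHERIT</code> intermediary hides privileges from a session's default state but does not stop a login role from assuming a role with <code class="literal">SUPERUSER</code> or <code class="literal">CREATEROLE</code>; the membership graph, not the inheritance flag, is what bounds a login's reachable authority.
</p>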
</p><p>
To destroy a group role, use <a class="xref" href="sql-droprole.html" title="DROP ROLE"><span class="refentrytitle">DROP ROLE</span></a>:
</p><pre class="synopsis">
DROP ROLE <em class="replaceable"><code>name</code></em>;
</pre><p>
Any memberships in the group role are automatically revoked (but the
member roles are not otherwise affected).
</p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="role-attributes.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="user-manag.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="role-removal.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.2. Role Attributes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 21.4. Dropping Roles</td></tr></table></div></body></html>