Bruce Momjian <pgman@candle.pha.pa.us> writes: > Stupid question, but how do roles relate to our existing "groups"?
As committed, roles subsume both users and groups: a role that permits login (rolcanlogin) acts as a user, and a role that has members is a group. It is possible for the same role to do both things, though I'm not sure that it's good security policy to set up a role that way. The advantage over what we had is exactly that there isn't any distinction, and thus groups can do everything users can and vice versa: * groups can own objects * groups can contain other groups (we forbid loops though) Also there is a notion of "admin option" for groups, which is like "grant option" for privileges: you can designate certain members of a group as being able to grant ownership in that group to others, without having to make them superusers. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq