From b4794bfb541f1eb4507d45abbfae8ad00ebae1ce Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Fri, 16 Aug 2002 04:47:43 +0000 Subject: [PATCH] This patch improves the "Database Users and Permissions" section of the Administrator's Guide. This section needs a lot more work, but this is a start anyway... Neil Conway --- doc/src/sgml/user-manag.sgml | 84 ++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 37 deletions(-) diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 2103122cfe..27a6512174 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -1,10 +1,14 @@ - + + + Database Users and Permissions Managing database users and their privileges is in concept similar - to managing users of a Unix operating system, but the details are not - identical. + to managing the users of a Unix operating system, but the details + are not identical. @@ -27,8 +31,8 @@ CREATE USER name - For convenience, the shell scripts createuser - and dropuser are provided as wrappers around these SQL + For convenience, the shell scripts createuser + and dropuser are provided as wrappers around these SQL commands. 
@@ -36,18 +40,18 @@ CREATE USER name In order to bootstrap the database system, a freshly initialized system always contains one predefined user. This user will have the fixed id 1, and by default (unless altered when running - initdb) it will have the same name as the - operating system user that initialized the area (and is presumably - being used as the user that runs the server). Customarily, this user - will be named postgres. In order to create more - users you first have to connect as this initial user. + initdb) it will have the same name as + the operating system user that initialized the database + cluster. Customarily, this user will be named + postgres. In order to create more users + you first have to connect as this initial user. The user name to use for a particular database connection is indicated by the client that is initiating the connection request in an application-specific fashion. For example, the - psql program uses the + psql program uses the command line option to indicate the user to connect as. The set of database users a given client connection may connect as is determined by the client authentication setup, as explained in @@ -71,7 +75,7 @@ CREATE USER name A database superuser bypasses all permission checks. Also, only a superuser can create new users. To create a database - superuser, use CREATE USER name + superuser, use CREATE USER name CREATEUSER. @@ -83,8 +87,8 @@ CREATE USER name A user must be explicitly given permission to create databases (except for superusers, since those bypass all permission - checks). To create such a user, use CREATE USER name - CREATEDB. + checks). To create such a user, use CREATE USER + name CREATEDB. 
@@ -93,11 +97,14 @@ CREATE USER name password - A password is only significant if password authentication is - used for client authentication. Database passwords are separate - from operating system passwords. Specify a password upon - user creation with CREATE USER name PASSWORD - 'string'. + A password is only significant if the client authentication + method requires the user to supply a password when connecting + to the database. At present, the 
@@ -134,26 +141,29 @@ ALTER GROUP name DROP USER uname1 When a database object is created, it is assigned an owner. The - owner is the user that executed the creation statement. There is - currently no polished interface for changing the owner of a database - object (except for tables, for which ALTER TABLE can do it). - By default, only an owner (or a superuser) can do anything - with the object. In order to allow other users to use it, - privileges must be granted. + owner is the user that executed the creation statement. To change + the owner of a table, index, sequence, or view, use the + ALTER TABLE command. By default, only an owner + (or a superuser) can do anything with the object. In order to allow + other users to use it, privileges must be + granted. - There are several different privileges: SELECT - (read), INSERT (append), UPDATE - (write), DELETE, RULE, - REFERENCES (foreign key), and - TRIGGER. (See the GRANT manual - page for more detailed information.) The right to modify or destroy - an object is always the privilege of the owner only. To assign - privileges, the GRANT command is used. So, if - joe is an existing user, and - accounts is an existing table, write access can be - granted with + There are several different privileges: SELECT, + INSERT, UPDATE, DELETE, + RULE, REFERENCES, TRIGGER, + CREATE, TEMPORARY, EXECUTE, + USAGE, and ALL PRIVILEGES. For more + information on the different types of privileges support by + PostgreSQL, refer to the + GRANT reference manual. The right to modify or + destroy an object is always the privilege of the owner only. To + assign privileges, the GRANT command is + used. So, if joe is an existing user, and + accounts is an existing table, the privilege to + update the table can be granted with + GRANT UPDATE ON accounts TO joe; @@ -210,4 +220,4 @@ REVOKE ALL ON accounts FROM PUBLIC; - + -- 2.40.0
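Review bot: In the hunk at @@ -36,18 +40,18 @@, the bootstrap paragraph still does not say what rights the predefined user has. The reader has to combine "In order to create more users you first have to connect as this initial user" with the later "only a superuser can create new users" to work out that it is a superuser. Since the section also says a superuser "bypasses all permission checks", state the status of this account directly in the paragraph that introduces it. The rewrite also drops the remark that this name is presumably the operating system user running the server; if that is intentional, a short mention in the commit message would help.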
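Review bot: In the password hunk at @@ -93,11 +97,14 @@, the removed lines carry two things that do not reappear in the added lines visible here, which break off at "At present, the": the statement "Database passwords are separate from operating system passwords" and the CREATE USER name PASSWORD 'string' syntax. Please confirm both survive in the new paragraph. The added wording about the authentication method requiring a password is clearer than the old "if password authentication is used", but it should not come at the cost of the OS-password distinction or the syntax for setting a password.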
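Review bot: In the privileges hunk at @@ -134,26 +141,29 @@, the new list puts ALL PRIVILEGES alongside SELECT, INSERT and the rest as if it were one more privilege, when it is shorthand for granting every privilege that applies to the object; suggest moving it out of the list and describing it separately. The same edit removes the short glosses (read, append, write, foreign key) and adds CREATE, TEMPORARY, EXECUTE and USAGE without saying which kinds of object they apply to, while the only example remains a table, so a sentence noting that the applicable privileges depend on the object type would keep the paragraph usable without the GRANT page open. Also a typo in the added text: "privileges support by PostgreSQL" should read "supported by".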