| From: | PG Doc comments form <noreply(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-docs(at)lists(dot)postgresql(dot)org |
| Cc: | shen(at)oneshen(dot)com |
| Subject: | CREATEROLE Inheritance |
| Date: | 2023-07-18 13:21:35 |
| Message-ID: | 168968649532.632.17678694767510635173@wrigleys.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/15/role-membership.html
Description:
Regarding this paragraph: "The role attributes LOGIN, SUPERUSER, CREATEDB,
and CREATEROLE can be thought of as special privileges, but they are never
inherited as ordinary privileges on database objects are. You must actually
SET ROLE to a specific role having one of these attributes in order to make
use of the attribute. Continuing the above example, we might choose to grant
CREATEDB and CREATEROLE to the admin role. Then a session connecting as role
joe would not have these privileges immediately, only after doing SET ROLE
admin."
I have checked this for CREATEROLE and this role attribute is definitely
inheritable. I've created a new user with CREATE ROLE and no additional
options. I've tried to create a role and could not. Then I made this user a
member of a role that have the CREATEROLE attribute set to TRUE (with GRANT
user_with_createrole TO new_user). With the same new user I could now create
new roles. This has to mean inheritance works for this attribute.
I am using DataGrip IDE and made sure in the output window that the program
does not issue a 'SET ROLE' command before attempting to create a role. So
creating a new role worked with the new user (by inheritance) without using
'SET ROLE' before.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2023-07-18 16:00:49 | Re: Bug in documentation: https://www.postgresql.org/docs/current/spi-examples.html |
| Previous Message | PG Doc comments form | 2023-07-18 11:43:44 | IN for records |