Re: Roles inherited from a role which is the owner of a database can drop it?

Greetings,

* Ivan Voras (ivoras(at)gmail(dot)com) wrote:
> On 30 October 2017 at 22:10, David G. Johnston <david(dot)g(dot)johnston(at)gmail(dot)com>
> wrote:
> > ​Not quite following but ownership is an inheritable permission;
>
> Basically, I'm asking if "ownership" can be revoked from the set of
> inherited permissions? If there is a role G which is granted to role A, and
> G is the owner of a database, can A be made to not be able to do what only
> owners can (specifically in this case, drop databases)?

No, that's exactly what role membership means- you have the same rights
as the other role.

> > and even if it was not SET ROLE is all that would be required.​ Any owner
> > can drop an object that it owns.
>
> It's kind of the reverse: I'm wondering if ownership can be made
> un-inheritable.

No, because even if ownership wasn't inheritable the user would simply
do 'SET ROLE owner;' and then have all of the ownership rights that way.

> Just considering the case of dropping databases for now. I.e. let the
> developers do everything except that. It's a start.

I think you're assuming far too much about what being a database owner
means- I'd suggest you really think about why the developers need to be
database owners at all; in other words- what's the *other* privilege
that's currently only available to database owners that you need
developers to be able to do?

I have a hunch that it might be GRANT'ing rights on the database, but
there's only a couple such rights (eg: CONNECT) and you might be better
off managing those in another way.

Thanks!

Stephen