From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "David Legault" <legault(dot)david(at)gmail(dot)com> |
Cc: | alvherre(at)commandprompt(dot)com, pgsql-general(at)postgresql(dot)org |
Subject: | Re: ROLE INHERIT |
Date: | 2007-02-16 00:48:23 |
Message-ID: | 5343.1171586903@sss.pgh.pa.us |
Lists: | pgsql-general |
"David Legault" <legault(dot)david(at)gmail(dot)com> writes:
> I thought it would transfer that CREATEROLE privilege too.

This is documented someplace ... ah, under CREATE ROLE:
: The INHERIT attribute governs inheritance of grantable privileges (that
: is, access privileges for database objects and role memberships). It
: does not apply to the special role attributes set by CREATE ROLE and
: ALTER ROLE. For example, being a member of a role with CREATEDB
: privilege does not immediately grant the ability to create databases,
: even if INHERIT is set; it would be necessary to become that role via
: SET ROLE before creating a database.

The main reason we did that is that SUPERUSER seemed a bit too dangerous
to be an inheritable privilege. You could argue the other role
attribute bits either way, but for simplicity they all act the same.

regards, tom lane
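
The behaviour described in the message above, as an added example that is not part of the original post: a psql session showing a table privilege inherited through membership while CREATEDB is only usable after SET ROLE, followed by a catalog query for auditing which roles are members of attribute-bearing roles. The role names `db_admins` and `alice`, the table `audit_log` and the database `scratch` are constructed for illustration; run it as a superuser on a scratch cluster.

```sql
-- Added example: all object and role names below are constructed.

-- A group role carrying special role attributes, and a member with INHERIT.
CREATE ROLE db_admins NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE alice LOGIN INHERIT;
GRANT db_admins TO alice;

-- A grantable privilege (object access), which INHERIT does cover.
CREATE TABLE audit_log (id integer);
GRANT SELECT ON audit_log TO db_admins;

-- Act as alice without reconnecting.
SET SESSION AUTHORIZATION alice;

-- Inherited through membership in db_admins: the SELECT privilege applies.
SELECT count(*) FROM audit_log;

-- Role attributes are not inherited: alice herself has no CREATEDB,
-- so this statement is refused even though INHERIT is set.
CREATE DATABASE scratch;

-- Becoming the group role makes its attributes effective.
SET ROLE db_admins;
CREATE DATABASE scratch;
RESET ROLE;

RESET SESSION AUTHORIZATION;

-- Audit view: direct members of roles that hold SUPERUSER, CREATEROLE
-- or CREATEDB. These are the accounts to review, since membership is
-- what lets them SET ROLE to the attribute-bearing role.
SELECT m.rolname AS member,
       g.rolname AS member_of,
       g.rolsuper,
       g.rolcreaterole,
       g.rolcreatedb
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE g.rolsuper OR g.rolcreaterole OR g.rolcreatedb
ORDER BY g.rolname, m.rolname;

-- Clean up the constructed objects.
DROP DATABASE scratch;
DROP TABLE audit_log;
DROP ROLE alice;
DROP ROLE db_admins;
```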