Is it possible to create a login user who themselves can CREATE ROLE NOLOGIN but not CREATE ROLE LOGIN? Here’s an example of the behavior I’d like to achieve.
$ psql
postgres=> CREATE USER admin WITH PASSWORD 'mypassword' CREATEROLE;
postgres=> — revoke something?
postgres=> \q
$ psql -U admin -W
postgres=> CREATE ROLE myrole;
CREATE ROLE
postgres=> CREATE USER myuser WITH PASSWORD '1234’;
ERROR: permission denied to create role
Of course, as written the final “CREATE USER” statement succeeds in reality.
Thanks,
Alex