Re: ROLE INHERIT

From: "David Legault" <legault(dot)david(at)gmail(dot)com>
To: alvherre(at)commandprompt(dot)com, pgsql-general(at)postgresql(dot)org
Subject: Re: ROLE INHERIT
Date: 2007-02-16 00:12:12
Message-ID: e0b20d410702151612h98a8f7dtd69d4d6ccadfbc5f@mail.gmail.com
Lists: pgsql-general

The docs should probably be more clear about this because you can do:

GRANT *role* [, ...] TO *username* [, ...] [ WITH ADMIN OPTION ]

GRANT on Roles

This variant of the GRANT command grants membership in a role to one or more
other roles. Membership in a role is significant because it conveys the
privileges granted to a role to each of its members.

GRANT administrator TO admin;

I thought it would transfer that CREATEROLE privilege too.

Thanks

David

On 2/15/07, Alvaro Herrera <alvherre(at)commandprompt(dot)com> wrote:
>
> David Legault escribió:
> > Hello,
> >
> > I'm a bit new to Postgre, and I'm experimenting with the roles stuff.
> >
> > I want to know why, if I create a role called "administrator" (a group
> > basically, no login):
> >
> > CREATE ROLE administrator NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
> >
> > And then create a user
> >
> > CREATE ROLE admin LOGIN PASSWORD 'password' IN ROLE administrator;
> >
> > admin doesn't have the CREATEROLE privilege himself, but because he is part
> > of a group that has it, why doesn't this fall back on him having it?
> >
> > When I try to use that admin user to create another role, it says
> > insufficient privileges.
> >
> > Am I missing something in this role stuff ?
>
> A single point, which is that while the privileges that are inherited
> are those that you can GRANT and REVOKE with the respective commands,
> CREATEROLE and the others are not inherited.
>
> Also, keep in mind that while role "admin" does not have CREATEDB
> privilege, if you grant it the CREATEROLE privilege it will easily be
> able to create a database by creating another role with CREATEDB
> privilege. So don't grant CREATEROLE to just anyone.
>
> FYI, the short name of PostgreSQL is "Postgres", not Postgre.
>
> --
> Alvaro Herrera
> http://www.CommandPrompt.com/
> PostgreSQL Replication, Consulting, Custom Development, 24x7 support
>
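
An added example, not part of the original messages: role attributes such as CREATEROLE are not inherited through membership, but a member can still use them after SET ROLE, so the audit query at the end lists every login role that can reach such an attribute. It assumes a superuser session in a scratch database; probe1, probe2 and the password are placeholders.

```sql
-- Added example. Role names follow the thread; the password and the
-- probe1/probe2 roles are placeholders. Run as a superuser in a scratch cluster.
CREATE ROLE administrator NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
CREATE ROLE admin LOGIN PASSWORD 'change-me' IN ROLE administrator;

-- Act as admin (SET SESSION AUTHORIZATION requires a superuser session).
SET SESSION AUTHORIZATION admin;
CREATE ROLE probe1;        -- fails: the CREATEROLE attribute is not inherited
SET ROLE administrator;    -- allowed, because admin is a member of administrator
CREATE ROLE probe2;        -- succeeds: the session now acts as administrator
RESET ROLE;
RESET SESSION AUTHORIZATION;
DROP ROLE probe2;

-- Audit: login roles that are direct or indirect members of a role holding
-- SUPERUSER, CREATEROLE or CREATEDB, and could therefore SET ROLE to use it.
WITH RECURSIVE reach(member, roleid) AS (
    SELECT member, roleid
    FROM pg_auth_members
  UNION
    SELECT r.member, m.roleid
    FROM reach r
    JOIN pg_auth_members m ON m.member = r.roleid
)
SELECT u.rolname AS login_role,
       g.rolname AS via_role,
       g.rolsuper,
       g.rolcreaterole,
       g.rolcreatedb
FROM reach
JOIN pg_roles u ON u.oid = reach.member
JOIN pg_roles g ON g.oid = reach.roleid
WHERE u.rolcanlogin
  AND (g.rolsuper OR g.rolcreaterole OR g.rolcreatedb)
ORDER BY login_role, via_role;
```

With the two roles from the thread in place, the audit returns one row: admin reaching CREATEROLE via administrator.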
