Zwettler Markus (OIZ) wrote on 20.03.2019 at 11:10:
> CREATEROLE allows users to create new roles also having the CREATEDB 
> privilege (at least in version 9.6).
> 
> We want special users to be able to CREATEROLE without being able to CREATEDB 
> (e.g. when user management is done by the application itself).
> 
> Please prevent users with CREATEROLE from creating roles having CREATEDB 
> (analogous to SUPERUSER and REPLICATION).

I agree that would be a welcome enhancement. 

As a workaround, you can create a function owned by a superuser (or any other 
user with the "createrole" privilege) using "security definer" that provides a 
simple "create user" capability and makes sure that the created user does not 
have the createdb privilege. 

The user/role that should be able to create new roles doesn't need the 
createrole privilege at all then. 
All it needs is the execute privilege on the function.

Thomas
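
A sketch of the workaround described in the reply above, added here as an example and not part of the original message. The names create_app_user and user_admin are hypothetical, and the role-name pattern is an assumed policy.

```sql
-- Run as a superuser (or a role with CREATEROLE); that role owns the function.
-- create_app_user and user_admin are hypothetical names for this example.
BEGIN;

-- The delegated account: it has neither CREATEROLE nor CREATEDB itself.
CREATE ROLE user_admin LOGIN NOSUPERUSER NOCREATEROLE NOCREATEDB;

CREATE FUNCTION create_app_user(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so the caller cannot shadow anything the function resolves.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Assumed naming policy: lowercase identifier, at most 63 characters.
    IF p_name IS NULL OR p_name !~ '^[a-z_][a-z0-9_]{0,62}$' THEN
        RAISE EXCEPTION 'invalid role name';
    END IF;
    IF p_password IS NULL OR length(p_password) = 0 THEN
        RAISE EXCEPTION 'password required';
    END IF;

    -- %I quotes the identifier and %L quotes the literal, so neither argument
    -- can inject extra role attributes such as CREATEDB into the statement.
    EXECUTE format(
        'CREATE ROLE %I LOGIN PASSWORD %L '
        'NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION',
        p_name, p_password);
END;
$$;

-- Functions are executable by PUBLIC by default; revoke that in the same
-- transaction so the function is never exposed, then grant it narrowly.
REVOKE ALL ON FUNCTION create_app_user(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION create_app_user(text, text) TO user_admin;

COMMIT;

-- Called by user_admin (constructed sample values):
--   SELECT create_app_user('alice', 'constructed-sample-password');

-- Review the attributes of the roles involved:
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolreplication
FROM pg_roles
WHERE rolname IN ('user_admin', 'alice');
```

The password is passed as a plain function argument, so it can end up in the server log depending on the statement logging settings.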


