Thomas Kellerer <spam_ea...@gmx.net> writes:
> Zwettler Markus (OIZ) schrieb am 20.03.2019 um 11:10:
>> Please prevent users with CREATEROLE to create roles having CREATEDB
>> (analogous SUPERUSER and REPLICATION).
> I agree that would be a welcome enhancement.
No, it wouldn't. The point of CREATEROLE is to allow user creation
and deletion to be done by a role that's less than full superuser.
If we changed it like that, then you'd be right back at needing
superuser for very routine role creations. That's *not* an
improvement, even if it somehow fit better into the OP's desired
security model (which he hasn't explained).
regards, tom lane
