Hi, On Fri, Jan 14, 2022 at 09:01:12AM +0000, Zwettler Markus (OIZ) wrote: > > We have the need to separate user (role) management from infrastructure > (database) management. > > Granting CREATEROLE to any role also allows this role to create other roles > having CREATEDB privileges and therefore also getting CREATEDB privileges. > > My use case would have been to grant CREATEROLE to any role while still > restricting "create database".
I see, that's indeed a problem. You could probably enforce that using some custom module to enforce additional rules on top of CREATE ROLE processing, but it would have to be written in C.
