On Tue, Jan 2, 2024 at 9:21 AM Dominique Devienne <ddevie...@gmail.com> wrote:
> On Tue, Jan 2, 2024 at 5:11 PM David G. Johnston <david.g.johns...@gmail.com> wrote:
>
>> On Tue, Jan 2, 2024 at 8:25 AM Dominique Devienne <ddevie...@gmail.com> wrote:
>>
>>> pg_has_role() from
>>> https://www.postgresql.org/docs/current/functions-info.html
>>> added the 'SET' privilege in v16, and on top of the existing 'MEMBER'
>>> and 'USAGE' ones:
>>
>> Membership no longer does anything by itself.
>
> OK! That's news to me, I must go back to the v16 (?) release notes and
> learn more about this.
>
>> Both inherit and set capabilities are now individually controlled
>> permissions related to membership.
>
> Hmmm, what drove this change? (I guess I'm getting back to the rationale
> from earlier).
> The previous model was not granular enough?
> And the new one is as granular as it gets?

Essentially yes. Inherit used to be a property of a role and not a specific membership which was deemed undesirable. We were fixing up the broken CREATEROLE attribute and felt these improvements were needed as well. Once inherit became optional per-membership it made sense to treat set the same way.

David J.
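
The per-membership INHERIT and SET options discussed in this thread, as an added example that is not part of the original messages: three grants of the same role that differ only in those options, compared through `pg_has_role()` and `pg_auth_members`. The `demo_*` role names are constructed, and the script assumes a superuser session on a scratch PostgreSQL 16 or later cluster.

```sql
-- Added example; role names are constructed for illustration.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE demo_owner        NOLOGIN;  -- the role being granted
CREATE ROLE demo_inherit_only NOLOGIN;
CREATE ROLE demo_set_only     NOLOGIN;
CREATE ROLE demo_neither      NOLOGIN;

-- v16 syntax: INHERIT and SET are options of each individual membership.
GRANT demo_owner TO demo_inherit_only WITH INHERIT TRUE,  SET FALSE;
GRANT demo_owner TO demo_set_only     WITH INHERIT FALSE, SET TRUE;
GRANT demo_owner TO demo_neither      WITH INHERIT FALSE, SET FALSE;

-- MEMBER: direct or indirect membership, regardless of options.
-- USAGE : privileges of demo_owner are available without SET ROLE.
-- SET   : SET ROLE demo_owner is permitted.
SELECT m.rolname                                      AS member,
       pg_has_role(m.rolname, 'demo_owner', 'MEMBER') AS is_member,
       pg_has_role(m.rolname, 'demo_owner', 'USAGE')  AS has_usage,
       pg_has_role(m.rolname, 'demo_owner', 'SET')    AS can_set
FROM   pg_roles AS m
WHERE  m.rolname IN ('demo_inherit_only', 'demo_set_only', 'demo_neither')
ORDER  BY m.rolname;

-- The same facts as stored in the catalog, useful when auditing grants.
SELECT member::regrole AS member,
       roleid::regrole AS granted_role,
       inherit_option,
       set_option,
       admin_option
FROM   pg_auth_members
WHERE  roleid = 'demo_owner'::regrole
ORDER  BY 1;

ROLLBACK;
```

All three roles report `MEMBER`, while `USAGE` follows the membership's INHERIT option and `SET` follows its SET option, so a privilege audit that tests only `MEMBER` overstates what a role can actually do.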