> On Oct 29, 2021, at 4:46 PM, Jeff Davis <pg...@j-davis.com> wrote:
>
> But I don't think the concept of role ownership has zero potential
> confusion, either. For instance, I could certainly imagine a user A
> creating a role B (and therefore owning it), and then doing "GRANT A TO
> B". Is there a reason to do that, or is the user confused about what
> membership versus ownership mean?
In general, I think that would be the result of the user being confused. But
it is hard to say that definitively, because perhaps users A and C want to
create a single user B with the union of both their roles, and have agreed to
perform:
user_a% CREATE ROLE B;
user_a% GRANT A TO B;
user_c% GRANT C TO B;
The easiest way of thinking about role ownership is that a role's owner is
superuser in so far as that role is concerned. It can drop them, modify them,
take their objects away from them, assign other objects to them, etc. Anything
a superuser could do to impoverish them, their owner can do to impoverish them.
The difference is that an actual superuser can enrich them with anything the
superuser likes, whereas their owner can only enrich them with objects and
privileges that the owner itself has rights to assign.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
