On Mon, 2022-09-26 at 15:40 -0400, Stephen Frost wrote:
> Predefined roles are special in that they should GRANT just the
> privileges that the role is described to GRANT and that users really
> shouldn't be able to SET ROLE to them nor should they be allowed to
> own objects, or at least that's my general feeling on them.

What about granting privileges to others? I don't think that makes sense for a predefined role, either, because then they'd own a bunch of grants, which is as awkward as owning objects.

> If an administrator doesn't wish for a user to have the privileges
> provided by the predefined role by default, they should be able to
> set that up by creating another role who has that privilege which the
> user is able to SET ROLE to.

And that other role could be used for grants, if needed, too. But I don't think we need to special-case predefined roles though. I think a lot of administrators would like to declare some roles that are just a collection of inheritable privileges.

-- 
Jeff Davis
PostgreSQL Contributor Team - AWS
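
The arrangement discussed in this message (an intermediate role that holds the predefined role's privileges, which the user reaches only through SET ROLE), sketched as an added example that is not part of the original email. The role names `monitor_wrapper` and `alice` are constructed, `pg_monitor` stands in for any predefined role, and the role-level `NOINHERIT` attribute is assumed as the way to keep the privileges off by default.

```sql
-- Run as a superuser or a role with CREATEROLE.
-- monitor_wrapper and alice are constructed names for illustration.

-- Intermediate role: cannot log in, inherits by default, so it carries
-- everything pg_monitor grants.
CREATE ROLE monitor_wrapper NOLOGIN;
GRANT pg_monitor TO monitor_wrapper;

-- The user is NOINHERIT: membership alone does not activate the
-- privileges of the roles she belongs to.
CREATE ROLE alice LOGIN NOINHERIT;
GRANT monitor_wrapper TO alice;

-- Audit the setup. 'MEMBER' asks whether alice could SET ROLE to the
-- target; 'USAGE' asks whether its privileges are active without SET ROLE.
SELECT pg_has_role('alice', 'monitor_wrapper', 'MEMBER') AS can_set_role,
       pg_has_role('alice', 'pg_monitor', 'USAGE')       AS active_by_default;

-- In alice's session: opt in to the privileges, use them, then drop them.
SET ROLE monitor_wrapper;
SELECT current_user, session_user;
SELECT pg_has_role(current_user, 'pg_monitor', 'USAGE') AS active_now;
RESET ROLE;

-- Objects created or grants issued while SET ROLE is in effect belong to
-- monitor_wrapper, not to the predefined role. List what it owns:
SELECT c.relname
FROM pg_class c
JOIN pg_roles r ON r.oid = c.relowner
WHERE r.rolname = 'monitor_wrapper';
```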