On Wed, Jan 25, 2023 at 07:38:51AM -0700, David G. Johnston wrote:
> On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <br...@momjian.us> wrote:
>
> > So, how would someone with CREATEROLE permission add people to their own
> > role, without superuser permission? Are we adding any security by
> > preventing this?
>
> As an encouraged design choice you wouldn't. You'd create a new group and add
> both yourself and the new role to it - then grant it the desired permissions.
>
> A CREATEROLE role should probably be a user (LOGIN) role and user roles should
> not have members.

Makes sense. I was actually using that pattern, but in running some test
scripts that didn't revert back to the superuser, I saw the errors and was
confused.

--
Bruce Momjian <br...@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Embrace your flaws. They make you human, rather than perfect,
which you will never be.
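
The group-role pattern recommended in the quoted reply, written out as an added example that is not part of the thread. It assumes PostgreSQL 16 or later role semantics; the role names `role_admin`, `report_readers`, `alice` and the table `reports` are hypothetical.

```sql
-- Added example; all role and table names are hypothetical.
-- Assumes PostgreSQL 16+ and a superuser session for the setup steps.

-- One-time setup as superuser: a non-superuser role administrator and a table.
CREATE ROLE role_admin LOGIN CREATEROLE;
CREATE TABLE reports (id int PRIMARY KEY, body text);

-- Act as the CREATEROLE user, as in the scenario discussed in the thread.
SET SESSION AUTHORIZATION role_admin;

-- Discouraged: using the login role itself as a group.
-- Assumption: this is rejected because role_admin holds no ADMIN OPTION
-- on itself, so it is left commented out.
-- GRANT role_admin TO alice;

-- Encouraged: a separate NOLOGIN group role. Its creator implicitly
-- receives ADMIN OPTION on it and can therefore manage its membership.
CREATE ROLE report_readers NOLOGIN;
CREATE ROLE alice LOGIN;

-- Add both the administrator and the new user to the group.
GRANT report_readers TO role_admin WITH INHERIT TRUE, SET TRUE;
GRANT report_readers TO alice;

-- Back to the superuser before touching objects role_admin does not own.
RESET SESSION AUTHORIZATION;

-- Privileges go to the group, never to individual login roles.
GRANT SELECT ON reports TO report_readers;

-- Audit: who is a member of the group, who granted it, and with what options.
SELECT r.rolname AS group_role,
       m.rolname AS member,
       g.rolname AS grantor,
       a.admin_option
FROM pg_auth_members a
JOIN pg_roles r ON r.oid = a.roleid
JOIN pg_roles m ON m.oid = a.member
JOIN pg_roles g ON g.oid = a.grantor
WHERE r.rolname = 'report_readers'
ORDER BY member, grantor;
```

The `RESET SESSION AUTHORIZATION` step matters in test scripts: statements that follow it run as the superuser again rather than as the CREATEROLE user.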