Re: ROLE INHERIT - Mailing list pgsql-general

From Tom Lane
Subject Re: ROLE INHERIT
Date
Msg-id 5343.1171586903@sss.pgh.pa.us
In response to Re: ROLE INHERIT  ("David Legault" <legault.david@gmail.com>)
Responses Re: ROLE INHERIT  (Kenneth Downs <ken@secdat.com>)
List pgsql-general
"David Legault" <legault.david@gmail.com> writes:
> I thought it would transfer that CREATEROLE privilege too.

This is documented someplace ... ah, under CREATE ROLE:

: The INHERIT attribute governs inheritance of grantable privileges (that
: is, access privileges for database objects and role memberships). It
: does not apply to the special role attributes set by CREATE ROLE and
: ALTER ROLE. For example, being a member of a role with CREATEDB
: privilege does not immediately grant the ability to create databases,
: even if INHERIT is set; it would be necessary to become that role via
: SET ROLE before creating a database.

The main reason we did that is that SUPERUSER seemed a bit too dangerous
to be an inheritable privilege.  You could argue the other role
attribute bits either way, but for simplicity they all act the same.

            regards, tom lane
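
An added example, not part of Tom Lane's message: the behaviour the quoted documentation describes, followed by a catalog query that lists which roles can reach a SUPERUSER, CREATEROLE or CREATEDB role through SET ROLE. The role names (admin_grp, alice, tmp_a, tmp_b) are hypothetical, and the script assumes a superuser session in a scratch database on a server recent enough to support WITH RECURSIVE.

```sql
-- Hypothetical roles for illustration; run as a superuser in a scratch database.
CREATE ROLE admin_grp NOLOGIN CREATEROLE;
CREATE ROLE alice LOGIN INHERIT;
GRANT admin_grp TO alice;

SET SESSION AUTHORIZATION alice;
CREATE ROLE tmp_a;     -- rejected: CREATEROLE is a role attribute, not inherited
SET ROLE admin_grp;    -- permitted because alice is a member of admin_grp
CREATE ROLE tmp_b;     -- accepted: the session now acts as admin_grp
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Audit: every (member, role) pair, direct or nested, where the target role
-- carries a special attribute. These members do not hold the attribute
-- themselves but can obtain it with SET ROLE.
-- Note: on PostgreSQL 16 and later, a membership with set_option = false
-- does not allow SET ROLE; filter on pg_auth_members.set_option there.
WITH RECURSIVE reach(member, role_oid) AS (
    SELECT m.member, m.roleid
    FROM pg_auth_members m
  UNION
    SELECT r.member, m.roleid
    FROM reach r
    JOIN pg_auth_members m ON m.member = r.role_oid
)
SELECT u.rolname AS member,
       g.rolname AS reachable_role,
       g.rolsuper,
       g.rolcreaterole,
       g.rolcreatedb
FROM reach
JOIN pg_roles u ON u.oid = reach.member
JOIN pg_roles g ON g.oid = reach.role_oid
WHERE g.rolsuper OR g.rolcreaterole OR g.rolcreatedb
ORDER BY member, reachable_role;

-- Clean up the illustration roles.
DROP ROLE tmp_b;
DROP ROLE alice;
DROP ROLE admin_grp;
```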
