> On Oct 5, 2021, at 9:23 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>
>> - Disallow roles from being able to REVOKE role membership that they
>> didn't GRANT in the first place.
>
> I think that's not quite the right test. For example, if alice and bob
> are superusers and alice grants pg_monitor to doug, bob should be able
> to revoke that grant even though he is not alice.
Additionally, role "alice" might not exist anymore, which would leave the privilege irrevocable. It's helpful to think
interms of role ownership rather than role creation:
superuser
+---> alice
+---> charlie
+---> diane
+---> bob
It makes sense that alice can take ownership of diane and drop charlie, but not that bob can do so. Nor should charlie
beable to transfer ownership of diane to alice. Nor should charlie be able to drop himself.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company