> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: Monday, August 22, 2005 3:18 PM
> To: Jim Nasby
> Cc: Bruno Wolff III; William ZHANG; pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] CREATE USER and pg_user
>
>
> "Jim C. Nasby" <jnasby@pervasive.com> writes:
> > On Fri, Aug 12, 2005 at 08:55:09AM -0500, Bruno Wolff III wrote:
> >> For more information take a look at the CREATE ROLE command in the
> >> developer docs.
>
> > ISTM that it's a bug to be able to assign permissions that you don't
> > yourself have. In this case, if you have CREATEROLE but not
> SUPERUSER,
> > then you should be able to create roles, but not ones that have
> > SUPERUSER status. If this isn't how it currently works then
> there should
> > be a big warning under CREATEROLE.
>
> Did you read the docs Bruno pointed you to?
>
> http://developer.postgresql.org/docs/postgres/sql-createrole.html
>
> regards, tom lane
Yes, but it doesn't really specify if you have to have a privilege in order to grant it, although reading one of the
notes[1]tends to indicate that you must have a role in order to grant it. Unless I'm overlooking some part of the docs?
[1]: "The INHERIT attribute governs inheritance of grantable privileges (that is, access privileges for database
objectsand role memberships). It does not apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For
example,being a member of a role with CREATEDB privilege does not immediately grant the ability to create databases,
evenif INHERIT is set; it would be necessary to become that role via SET ROLE before creating a database."
--
Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com
Pervasive Software http://pervasive.com 512-569-9461
