Thread: CREATEROLE Inheritance
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/15/role-membership.html Description: Regarding this paragraph: "The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute. Continuing the above example, we might choose to grant CREATEDB and CREATEROLE to the admin role. Then a session connecting as role joe would not have these privileges immediately, only after doing SET ROLE admin." I have checked this for CREATEROLE and this role attribute is definitely inheritable. I've created a new user with CREATE ROLE and no additional options. I've tried to create a role and could not. Then I made this user a member of a role that have the CREATEROLE attribute set to TRUE (with GRANT user_with_createrole TO new_user). With the same new user I could now create new roles. This has to mean inheritance works for this attribute. I am using DataGrip IDE and made sure in the output window that the program does not issue a 'SET ROLE' command before attempting to create a role. So creating a new role worked with the new user (by inheritance) without using 'SET ROLE' before.
PG Doc comments form <noreply@postgresql.org> writes: > I have checked this for CREATEROLE and this role attribute is definitely > inheritable. Does not look like that to me: regression=# create user alice createrole; CREATE ROLE regression=# create user bob; CREATE ROLE regression=# \c - alice You are now connected to database "regression" as user "alice". regression=> create user charlie; -- should succeed CREATE ROLE regression=> \c - bob You are now connected to database "regression" as user "bob". regression=> create user delta; -- should fail ERROR: permission denied to create role DETAIL: Only roles with the CREATEROLE attribute may create roles. regression=> \c - postgres You are now connected to database "regression" as user "postgres". regression=# grant alice to bob; GRANT ROLE regression=# \c - bob You are now connected to database "regression" as user "bob". regression=> create user delta; -- still fails ERROR: permission denied to create role DETAIL: Only roles with the CREATEROLE attribute may create roles. regression=> set role alice; SET regression=> create user delta; -- now it works CREATE ROLE (Those DETAIL messages are fairly new, but the behavior is the same in older branches.) The point is precisely that bob can't make use of alice's CREATEROLE bit without having done SET ROLE. It's not too clear to me what you did that led you to conclude otherwise, but going through additional layers like an IDE could well be confusing matters. regards, tom lane