> On Oct 29, 2021, at 4:46 PM, Jeff Davis <pgsql@j-davis.com> wrote:
>
> But I don't think the concept of role ownership has zero potential
> confusion, either. For instance, I could certainly imagine a user A
> creating a role B (and therefore owning it), and then doing "GRANT A TO
> B". Is there a reason to do that, or is the user confused about what
> membership versus ownership mean?
In general, I think that would be the result of the user being confused. But it is hard to say that definitively,
becauseperhaps users A and C want to create a single user B with the union of both their roles, and have agreed to
perform:
user_a% CREATE ROLE B;
user_a% GRANT A TO B;
user_c% GRANT C TO B;
The easiest way of thinking about role ownership is that a role's owner is superuser in so far as that role is
concerned. It can drop them, modify them, take their objects away from them, assign other objects to them, etc.
Anythinga superuser could do to impoverish them, their owner can do to impoverish them. The difference is that an
actualsuperuser can enrich them with anything the superuser likes, whereas their owner can only enrich them with
objectsand privileges that the owner itself has rights to assign.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company