Re: Additional role attributes && superuser review
From | Stephen Frost |
---|---|
Subject | Re: Additional role attributes && superuser review |
Date | |
Msg-id | 20150119152652.GH3062@tamriel.snowman.net |
In reply to | Re: Additional role attributes && superuser review (Simon Riggs <simon@2ndQuadrant.com>) |
List | pgsql-hackers |
* Simon Riggs (simon@2ndQuadrant.com) wrote:
> On 3 November 2014 at 17:08, Stephen Frost <sfrost@snowman.net> wrote:
> > role attributes don't act like
> > GRANTs anyway (there's no ADMIN option and they aren't inherited).
>
> I'm happy with us *not* doing this using GRANTs, as long as we spend
> some love on the docs to show there is a very clear distinction
> between the two.

The distinction already exists. I agree that the documentation should be improved to clarify how GRANT'd privileges are different from role attributes (which is what our existing superuser, createrole, etc options are).

> Users get confused between privs, role attributes and SETs that apply to roles.

Agreed.

> Introducing the new word "capability" needs to also have some clarity.
> Is that the same thing as "role attribute", or is that a 4th kind of
> thang?

At present, it's exactly the same as 'role attribute' and, for my part at least, I was thinking it would remain the same. I believe the idea was to migrate the terminology from 'role attribute' to 'capability' as the latter better represents both the existing options and the new ones.

Thanks!

Stephen