Re: Postgres Enhancement Request

Tom Lane schrieb am 20.03.2019 um 14:59:
>>> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).
> 
>> I agree that would be a welcome enhancement. 
> 
> No, it wouldn't.  The point of CREATEROLE is to allow user creation
> and deletion to be done by a role that's less than full superuser.
> If we changed it like that, then you'd be right back at needing
> superuser for very routine role creations.  That's *not* an
> improvement, even if it somehow fit better into the OP's desired
> security model (which he hasn't explained).

I didn't take this to be a request to remove the createdb privilege in general, but a request to have finer grained
controlwhat kind of privileges the role with createrole can grant to newly created roles (or what it can do in
general).

Maybe if "createrole" was a regular privilege (like "create table"), then something like this would be possible:

    create role user_admin;
    grant create role to user_admin;

Thomas