On Fri, Jun 24, 2022 at 1:19 PM Robert Haas <robertmh...@gmail.com> wrote:
> On Mon, Jun 6, 2022 at 7:41 PM Stephen Frost <sfr...@snowman.net> wrote: > > > > In terms of how that's then used, yeah, it's during REVOKE because a > > REVOKE is only able to 'find' role authorization descriptors which match > > the triple of role revoked, grantee, grantor (though there's a caveat in > > that the 'grantor' role could be the current role, or the current user). > > What is supposed to happen if someone tries to execute DROP ROLE on a > role that has previously been used as a grantor? > > Upthread, I proposed that "drop role baz" should fail here > I concur with this. I think that the grantor owns the grant, and that REASSIGNED OWNED should be able to move those grants to someone else. By extension, DROP OWNED should remove them. David J.
