On Thu, Jan 23, 2025 at 4:02 PM Robert Haas <robertmh...@gmail.com> wrote: > On Wed, Jan 22, 2025 at 6:08 AM Ashutosh Sharma <ashu.coe...@gmail.com> wrote: > > Thanks for sharing your thoughts and inputs. I'm also not quite clear > > about the fix. Some of the solutions/changes you've mentioned above > > seem quite complex and may not be reasonable, as you pointed out. How > > about introducing a new predefined role, perhaps something like > > pg_admin_all, which, when granted to an admin user in the system, > > would allow them to manage all non-superusers on the server? > > IMHO, this is a hack. Let's suppose the superuser creates roles A and > X with CREATEROLE. A creates B, who creates C. X creates Y, who > creates Z. Now A drops B. We want A to retain the ability to > administer C, but we do not want X to suddenly acquire the ability to > administer C. If A and C both had pg_admin_all, that's what would > happen.
Sorry, correction: if A and X both had pg_admin_all, that's what would happen. -- Robert Haas EDB: http://www.enterprisedb.com
