* Simon Riggs ([email protected]) wrote: > On 3 November 2014 at 17:08, Stephen Frost <[email protected]> wrote: > > role attributes don't act like > > GRANTs anyway (there's no ADMIN option and they aren't inheirited). > > I'm happy with us *not* doing this using GRANTs, as long as we spend > some love on the docs to show there is a very clear distinction > between the two.
The distinction already exists. I agree that the documentation should
be improved to clarify how GRANT'd privileges are different from role
attributes (which is what our existing superuser, createrole, etc
options are).
> Users get confused between privs, role attributes and SETs that apply to
> roles.
Agreed.
> Introducing the new word "capability" needs to also have some clarity.
> Is that the same thing as "role attribute", or is that a 4th kind of
> thang?
At present, it's exactly the same as 'role attribute' and, for my part
at least, I was thinking it would remain the same. I believe the idea
was to migrate the terminology from 'role attribute' to 'capability' as
the latter better represents both the existing options and the new ones.
Thanks!
Stephen
signature.asc
Description: Digital signature
