Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)

> On Oct 29, 2021, at 4:46 PM, Jeff Davis <pgsql(at)j-davis(dot)com> wrote:
>
> But I don't think the concept of role ownership has zero potential
> confusion, either. For instance, I could certainly imagine a user A
> creating a role B (and therefore owning it), and then doing "GRANT A TO
> B". Is there a reason to do that, or is the user confused about what
> membership versus ownership mean?

In general, I think that would be the result of the user being confused. But it is hard to say that definitively, because perhaps users A and C want to create a single user B with the union of both their roles, and have agreed to perform:

user_a% CREATE ROLE B;
user_a% GRANT A TO B;
user_c% GRANT C TO B;

The easiest way of thinking about role ownership is that a role's owner is superuser in so far as that role is concerned. It can drop them, modify them, take their objects away from them, assign other objects to them, etc. Anything a superuser could do to impoverish them, their owner can do to impoverish them. The difference is that an actual superuser can enrich them with anything the superuser likes, whereas their owner can only enrich them with objects and privileges that the owner itself has rights to assign.

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company