diff -cr cvs/pgsql/doc/src/sgml/ref/create_role.sgml cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml
*** cvs/pgsql/doc/src/sgml/ref/create_role.sgml	2005-11-20 13:42:46.000000000 +0100
--- cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml	2005-12-09 11:52:24.000000000 +0100
***************
*** 345,350 ****
--- 345,363 ----
    </para>
  
    <para>
+    Be careful with the <literal>CREATEROLE</> privilege. There is no concept of
+    inheritance for the privileges of a <literal>CREATEROLE</>-role. That
+    means that even if a role does not have a certain privilege but is allowed
+    to create other roles, it can easily create another role with different
+    privileges than its own (except for creating roles with superuser
+    privileges). For example, if the role <quote>user</> has the
+    <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege,
+    nonetheless it can create a new role with the <literal>CREATEDB</>
+    privilege. Therefore, regard roles that have the <literal>CREATEROLE</>
+    privilege as almost-superuser-roles.
+   </para>
+ 
+   <para>
     <productname>PostgreSQL</productname> includes a program <xref
     linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has
     the same functionality as <command>CREATE ROLE</command> (in fact,