<Michael.Dietrich@swisscom.com> writes:
> What I've done
> CREATE ROLE superrole WITH NOLOGIN SUPERUSER ..;
> CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..;
> GRANT superrole TO nosuperuser WITH ADMIN OPTION;
> REVOKE CONNECT ON DATABASE nonpublicdb FROM public ;
> psql -d postgres -U nosupuser
> postgres=# set role superrole;
> postgres=# \c nonpublicdb
> FATAL: permission denied for database " nonpublicdb "
> DETAIL: User does not have CONNECT privilege.
> I expect that the connection to the database is allowed since a role
> with superuser is used.
You're misunderstanding what psql's \c command does. In this form,
it attempts a connection with the new database name, but the same
username as the previous connection, ie nosupuser. It doesn't know
anything about SET ROLE commands you may have issued to the server
while connected.
regards, tom lane