I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not
inherited indirectly; that is it must be granted directly to you.
This seems wrong; SQL99 has under <privileges>
19) B has the WITH ADMIN OPTION on a role if a role authorization descriptor identifies the role as
grantedto B WITH ADMIN OPTION or a role authorization descriptor identifies it as granted WITH
ADMINOPTION to another applicable role for B.
and in the Access Rules for <grant role statement>
1) Every role identified by <role granted> shall be contained in the applicable roles for A and the
correspondingrole authorization descriptors shall specify WITH ADMIN OPTION.
I can't see any support in the spec for the idea that WITH ADMIN OPTION
doesn't flow through role memberships in the same way as ordinary
membership; can you quote someplace that implies this?
regards, tom lane