Re: [Extern] Re: postgres event trigger workaround
| From | Julien Rouhaud |
|---|---|
| Subject | Re: [Extern] Re: postgres event trigger workaround |
| Date | |
| Msg-id | 20220114102355.755ir3gpo6mf7y4j@jrouhaud |
| In response to | AW: [Extern] Re: postgres event trigger workaround ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>) |
| Responses | Re: [Extern] Re: postgres event trigger workaround |
| List | pgsql-general |

Hi,

On Fri, Jan 14, 2022 at 09:01:12AM +0000, Zwettler Markus (OIZ) wrote:
>
> We have the need to separate user (role) management from infrastructure (database) management.
>
> Granting CREATEROLE to any role also allows this role to create other roles having CREATEDB privileges and therefore also getting CREATEDB privileges.
>
> My use case would have been to grant CREATEROLE to any role while still restricting "create database".

I see, that's indeed a problem. You could probably enforce that using some custom module to enforce additional rules on top of CREATE ROLE processing, but it would have to be written in C.
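
An added audit query, not part of the original message or of PostgreSQL itself, for the situation discussed in this thread: it lists non-superuser roles that lack CREATEDB themselves but hold CREATEROLE directly or can reach a CREATEROLE role through role membership, so that a CREATEDB restriction on them is not effective on its own. It assumes read access to the `pg_roles` and `pg_auth_members` catalogs; the CTE name `reach` and the output column names are chosen here for illustration.

```sql
-- reach(member, roleid): "member" can act as "roleid", either because it is
-- that role or through a chain of role memberships (SET ROLE / inheritance).
WITH RECURSIVE reach(member, roleid) AS (
    -- every role can act as itself
    SELECT oid, oid
    FROM pg_roles
  UNION
    -- if member can act as R, and R is a member of P, member can act as P
    SELECT r.member, m.roleid
    FROM reach AS r
    JOIN pg_auth_members AS m ON m.member = r.roleid
)
SELECT subject.rolname              AS role_name,
       holder.rolname               AS createrole_held_by,
       (subject.oid = holder.oid)   AS held_directly,
       subject.rolcanlogin          AS can_login
FROM reach
JOIN pg_roles AS subject ON subject.oid = reach.member
JOIN pg_roles AS holder  ON holder.oid  = reach.roleid
WHERE holder.rolcreaterole          -- the reachable role has CREATEROLE
  AND NOT subject.rolcreatedb       -- the subject is meant to be kept from CREATE DATABASE
  AND NOT subject.rolsuper          -- superusers bypass attribute checks anyway
ORDER BY role_name, createrole_held_by;
```

Each returned row is a role whose missing CREATEDB attribute should not be relied on as a control while it can exercise CREATEROLE as described in the quoted message.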