Tom Lane wrote on 20.03.2019 at 14:59:
>>> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).
>
>> I agree that would be a welcome enhancement.
>
> No, it wouldn't. The point of CREATEROLE is to allow user creation
> and deletion to be done by a role that's less than full superuser.
> If we changed it like that, then you'd be right back at needing
> superuser for very routine role creations. That's *not* an
> improvement, even if it somehow fit better into the OP's desired
> security model (which he hasn't explained).
I didn't take this to be a request to remove the createdb privilege in general, but a request to have finer-grained
control over what kind of privileges the role with createrole can grant to newly created roles (or what it can do in
general).
Maybe if "createrole" was a regular privilege (like "create table"), then something like this would be possible:
create role user_admin;
grant create role to user_admin;
Thomas