Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Stupid question, but how do roles relate to our existing "groups"?
As committed, roles subsume both users and groups: a role that permits
login (rolcanlogin) acts as a user, and a role that has members is a
group. It is possible for the same role to do both things, though I'm
not sure that it's good security policy to set up a role that way.
The advantage over what we had is exactly that there isn't any
distinction, and thus groups can do everything users can and
vice versa:* groups can own objects* groups can contain other groups (we forbid loops though)
Also there is a notion of "admin option" for groups, which is like
"grant option" for privileges: you can designate certain members of
a group as being able to grant ownership in that group to others,
without having to make them superusers.
regards, tom lane