Hi, I wonder if the following behavior is intentional or not:

template1=# create role r1 nocreatedb createrole;
CREATE ROLE
template1=# set role r1;
SET
template1=> create role r2 createdb;
CREATE ROLE
template1=> set role r2;
SET
template1=> create database d1;
CREATE DATABASE

So in effect, if you grant the CREATEROLE privilege, you automatically grant
CREATEDB as well... I haven't found a clear statement about that in the
documentation, but if it is intentional, the description of the CREATEROLE
privilege should contain a note about that.

One (or I at least) would have suspected that a role can only create other
roles with privileges it has been granted itself.

Joachim
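
An audit query for the situation described in the message above, added here as an example and not part of the original post: it lists roles without CREATEDB that hold CREATEROLE directly or can reach a CREATEROLE role through membership. It assumes the server behaves as in the session shown and that membership in a role permits SET ROLE to it; the output column aliases are chosen for this example.

```sql
-- Added example, not from the original post.
-- Finds every non-superuser role that lacks CREATEDB but holds CREATEROLE,
-- either directly or through a role it is a (direct or indirect) member of.
-- Assumption: on a server that behaves as in the session above, each such
-- role can create a second role with CREATEDB and switch to it.
WITH RECURSIVE reach(start_oid, via_oid) AS (
    -- every role reaches itself
    SELECT oid, oid
    FROM pg_roles
    UNION
    -- and every role it is a member of, followed transitively
    SELECT r.start_oid, m.roleid
    FROM reach r
    JOIN pg_auth_members m ON m.member = r.via_oid
)
SELECT s.rolname     AS role_name,       -- role under review
       v.rolname     AS createrole_via,  -- role that supplies CREATEROLE
       s.rolcreatedb AS has_createdb,    -- always false in this result
       s.rolcanlogin AS can_login        -- login roles deserve review first
FROM reach
JOIN pg_roles s ON s.oid = reach.start_oid
JOIN pg_roles v ON v.oid = reach.via_oid
WHERE v.rolcreaterole      -- the reached role may create roles
  AND NOT v.rolsuper       -- superusers are out of scope here
  AND NOT s.rolsuper
  AND NOT s.rolcreatedb    -- nominally not allowed to create databases
ORDER BY s.rolname, v.rolname;
```

With the roles from the session above, r1 appears in the result (reached via itself) because it has CREATEROLE but was created with NOCREATEDB.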