>
> Hi,
>
> On Wed, Jan 12, 2022 at 11:57:45AM +0000, Zwettler Markus (OIZ) wrote:
> >
> > PG event triggers are not firing on CREATE ROLE, CREATE DATABASE,
> > CREATE TABLESPACE by definition (would be nice if they do).
> >
> > Is there any workaround to react with ddl_command_start behavior on
> > such an event?
>
> That's not possible. The limitation exists because those objects are shared objects
> and therefore could be created from any database in the cluster.
>
> What is your use case? Maybe you could rely on logging all DDL instead for
> instance.
>
We have the need to separate user (role) management from infrastructure (database) management.
Granting CREATEROLE to any role also allows this role to create other roles having CREATEDB privileges and therefore
alsogetting CREATEDB privileges.
My use case would have been to grant CREATEROLE to any role while still restricting "create database".