Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1upNJw-003vNC-Ap
	for pgsql-general@arkaria.postgresql.org; Fri, 22 Aug 2025 08:40:25 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1upNJv-0047UI-Iw
	for pgsql-general@arkaria.postgresql.org; Fri, 22 Aug 2025 08:40:24 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1upNJv-0047UA-72
	for pgsql-general@lists.postgresql.org; Fri, 22 Aug 2025 08:40:23 +0000
Received: from mail-wm1-x336.google.com ([2a00:1450:4864:20::336])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1upNJt-001F86-1D
	for pgsql-general@lists.postgresql.org;
	Fri, 22 Aug 2025 08:40:23 +0000
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-45a20c51c40so15163855e9.3
        for <pgsql-general@lists.postgresql.org>; Fri, 22 Aug 2025 01:40:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=cybertec.at; s=google; t=1755852020; x=1756456820; darn=lists.postgresql.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WEe9YN+lSERgQGJtt6L3OXkexXTp9f2agE1U9DcbxSk=;
        b=GwZDVtt8pVYXY0BHdCZBNm/5sq4MIt/N/egmgwiZTmvU177dKEhT8OdwPfY2+NBAdR
         ZnbS+Mw2fVAxaUSS8UIlmwxJX4Z70lnbslXNPRxMHs/IMSyk/wE3amCG7RtUXbpSvG7a
         GXNbadRaDaPoRevl3Z9mPx3L/Kek6I2Ti5xdzt57r/T7XJX0+uyJnOtPywXNJ5GZekg8
         2Q3rwXQaTF8xsU6AvkEv5idKCOR70wwylxrL78IBDwk11HUA1+AjfX9iKjZ+mnqdRpby
         fYiYQ2gnUDQtg/suu96uUhji9NzWtKNApATsNjBrA/Pqpxpjx14e46oTRjQWI85mtZRd
         Wj7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1755852020; x=1756456820;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=WEe9YN+lSERgQGJtt6L3OXkexXTp9f2agE1U9DcbxSk=;
        b=HIwQ+oBReABq7DfNB++A19d1VMwHNdXYBTAivS/qlu+6AWOEEMm2Ty94mNUPbgqLs8
         8gBZ3xCAMGkIDTPPTMxi0MoJIXIFGPrl1SboMUlfmgc6qyRWx3vXjcS/9egaUTlbOXR3
         E+j4aTYR3SVMo1BR03oaySL5WxkYunjg5s60eAof55uLnROalE9HxgonYm7/WlLdGdEG
         8rbeem/ZqJHrP4xBNYPxU6FwTBLMWwBlwI78nvwLNv/NU+Ma/B9yV1hz0NHNnPppcHfi
         8lIgdLVOWTdJAWPa2nVBnHwI9qGbiBtMhwkatbjtZcsbDnG7N8MyHIgCN1hi2wiRiJiT
         i67w==
X-Forwarded-Encrypted: i=1; AJvYcCUjb9c6CDX3OOKsCGleHWKYVoW2LtxS7T8MMgTOIYLQ17Gmk5PyY7Mx6rCDoNQuraPuLYW99MGNO15ObRI/@lists.postgresql.org
X-Gm-Message-State: AOJu0YzsQbuA/FpGq2KxXL3xFQczvBcg0DcenNxPPrFWdFZZ1qp1eKM5
	Ih2TRZyoFy+6iSj8IkQ4K/PWu+F5UCJkmWdlU30lvVAMs8+nHl5vyofeDMSe8gI6TnY=
X-Gm-Gg: ASbGncuhTJqnFJu8fFyUzQH3ITe1aAZU37ul3TOASkgKtMbCidvRriVD9qu5wAQTO2t
	s/tjZJAj63Ea9T3HRblEFG8X9nrXO/Svjy3oLiNLAAq23kwnXkl9fwMxGAlylMsXSGM/5nIbTJG
	zixMgkejMllCn/mwNGa+S8LFy545/XhjFOuc6KTyDtJ0kGOdMapOm5HmCEmJZ3387hqMXBdgxOK
	pPEWVWz9JTTz86T0bb2vO4EpAqcw/sAeVAuO+0Q/DDGvSsRgG0+Tr4MxKcY3/I9p/vQSgZZFZD6
	4PkF/Y53wUvQXkrkSOtTriEnexIUpmd6XCoi+A8hX85SFSIrsaeEj64NwV4pgfY9Y9WVp+UH5QM
	uhl+behsJDI8MfsypLfveuy9L7wO1kD0zOO7I5x7NuLQ+a+nw5gPgdWf+VxxroHgKr/zyyVbbKA
	==
X-Google-Smtp-Source: AGHT+IFNC/kA4gRw7BrYJfDdcFsVA71dsTANoeylqwiy0n85xli6lJDfwaEAEKbMCYS/WAhbYsl1/w==
X-Received: by 2002:a05:600c:1f0d:b0:459:e200:67e0 with SMTP id 5b1f17b1804b1-45b5179e7ffmr16730615e9.10.1755852019905;
        Fri, 22 Aug 2025 01:40:19 -0700 (PDT)
Received: from laurenz.albe-K4N0CV00F97414D ([2001:871:260:80a1:2aee:4573:b37b:fb9d])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3c5393b797csm4330915f8f.39.2025.08.22.01.40.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 22 Aug 2025 01:40:17 -0700 (PDT)
Message-ID: <03be331512b0a52423b86e70018b39b5d2966f52.camel@cybertec.at>
Subject: Re: Q: GRANT ... WITH ADMIN on PG 17
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Karsten Hilbert <Karsten.Hilbert@gmx.net>, 
	pgsql-general@lists.postgresql.org
Date: Fri, 22 Aug 2025 10:40:16 +0200
In-Reply-To: <aKc855Ez-iHiJ6ww@hermes.hilbert.loc>
References: <aKc855Ez-iHiJ6ww@hermes.hilbert.loc>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.56.2 (3.56.2-1.fc42) 
MIME-Version: 1.0
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/03be331512b0a52423b86e70018b39b5d2966f52.camel%40cybertec.at>
Precedence: bulk

On Thu, 2025-08-21 at 17:36 +0200, Karsten Hilbert wrote:
> PG 17 documentation says that using "WITH ADMIN" allows the
> role being added to another group role to grant/revoke
> membership in said group to other roles.
>=20
> Does this imply that an ADMIN role _must_ itself be a member
> of the group role it is to maintain membership of ?
>=20
> The question arises from a scenario where a DBA role would
> not need to be a member of a clinical group role but would
> be intended to maintain membership of clinical user roles
> within that group role.
>=20
> =C2=A0From a security point of view the question might be moot
> because an ADMIN role could always grant itself membership
> in the group role -- but it feels wrong for reasons of
> theoretical "correctness".
>=20
> IOW:
>=20
> - gm-dbo: user role for a DBA admin (not! superuser)
> - gm-bones: user role for a LLAP doctor
> - gm-doctors: group role for doctors, upon which are resting
> =C2=A0 access permissions for clinical data
> - gm-bones is to be a member of gm-doctors in order to access clinical da=
ta
> - gm-dbo is intended to manage membership of gm-bones in gm-doctors
> - however, gm-dbo need not itself be a member of gm-doctors
>=20
> Is that possible within the current (as of PG 17) framework ?

Yes, that should work as follows:

  test=3D# CREATE ROLE "gm-dbo" LOGIN;
  CREATE ROLE
  test=3D# CREATE ROLE "gm-bones";
  CREATE ROLE
  test=3D# CREATE ROLE "gm-doctors";
  CREATE ROLE
  test=3D# GRANT "gm-doctors" to "gm-dbo" WITH ADMIN TRUE, INHERIT FALSE, S=
ET FALSE;
  GRANT ROLE
  test=3D# SET SESSION AUTHORIZATION "gm-dbo";
  SET
  test=3D> GRANT "gm-doctors" TO "gm-bones";
  GRANT ROLE
  test=3D> SET ROLE "gm-doctors";
  ERROR:  permission denied to set role "gm-doctors"

"gm-dbo" can manage membership in "gm-doctors" (ADMIN TRUE), but does not i=
nherit
the role's privileges, nor can "gm-dbo" assume the identity of "gm-doctors"=
.

Yours,
Laurenz Albe