Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1up9Jc-00HVqI-Ck
	for pgsql-general@arkaria.postgresql.org; Thu, 21 Aug 2025 17:43:09 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1up9Jb-000ZnQ-MG
	for pgsql-general@arkaria.postgresql.org; Thu, 21 Aug 2025 17:43:08 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1up9Ja-000ZnH-IN
	for pgsql-general@lists.postgresql.org; Thu, 21 Aug 2025 17:43:07 +0000
Received: from fout-b2-smtp.messagingengine.com ([202.12.124.145])
	by makus.postgresql.org with smtp (Exim 4.96)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1up9JY-0013Uq-18
	for pgsql-general@lists.postgresql.org;
	Thu, 21 Aug 2025 17:43:06 +0000
Received: from phl-compute-11.internal (phl-compute-11.internal [10.202.2.51])
	by mailfout.stl.internal (Postfix) with ESMTP id B15A81D00168;
	Thu, 21 Aug 2025 13:43:03 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-11.internal (MEProxy); Thu, 21 Aug 2025 13:43:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm2; t=1755798183;
	 x=1755884583; bh=MQiBcxgIMadgYhzBeKNYAhyjQ67BSBSBWnEiW/mJM7k=; b=
	sra3nzCCIdLm4x0ENpBeKHaBcbia8QSNEmfI+BYcAb7fEoMgapLLvJPfUmWeKQ8f
	NtakxALcK88De9TY9HaJf8XXaaUxXMo7PBsMQ9+q441o5eVjAx6/a72/VmqIiBrK
	4Gv3M3RfhCgsPz1ZkL7BiHuxpQmmzqMPO5GgXFzuS0Y9uQGl7zJfXD89IOQRigeX
	XaQRykNymNO3JJkKcJsKOcCyk8sW4nnWZh8ZwVlKLDBg6U6QSISnq7Or+8d+4pcT
	k9AxGQ7Z961Xg7SpIhf7dGEWc2cuTAHBJnLmB6fNuAsuj+PJ8Sv12FaSsNcEPeEo
	wSh8d7VZrKCTt4BFWMWEbQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1755798183; x=
	1755884583; bh=MQiBcxgIMadgYhzBeKNYAhyjQ67BSBSBWnEiW/mJM7k=; b=J
	rVnVpSI5lrMcDtoQGi9gK5fK6wlIZhhzjwGWiYM00dJmOuhU1MP4tF12OURQT6tg
	5HBVq9cUHDpUc5HrjgoRIdf7j25akZX3RUmK5PHeiFtsaESGCfJsfzR+uSHxUP9X
	ltYEajsK6+ozeswqcLASlMxJV8eHKMxm4k6I0OkXZMBWNSty3Qq6vjIWZ6gt4zXe
	qe57ug9TojD4IMkiX4hCco7oZQqfvWN6pvkmHm3tS6V3WDwd6nGSiT6skDbMJl3m
	B7OaLK1RdY9tjL+ucZe7JH1mhB76GebD6FmQjq6P8SqU1Ne4AssZeE9P1ob6MGbZ
	iVY7nWtVz+PmW27NU1E4A==
X-ME-Sender: <xms:p1qnaLv-iHUETfmiLk-fDuZwv378EovXpBQ6tHPx8eveznflpa5KEA>
    <xme:p1qnaPt_ElOZB6KprUhta-C1VjvMBPpMkaV3KicS21-vGYIPEo7TwBvd0cNDRJ0ip
    uyGCNJGh694AlI>
X-ME-Received: <xmr:p1qnaIODCoygjJa8oM4UiT8SVhsLzbRazBCBB4xaVFNJQ4AckVDoz0JuXkXZXTqHPU4WCA4L6cjMM_Ll9m2AONtkgJhxiw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdduiedukeeiucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnegouf
    hushhpvggtthffohhmrghinhculdegledmnecujfgurhepkfffgggfuffvvehfhfgjtgfg
    sehtkeertddtvdejnecuhfhrohhmpeetughrihgrnhcumfhlrghvvghruceorggurhhirg
    hnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomheqnecuggftrfgrthhtvghrnhephedu
    vdfhieduudffjedvleduhfeigfdvtdelkeejgfeigeeufedtveekueehvdfgnecuffhomh
    grihhnpegslhhoghhsphhothdrtghomhdpphhoshhtghhrvghsqhhlrdhorhhgnecuvehl
    uhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprggurhhirghnrd
    hklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnhgspghrtghpthhtohepfedpmhhouggv
    pehsmhhtphhouhhtpdhrtghpthhtohepugguvghvihgvnhhnvgesghhmrghilhdrtghomh
    dprhgtphhtthhopehkrghrshhtvghnrdhhihhlsggvrhhtsehgmhigrdhnvghtpdhrtghp
    thhtohepphhgshhqlhdqghgvnhgvrhgrlheslhhishhtshdrphhoshhtghhrvghsqhhlrd
    horhhg
X-ME-Proxy: <xmx:p1qnaF0sx1PI8muW6aTijhXKHRxd74XH-c4a_nzqSKwElG7DgZ-cNg>
    <xmx:p1qnaMPy9jM_y-oto8lNhbcwmyArvAVRBhEG10rGAeo3u8F1StPL1A>
    <xmx:p1qnaN2Y11E-MGlXPsaEc1jvZVcKT5W0pAzc0jkb9HbAODAlG3vxHQ>
    <xmx:p1qnaLFkDYEYdY3G0X-HeB7d8ML7nhHMTMnLQ0jJesbifViusUchXQ>
    <xmx:p1qnaJRVHiX3iAUYb9Kl-9qPsuEQMvCPKFQ4LL4GdJikvG60NmX4oT2k>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu,
 21 Aug 2025 13:43:02 -0400 (EDT)
Message-ID: <41f55cd4-9e30-404d-b360-2f1ffeee1126@aklaver.com>
Date: Thu, 21 Aug 2025 10:43:02 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Q: GRANT ... WITH ADMIN on PG 17
To: Dominique Devienne <ddevienne@gmail.com>,
 Karsten Hilbert <Karsten.Hilbert@gmx.net>
Cc: pgsql-general@lists.postgresql.org
References: <aKc855Ez-iHiJ6ww@hermes.hilbert.loc>
 <3662a9b9-3e58-4977-8bd1-e1ed0e25b2a8@aklaver.com>
 <aKdCfim8i_TNw16S@hermes.hilbert.loc>
 <CAFCRh-8O-zBaruts-9jpQXsZr5sGo46UNdW+tftoVVzBxkzxEQ@mail.gmail.com>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <CAFCRh-8O-zBaruts-9jpQXsZr5sGo46UNdW+tftoVVzBxkzxEQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/41f55cd4-9e30-404d-b360-2f1ffeee1126%40aklaver.com>
Precedence: bulk

On 8/21/25 09:29, Dominique Devienne wrote:
> On Thu, Aug 21, 2025 at 6:00 PM Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
>> Am Thu, Aug 21, 2025 at 08:46:00AM -0700 schrieb Adrian Klaver:
>>> https://rhaas.blogspot.com/2023/01/surviving-without-superuser-coming-to.html
>>
>> Thanks, I did, but did not find the answer to: Is there a
>> way for a role that can manage membership in a group role to
>> not itself be a member of that group role ?
> 
> Yes and no. Depends what you mean by MEMBER...

> Read the docs for pg_auth_members. pg_has_role(). create role.
> If you have CREATEROLE, and do a CREATE ROLE foo, you'll
> have ADMIN on foo, but not SET or INHERIT (but you can grant them to yourself).

That is a matter of choice as described here:

https://www.postgresql.org/docs/current/runtime-config-client.html

createrole_self_grant (string)

     If a user who has CREATEROLE but not SUPERUSER creates a role, and 
if this is set to a non-empty value, the newly-created role will be 
granted to the creating user with the options specified. The value must 
be set, inherit, or a comma-separated list of these. The default value 
is an empty string, which disables the feature.

     The purpose of this option is to allow a CREATEROLE user who is not 
a superuser to automatically inherit, or automatically gain the ability 
to SET ROLE to, any created users. Since a CREATEROLE user is always 
implicitly granted ADMIN OPTION on created roles, that user could always 
execute a GRANT statement that would achieve the same effect as this 
setting. However, it can be convenient for usability reasons if the 
grant happens automatically. A superuser automatically inherits the 
privileges of every role and can always SET ROLE to any role, and this 
setting can be used to produce a similar behavior for CREATEROLE users 
for users which they create.



> Also look at pg_auth_members.grantor::regrole::text and you'll see that the
> postgres SUPERUSER itself gave you that ADMIN grant. But if you grant yourself
> the role, it's a separate pg_auth_members row, and you're now the grantor.
> 
> So I didn't spend time studying your specific use case. That's your job :).
> But given my painful experience of the past year, I'd answer yes to your
> question, on logical grounds. If you see what I mean. --DD


-- 
Adrian Klaver
adrian.klaver@aklaver.com