Date: Thu, 21 Aug 2025 17:36:07 +0200
From: Karsten Hilbert
To: pgsql-general@lists.postgresql.org
Subject: Q: GRANT ... WITH ADMIN on PG 17

Dear all,

PG 17 documentation says that using "WITH ADMIN" allows the role being added to another group role to grant/revoke membership in said group to other roles.

Does this imply that an ADMIN role _must_ itself be a member of the group role it is to maintain membership of ?

The question arises from a scenario where a DBA role would not need to be a member of a clinical group role but would be intended to maintain membership of clinical user roles within that group role.

From a security point of view the question might be moot because an ADMIN role could always grant itself membership in the group role -- but it feels wrong for reasons of theoretical "correctness".

IOW:

- gm-dbo: user role for a DBA admin (not! superuser)
- gm-bones: user role for a LLAP doctor
- gm-doctors: group role for doctors, upon which are resting access permissions for clinical data
- gm-bones is to be a member of gm-doctors in order to access clinical data
- gm-dbo is intended to manage membership of gm-bones in gm-doctors
- however, gm-dbo need not itself be a member of gm-doctors

Is that possible within the current (as of PG 17) framework ?

Thanks,
Karsten
-- 
GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
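
The scenario above written out as SQL, as an added example that is not part of the original message. Since PostgreSQL 16, GRANT accepts INHERIT and SET options alongside ADMIN, so the grant to gm-dbo can carry the admin option while switching off both privilege inheritance and SET ROLE. It assumes a scratch PostgreSQL 17 cluster and a superuser session; the table clinical_note is hypothetical.

```sql
-- Run as a superuser on a scratch cluster. Role names come from the message;
-- clinical_note is a hypothetical stand-in for the clinical data.
CREATE ROLE "gm-doctors" NOLOGIN;   -- group role carrying the data permissions
CREATE ROLE "gm-dbo"     LOGIN;     -- DBA user role, not a superuser
CREATE ROLE "gm-bones"   LOGIN;     -- doctor user role

CREATE TABLE clinical_note (id int PRIMARY KEY, body text);
GRANT SELECT ON clinical_note TO "gm-doctors";

-- gm-dbo may administer membership of gm-doctors, but neither inherits
-- its privileges nor may SET ROLE to it.
GRANT "gm-doctors" TO "gm-dbo"
    WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;

-- Act as gm-dbo and add the doctor to the group.
SET SESSION AUTHORIZATION "gm-dbo";
GRANT "gm-doctors" TO "gm-bones";
RESET SESSION AUTHORIZATION;

-- Inspect the resulting membership rows and their per-grant options.
SELECT pg_get_userbyid(roleid)  AS group_role,
       pg_get_userbyid(member)  AS member,
       pg_get_userbyid(grantor) AS grantor,
       admin_option, inherit_option, set_option
FROM   pg_auth_members
WHERE  roleid = (SELECT oid FROM pg_roles WHERE rolname = 'gm-doctors')
ORDER  BY 2;

-- Effective access: compare the DBA role with the doctor role.
SELECT r.rolname,
       pg_has_role(r.rolname, 'gm-doctors', 'MEMBER') AS is_member,
       pg_has_role(r.rolname, 'gm-doctors', 'USAGE')  AS inherits_privs,
       pg_has_role(r.rolname, 'gm-doctors', 'SET')    AS can_set_role,
       has_table_privilege(r.rolname, 'clinical_note', 'SELECT') AS can_read
FROM   pg_roles r
WHERE  r.rolname IN ('gm-dbo', 'gm-bones')
ORDER  BY 1;

-- Clean up the scratch objects.
DROP TABLE clinical_note;
DROP ROLE "gm-bones", "gm-dbo", "gm-doctors";
```

The admin option is stored on a pg_auth_members row, so gm-dbo still appears there as a member of gm-doctors; the INHERIT and SET columns are what separate administering the group from using its privileges.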