diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml index 57af287dc9c..8e8196f480d 100644 --- a/doc/src/sgml/ref/grant.sgml +++ b/doc/src/sgml/ref/grant.sgml @@ -1,5 +1,5 @@ @@ -293,8 +293,12 @@ GRANT role [, ...] If WITH ADMIN OPTION is specified, the member may - in turn grant membership in the role to others. Without the admin - option, the recipient cannot do that. + in turn grant membership in the role to others, and revoke membership + in the role as well. Without the admin option, ordinary users cannot do + that. However, + database superusers can grant or revoke membership in any role to anyone. + Roles having CREATEROLE privilege can grant or revoke + membership in any role that is not a superuser. diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index f42666b8198..fea93aec915 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -1,5 +1,5 @@ @@ -203,9 +203,10 @@ CREATE USER name; checks). To create such a role, use CREATE ROLE name CREATEROLE. A role with CREATEROLE privilege can alter and drop - other roles, too. However, to alter or drop a superuser role, - superuser status is required; CREATEROLE is not sufficient - for that. + other roles, too, as well as grant or revoke membership in them. + However, to create, alter, drop, or change membership of a + superuser role, superuser status is required; + CREATEROLE is not sufficient for that. @@ -234,6 +235,16 @@ CREATE USER name; endterm="sql-alterrole-title"> commands for details. + + + It is good practice to create a role that has the CREATEDB + and CREATEROLE privileges, but is not a superuser, and then + use this role for all routine management of databases and roles. This + approach avoids the dangers of operating as a superuser for tasks that + do not really require it. + + + A role can also have role-specific defaults for many of the run-time configuration settings described in
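Review bot: In the grant.sgml hunk, "ordinary users" is undefined and "grant or revoke membership in any role to anyone" mis-pairs revoke with "to". The sentence "Without the admin option, ordinary users cannot do that." reads more precisely as "Without the admin option, a member cannot grant or revoke membership in the role.", and the superuser sentence as "database superusers can grant membership in any role to anyone, or revoke it from anyone." The final sentence ("Roles having CREATEROLE privilege can grant or revoke membership in any role that is not a superuser") only covers the target role; consider adding a cross-reference to the user-manag text so the reader learns here that changing membership of a superuser role requires superuser status, rather than discovering it in a different chapter.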
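Review bot: In the user-manag.sgml hunk around "to create, alter, drop, or change membership of a superuser role, superuser status is required", the phrase "change membership of a superuser role" is ambiguous: it can be read as adding members to that role or as making that role a member of another. Since the companion grant.sgml text speaks of "membership in any role that is not a superuser", use the same wording here ("grant or revoke membership in a superuser role") so both pages describe the same restriction in the same terms.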
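Review bot: The new "good practice" paragraph overstates the benefit with "avoids the dangers of operating as a superuser". The hunk just above it says a CREATEROLE role "can alter and drop other roles, too, as well as grant or revoke membership in them", so an attacker who obtains that role can still take over every non-superuser role and, through membership, every object they own. Suggest "reduces the risk" or "limits the damage" instead of "avoids the dangers", and add a sentence that this administrative role should itself be tightly restricted (no routine application use, strong authentication), since it is the next most powerful principal after a superuser.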