mirror of
https://github.com/postgres/postgres.git
synced 2025-08-31 17:02:12 +03:00
Add new GUC createrole_self_grant.
Can be set to the empty string, or to either or both of "set" or "inherit". If set to a non-empty value, a non-superuser who creates a role (necessarily by relying upon the CREATEROLE privilege) will grant that role back to themselves with the specified options.

This isn't a security feature, because the grant that this feature triggers can also be performed explicitly. Instead, it's a user experience feature. A superuser would necessarily inherit the privileges of any created role and be able to access all such roles via SET ROLE; with this patch, you can configure createrole_self_grant = 'set, inherit' to provide a similar experience for a user who has CREATEROLE but not SUPERUSER.

Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com
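The behaviour the commit message describes, as an added example that is not part of the commit: a CREATEROLE user creates a role with the setting enabled, and an audit query then lists memberships that a role granted to itself. The role names `alice` and `app_owner` are constructed, and the setup assumes a superuser session on a server that includes this change.

```sql
-- Constructed role names; run from a superuser session.
CREATE ROLE alice LOGIN CREATEROLE;

-- Act as the non-superuser CREATEROLE user and enable the self-grant.
SET SESSION AUTHORIZATION alice;
SET createrole_self_grant = 'set, inherit';
CREATE ROLE app_owner;
RESET createrole_self_grant;
RESET SESSION AUTHORIZATION;

-- Audit: memberships where the member is also the grantor, i.e. a role
-- granted to itself, whether explicitly or through createrole_self_grant.
-- inherit_option = true means the member uses the role's privileges
-- implicitly; set_option = true means it can SET ROLE to it.
SELECT r.rolname AS granted_role,
       m.rolname AS member_and_grantor,
       a.inherit_option,
       a.set_option
FROM pg_auth_members AS a
JOIN pg_roles AS r ON r.oid = a.roleid
JOIN pg_roles AS m ON m.oid = a.member
WHERE a.member = a.grantor
ORDER BY m.rolname, r.rolname;
```

The audit query should include a row for `app_owner` and `alice` with both options true; reviewing such rows shows which CREATEROLE users hold the privileges of roles they created.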
@@ -555,6 +555,7 @@ PostgreSQL documentation
|
||||
<simplelist type="inline">
|
||||
<member><xref linkend="app-dropuser"/></member>
|
||||
<member><xref linkend="sql-createrole"/></member>
|
||||
<member><xref linkend="guc-createrole-self-grant"/></member>
|
||||
</simplelist>
|
||||
</refsect1>
|
||||
|
||||
|
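Review bot: the added `<member><xref linkend="guc-createrole-self-grant"/></member>` in this See Also list points at an id that is not defined anywhere in the visible hunk, so please confirm the same commit adds the matching `guc-createrole-self-grant` entry to the configuration documentation; otherwise the docs build will fail on a dangling linkend. Because the commit message says a non-empty setting lets a CREATEROLE user inherit or SET ROLE to the roles it creates, consider also mentioning that effect in the body of this reference page rather than relying on a bare See Also link, so that administrators who read only this page learn that created roles may be granted back to their creator.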