> On Oct 5, 2021, at 9:23 AM, Robert Haas <robertmh...@gmail.com> wrote:
>
>> - Disallow roles from being able to REVOKE role membership that they
>> didn't GRANT in the first place.
>
> I think that's not quite the right test. For example, if alice and bob
> are superusers and alice grants pg_monitor to doug, bob should be able
> to revoke that grant even though he is not alice.
Additionally, role "alice" might not exist anymore, which would leave the
privilege irrevocable. It's helpful to think in terms of role ownership rather
than role creation:
superuser
+---> alice
+---> charlie
+---> diane
+---> bob
It makes sense that alice can take ownership of diane and drop charlie, but not
that bob can do so. Nor should charlie be able to transfer ownership of diane
to alice. Nor should charlie be able to drop himself.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
