I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not inherited indirectly; that is, it must be granted directly to you. This seems wrong; SQL99 has under <privileges>

    19) B has the WITH ADMIN OPTION on a role if a role
        authorization descriptor identifies the role as granted
        to B WITH ADMIN OPTION or a role authorization descriptor
        identifies it as granted WITH ADMIN OPTION to another
        applicable role for B.

and in the Access Rules for <grant role statement>

    1) Every role identified by <role granted> shall be contained
       in the applicable roles for A and the corresponding role
       authorization descriptors shall specify WITH ADMIN OPTION.

I can't see any support in the spec for the idea that WITH ADMIN OPTION doesn't flow through role memberships in the same way as ordinary membership; can you quote someplace that implies this?

regards, tom lane
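The two readings contrasted in the message above, as an added example that is not part of the original post and is not PostgreSQL code: a small model of role authorization descriptors that evaluates the direct-only check next to the quoted rule 19. The role names, the tuple layout and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample descriptors: (role, granted_to, with_admin_option)
GRANTS = [
    ("payroll", "managers", True),   # payroll granted to managers WITH ADMIN OPTION
    ("managers", "alice", False),    # alice is an ordinary member of managers
    ("payroll", "bob", False),       # bob is a direct member without admin option
    ("audit", "payroll", True),      # audit granted to payroll WITH ADMIN OPTION
]

def applicable_roles(grants, authid):
    """Roles authid holds through membership, direct or indirect."""
    seen, queue = set(), deque([authid])
    while queue:
        member = queue.popleft()
        for role, grantee, _admin in grants:
            if grantee == member and role not in seen:
                seen.add(role)          # the seen set also stops loops
                queue.append(role)
    return seen

def has_admin_direct(grants, authid, role):
    """Direct-only reading: admin option must be granted to authid itself."""
    return any(r == role and g == authid and a for r, g, a in grants)

def has_admin_sql99(grants, authid, role):
    """Rule 19 as quoted: granted WITH ADMIN OPTION to B or to an
    applicable role for B."""
    holders = {authid} | applicable_roles(grants, authid)
    return any(r == role and g in holders and a for r, g, a in grants)

def disagreements(grants):
    """(authid, role) pairs on which the two readings give different answers."""
    roles = {r for r, _, _ in grants}
    ids = roles | {g for _, g, _ in grants}
    return sorted((i, r) for i in ids for r in roles
                  if has_admin_sql99(grants, i, r) != has_admin_direct(grants, i, r))

if __name__ == "__main__":
    for authid, role in disagreements(GRANTS):
        print(f"{authid} administers {role} only under the inherited reading")
```

Every pair the comparison reports is a role whose membership an authorization identifier may change under the inherited reading but not under the direct-only one, which is the set to review when deciding who can effectively grant a role.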