* Tom Lane ([EMAIL PROTECTED]) wrote:
> I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not
> inherited indirectly; that is it must be granted directly to you.
> This seems wrong; SQL99 has under <privileges>
>
>     19) B has the WITH ADMIN OPTION on a role if a role authorization
>         descriptor identifies the role as granted to B WITH ADMIN OPTION
>         or a role authorization descriptor identifies it as granted WITH
>         ADMIN OPTION to another applicable role for B.
>
> and in the Access Rules for <grant role statement>
>
>     1) Every role identified by <role granted> shall be contained
>        in the applicable roles for A and the corresponding role
>        authorization descriptors shall specify WITH ADMIN OPTION.
>
> I can't see any support in the spec for the idea that WITH ADMIN OPTION
> doesn't flow through role memberships in the same way as ordinary
> membership; can you quote someplace that implies this?

Hrm, no, sorry, I just interpreted the 'Access Rules' line for
<grant role statement> differently.  That is to say:

1) Every role identified by <role granted> shall be contained
   (Alright, all the roles which you're granting, right)
   in the applicable roles for A and the corresponding role
   (A must be in all the roles which are being granted)
   authorization descriptors shall specify WITH ADMIN OPTION.
   (the grants to A for those rules specify ADMIN OPTION)

This came across to me as meaning "there must exist an authorization
descriptor such that the granted-role equals <role granted>, the grantee
is A and WITH ADMIN OPTION is set".  That could only be true if the grant
was done explicitly.

Reading from 19 above (which I don't recall seeing before, or at least
not reading very carefully) I think you're right.

Either way is fine with me.

    Thanks,

        Stephen
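
Added example, not part of the original message and not PostgreSQL code: a small Python model of role authorization descriptors that evaluates both readings discussed above, the direct-grant reading and rule 19, and applies Access Rule 1 on top of them. The role names, the grant table and the function names are constructed for illustration.

```python
from collections import namedtuple

# One role authorization descriptor: `role` is granted to `grantee`,
# optionally WITH ADMIN OPTION. All names below are constructed.
Grant = namedtuple("Grant", "role grantee admin")

GRANTS = [
    Grant("payroll", "managers", True),     # managers holds payroll WITH ADMIN OPTION
    Grant("managers", "directors", False),  # directors is a member of managers
    Grant("directors", "carol", False),     # carol -> directors -> managers
    Grant("managers", "alice", False),      # alice is a plain member of managers
    Grant("payroll", "bob", False),         # bob holds payroll directly, no admin
]

def applicable_roles(grants, who):
    """Every role `who` holds directly or through a chain of memberships."""
    seen, todo = set(), [who]
    while todo:
        holder = todo.pop()
        for g in grants:
            if g.grantee == holder and g.role not in seen:
                seen.add(g.role)        # `seen` also stops repeated visits
                todo.append(g.role)
    return seen

def admin_direct(grants, who, role):
    """Direct-grant reading: a descriptor must name `who` itself as grantee."""
    return any(g.role == role and g.grantee == who and g.admin for g in grants)

def admin_rule19(grants, who, role):
    """Rule 19 reading: grantee may be `who` or any applicable role of `who`."""
    holders = applicable_roles(grants, who) | {who}
    return any(g.role == role and g.grantee in holders and g.admin for g in grants)

def may_grant(grants, who, roles, check=admin_rule19):
    """Access Rule 1: every role being granted must carry admin option for `who`."""
    return all(check(grants, who, r) for r in roles)

if __name__ == "__main__":
    # Columns: user, direct-grant reading, rule 19 reading (for role payroll)
    for user in ("alice", "bob", "carol"):
        print(user, admin_direct(GRANTS, user, "payroll"),
              admin_rule19(GRANTS, user, "payroll"))
```

The two readings differ only for users who reach the admin grant through a membership chain (alice and carol here); bob, who holds payroll directly without admin option, is refused under both.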