* Tom Lane ([EMAIL PROTECTED]) wrote: > I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not > inherited indirectly; that is it must be granted directly to you. > This seems wrong; SQL99 has under <privileges> > > 19) B has the WITH ADMIN OPTION on a role if a role authorization > descriptor identifies the role as granted to B WITH ADMIN OPTION > or a role authorization descriptor identifies it as granted WITH > ADMIN OPTION to another applicable role for B. > > and in the Access Rules for <grant role statement> > > 1) Every role identified by <role granted> shall be contained > in the applicable roles for A and the corresponding role > authorization descriptors shall specify WITH ADMIN OPTION. > > I can't see any support in the spec for the idea that WITH ADMIN OPTION > doesn't flow through role memberships in the same way as ordinary > membership; can you quote someplace that implies this?
Hrm, no, sorry, I just interpreted the 'Access Rules' line for <grant
role statement> differently. That is to say:
1) Every role identified by <role granted> shall be contained
(Alright, all the roles which you're granting, right)
in the applicable roles for A and the corresponding role
(A must be in all the roles which are being granted)
authorization descriptors shall specify WITH ADMIN OPTION.
(the grants to A for those rules specify ADMIN OPTION)
This came across to me as meaning "there must exist an authorization
descriptor such that the granted-role equals <role granted>, the grantee
is A and WITH ADMIN OPTION is set". That could only be true if the
grant was done explicitly. Reading from 19 above (which I don't recall
seeing before, or at least not reading very carefully) I think you're
right. Either way is fine with me.
Thanks,
Stephen
signature.asc
Description: Digital signature
