Thomas Kellerer <spam_eater@xxxxxxx> writes: > Zwettler Markus (OIZ) schrieb am 20.03.2019 um 11:10: >> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION). > I agree that would be a welcome enhancement. No, it wouldn't. The point of CREATEROLE is to allow user creation and deletion to be done by a role that's less than full superuser. If we changed it like that, then you'd be right back at needing superuser for very routine role creations. That's *not* an improvement, even if it somehow fit better into the OP's desired security model (which he hasn't explained). regards, tom lane
