Hi, On Fri, Jan 14, 2022 at 09:01:12AM +0000, Zwettler Markus (OIZ) wrote: > > We have the need to separate user (role) management from infrastructure (database) management. > > Granting CREATEROLE to any role also allows this role to create other roles having CREATEDB privileges and therefore also getting CREATEDB privileges. > > My use case would have been to grant CREATEROLE to any role while still restricting "create database". I see, that's indeed a problem. You could probably enforce that using some custom module to enforce additional rules on top of CREATE ROLE processing, but it would have to be written in C.
