On 2023-09-20 17:53 -0400, Michael Corey wrote: > To make matters even more strange. I checked the permissions of > rds_superuser in 15 and 14 > > For 14 > GRANT pg_monitor, pg_signal_backend, rds_password, rds_replication TO > rds_superuser WITH ADMIN OPTION; > > For 15 > GRANT pg_checkpoint, pg_monitor, *pg_read_all_data*, pg_signal_backend, > *pg_write_all_data*, rds_password, rds_replication TO rds_superuser WITH > ADMIN OPTION; > > AWS added these permissions, but based on what they do you would think this > would allow the SELECTs in 15. Yes it would if sten_schema would inherit from rds_superuser. But it cannot inherit privileges from rds_superuser (indrect membership through object_creator) because object_creator was created with NOINHERIT. And INHERIT applies to direct memberships only. -- Erik
