Re: Q: GRANT ... WITH ADMIN on PG 17
Dominique Devienne <ddevienne@gmail.com>
From: Dominique Devienne <ddevienne@gmail.com>
To: Pavel Luzanov <p.luzanov@postgrespro.ru>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>,
Karsten Hilbert <Karsten.Hilbert@gmx.net>, pgsql-general@lists.postgresql.org
Date: 2025-08-25T12:38:02Z
Lists: pgsql-general
On Mon, Aug 25, 2025 at 2:22 PM Pavel Luzanov <p.luzanov@postgrespro.ru> wrote: >> On 22.08.2025 11:40, Laurenz Albe wrote: >> Yes, that should work as follows: [...] > [...] A safer option is to use security definer function to grant membership FWIW, it's basically what I did. My primary "admin" application role lost CREATEROLE, and instead gained EXECUTE on security-definer procs from a new lower-level role (with CREATEROLE), in a new separate schema, which does all create/drop roles or grant/revoke DDLs. Which has the added benefits to enforce naming conventions for roles, to enforce grants are only between our "per-DB" roles, and made it easy to generate an audit-log for all those DDLs. So the v16 ROLE changes created a BIG MESS for us, slowing us down quite a bit, but we ended up with a much better "v2" architecture, so it was not all a loss... YMMV. So +1 to Pavel. --DD