Hi,
On Fri, Jan 14, 2022 at 09:01:12AM +0000, Zwettler Markus (OIZ) wrote:
>
> We have the need to separate user (role) management from infrastructure (database) management.
>
> Granting CREATEROLE to any role also allows this role to create other roles having CREATEDB privileges and therefore also getting CREATEDB privileges.
>
> My use case would have been to grant CREATEROLE to any role while still restricting "create database".

I see, that's indeed a problem. You could probably enforce that using some
custom module to enforce additional rules on top of CREATE ROLE processing, but
it would have to be written in C.