diff --git a/src/backend/access/transam/xlogfuncs.c b/src/backend/access/transam/xlogfuncs.c
index 8475985..3181a79 100644
--- a/src/backend/access/transam/xlogfuncs.c
+++ b/src/backend/access/transam/xlogfuncs.c
@@ -22,7 +22,6 @@
 #include "access/xlog_internal.h"
 #include "access/xlogutils.h"
 #include "catalog/catalog.h"
-#include "catalog/pg_authid.h"
 #include "catalog/pg_type.h"
 #include "funcapi.h"
 #include "miscadmin.h"
diff --git a/src/backend/catalog/Makefile b/src/backend/catalog/Makefile
index a403c64..a6de2ff 100644
--- a/src/backend/catalog/Makefile
+++ b/src/backend/catalog/Makefile
@@ -28,7 +28,7 @@ all: $(BKIFILES) schemapg.h
 # indexing.h had better be last, and toasting.h just before it.
 
 POSTGRES_BKI_SRCS = $(addprefix $(top_srcdir)/src/include/catalog/,\
-	pg_proc.h pg_type.h pg_attribute.h pg_class.h \
+	acldefs.h pg_proc.h pg_type.h pg_attribute.h pg_class.h \
 	pg_attrdef.h pg_constraint.h pg_inherits.h pg_index.h pg_operator.h \
 	pg_opfamily.h pg_opclass.h pg_am.h pg_amop.h pg_amproc.h \
 	pg_language.h pg_largeobject_metadata.h pg_largeobject.h pg_aggregate.h \
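Review bot: `acldefs.h` is put at the head of `POSTGRES_BKI_SRCS`, but the header added later in this diff holds only typedefs and `#define`s, not a catalog declaration. That list appears to be the set of catalog headers handed to genbki.pl, and genbki.pl already finds the symbol by header name via `find_defined_symbol('acldefs.h', 'ROLE_ATTR_ALL')`, so it is worth confirming the catalog parser tolerates an input with no catalog in it. If the entry is only there so the BKI output is rebuilt when `ROLE_ATTR_ALL` changes, say so in a comment above the list, for example `# acldefs.h is not a catalog; listed so changes to ROLE_ATTR_ALL trigger a rebuild`.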
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 4663429..21d282c 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5038,18 +5038,18 @@ pg_extension_ownercheck(Oid ext_oid, Oid roleid)
  * roleid - the oid of the role to check.
  * attribute - the attribute to check.
  *
- * Note: Use this function for role attribute permission checking as it accounts
- * for superuser status.  It will always return true for roles with superuser
- * privileges unless the attribute being checked is CATUPDATE (superusers are not
- * allowed to bypass CATUPDATE permissions).
+ * Note: Use this function for role attribute permission checking as it
+ * accounts for superuser status.  It will always return true for roles with
+ * superuser privileges unless the attribute being checked is CATUPDATE
+ * (superusers are not allowed to bypass CATUPDATE permissions).
  *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!  Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
+ * Note: roles do not have owners per se; instead we use this test in places
+ * where an ownership-like permissions test is needed for a role.  Be sure to
+ * apply it to the role trying to do the operation, not the role being operated
+ * on!  Also note that this generally should not be considered enough privilege
+ * if the target role is a superuser.  (We don't handle that consideration here
+ * because we want to give a separate error message for such cases, so the
+ * caller has to deal with it.)
  */
 bool
 has_role_attribute(Oid roleid, RoleAttr attribute)
diff --git a/src/backend/catalog/genbki.pl b/src/backend/catalog/genbki.pl
index 2929b66..415ac17 100644
--- a/src/backend/catalog/genbki.pl
+++ b/src/backend/catalog/genbki.pl
@@ -91,7 +91,7 @@ my $BOOTSTRAP_SUPERUSERID =
 my $PG_CATALOG_NAMESPACE =
   find_defined_symbol('pg_namespace.h', 'PG_CATALOG_NAMESPACE');
 my $ROLE_ATTR_ALL =
-  find_defined_symbol('pg_authid.h', 'ROLE_ATTR_ALL');
+  find_defined_symbol('acldefs.h', 'ROLE_ATTR_ALL');
 
 # Read all the input header files into internal data structures
 my $catalogs = Catalog::Catalogs(@input_files);
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 5bde610..564f77a 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -73,14 +73,7 @@ CreateRole(CreateRoleStmt *stmt)
 	char	   *password = NULL;	/* user password */
 	bool		encrypt_password = Password_encryption; /* encrypt password? */
 	char		encrypted_password[MD5_PASSWD_LEN + 1];
-	bool		issuper = false;	/* Make the user a superuser? */
-	bool		inherit = true; /* Auto inherit privileges? */
-	bool		createrole = false;		/* Can this user create roles? */
-	bool		createdb = false;		/* Can the user create databases? */
-	bool		canlogin = false;		/* Can this user login? */
-	bool		isreplication = false;	/* Is this a replication role? */
-	bool		bypassrls = false;		/* Is this a row security enabled role? */
-	RoleAttr	attributes = ROLE_ATTR_NONE;	/* role attributes, initialized to none. */
+	RoleAttr	attributes;
 	int			connlimit = -1; /* maximum connections allowed */
 	List	   *addroleto = NIL;	/* roles to make this a member of */
 	List	   *rolemembers = NIL;		/* roles to be members of this role */
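Review bot: `attributes` is now declared without an initializer and only receives its starting value in the next hunk, after the block of `DefElem` declarations. This is the role's privilege mask, so I would initialise it where it is declared, `RoleAttr	attributes = ROLE_ATTR_INHERIT;	/* every role inherits by default */`, so that a later edit cannot read it before the assignment. CreateRole's body starts and ends outside the hunk.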
@@ -102,13 +95,17 @@ CreateRole(CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
-	/* The defaults can vary depending on the original statement type */
+	/*
+	 * Every role has INHERIT by default, and CANLOGIN depends on the statement
+	 * type.
+	 */
+	attributes = ROLE_ATTR_INHERIT;
 	switch (stmt->stmt_type)
 	{
 		case ROLESTMT_ROLE:
 			break;
 		case ROLESTMT_USER:
-			canlogin = true;
+			attributes |= ROLE_ATTR_CANLOGIN;
 			/* may eventually want inherit to default to false here */
 			break;
 		case ROLESTMT_GROUP:
@@ -243,21 +240,74 @@ CreateRole(CreateRoleStmt *stmt)
 	if (dpassword && dpassword->arg)
 		password = strVal(dpassword->arg);
 
-	/* Role Attributes */
+	/* Set up role attributes and check permissions to set each of them */
 	if (dissuper)
-		issuper = intVal(dissuper->arg) != 0;
+	{
+		if (intVal(dissuper->arg) != 0)
+		{
+			if (!superuser())
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be superuser to create superusers")));
+			attributes |= ROLE_ATTR_SUPERUSER;
+		}
+		else
+			attributes &= ~ROLE_ATTR_SUPERUSER;
+	}
 	if (dinherit)
-		inherit = intVal(dinherit->arg) != 0;
+	{
+		if (intVal(dinherit->arg) != 0)
+			attributes |= ROLE_ATTR_INHERIT;
+		else
+			attributes &= ~ROLE_ATTR_INHERIT;
+	}
 	if (dcreaterole)
-		createrole = intVal(dcreaterole->arg) != 0;
+	{
+		if (intVal(dcreaterole->arg) != 0)
+			attributes |= ROLE_ATTR_CREATEROLE;
+		else
+			attributes &= ~ROLE_ATTR_CREATEROLE;
+	}
 	if (dcreatedb)
-		createdb = intVal(dcreatedb->arg) != 0;
+	{
+		if (intVal(dcreatedb->arg) != 0)
+			attributes |= ROLE_ATTR_CREATEDB;
+		else
+			attributes &= ~ROLE_ATTR_CREATEDB;
+	}
 	if (dcanlogin)
-		canlogin = intVal(dcanlogin->arg) != 0;
+	{
+		if (intVal(dcanlogin->arg) != 0)
+			attributes |= ROLE_ATTR_CANLOGIN;
+		else
+			attributes &= ~ROLE_ATTR_CANLOGIN;
+	}
 	if (disreplication)
-		isreplication = intVal(disreplication->arg) != 0;
+	{
+		if (intVal(disreplication->arg) != 0)
+		{
+			if (!superuser())
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be superuser to create replication users")));
+			attributes |= ROLE_ATTR_REPLICATION;
+		}
+		else
+			attributes &= ~ROLE_ATTR_REPLICATION;
+	}
 	if (dbypassRLS)
-		bypassrls = intVal(dbypassRLS->arg) != 0;
+	{
+		if (intVal(dbypassRLS->arg) != 0)
+		{
+			if (!superuser())
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be superuser to change bypassrls attribute")));
+			attributes |= ROLE_ATTR_BYPASSRLS;
+		}
+		else
+			attributes &= ~ROLE_ATTR_BYPASSRLS;
+	}
 
 	if (dconnlimit)
 	{
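Review bot: The SUPERUSER branch sets only `ROLE_ATTR_SUPERUSER`, whereas the AlterRole hunk further down sets and clears `ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE` together, so a role created with SUPERUSER gets a different attribute mask from one promoted by ALTER ROLE. The has_role_attribute comment in aclchk.c says superusers do not bypass CATUPDATE checks, so the difference is observable unless code outside these hunks sets the bit. The removed code did the same, so this is carried over rather than introduced; if the pairing is intended, use `attributes |= ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE;` here as well. Separately, the bypassrls message says "change" although this path creates a role. CreateRole's body starts and ends outside the hunk.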
@@ -276,35 +326,11 @@ CreateRole(CreateRoleStmt *stmt)
 	if (dvalidUntil)
 		validUntil = strVal(dvalidUntil->arg);
 
-	/* Check some permissions first */
-	if (issuper)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create superusers")));
-	}
-	else if (isreplication)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				   errmsg("must be superuser to create replication users")));
-	}
-	else if (bypassrls)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to change bypassrls attribute.")));
-	}
-	else
-	{
-		if (!have_role_attribute(ROLE_ATTR_CREATEROLE))
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied to create role")));
-	}
+	/* Check permissions */
+	if (!have_role_attribute(ROLE_ATTR_CREATEROLE))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("permission denied to create role")));
 
 	if (strcmp(stmt->role, "public") == 0 ||
 		strcmp(stmt->role, "none") == 0)
@@ -351,22 +377,6 @@ CreateRole(CreateRoleStmt *stmt)
 								validUntil_datum,
 								validUntil_null);
 
-	/* Set all role attributes */
-	if (issuper)
-		attributes |= ROLE_ATTR_SUPERUSER;
-	if (inherit)
-		attributes |= ROLE_ATTR_INHERIT;
-	if (createrole)
-		attributes |= ROLE_ATTR_CREATEROLE;
-	if (createdb)
-		attributes |= ROLE_ATTR_CREATEDB;
-	if (canlogin)
-		attributes |= ROLE_ATTR_CANLOGIN;
-	if (isreplication)
-		attributes |= ROLE_ATTR_REPLICATION;
-	if (bypassrls)
-		attributes |= ROLE_ATTR_BYPASSRLS;
-
 	/*
 	 * Build a tuple to insert
 	 */
@@ -663,8 +673,8 @@ AlterRole(AlterRoleStmt *stmt)
 	roleid = HeapTupleGetOid(tuple);
 
 	/*
-	 * To mess with a superuser you gotta be superuser; else you need
-	 * createrole, or just want to change your own password
+	 * To mess with a superuser or a replication user you gotta be superuser;
+	 * else you need createrole, or just want to change your own password
 	 */
 
 	attributes = ((Form_pg_authid) GETSTRUCT(tuple))->rolattr;
@@ -751,50 +761,64 @@ AlterRole(AlterRoleStmt *stmt)
 	 */
 	if (issuper >= 0)
 	{
-		attributes = (issuper > 0) ? attributes | (ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE)
-								   : attributes & ~(ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE);
+		if (issuper > 0)
+			attributes |= ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE;
+		else
+			attributes &= ~(ROLE_ATTR_SUPERUSER | ROLE_ATTR_CATUPDATE);
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (inherit >= 0)
 	{
-		attributes = (inherit > 0) ? attributes | ROLE_ATTR_INHERIT
-								   : attributes & ~(ROLE_ATTR_INHERIT);
+		if (inherit > 0)
+			attributes |= ROLE_ATTR_INHERIT;
+		else
+			attributes &= ~ROLE_ATTR_INHERIT;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (createrole >= 0)
 	{
-		attributes = (createrole > 0) ? attributes | ROLE_ATTR_CREATEROLE
-									  : attributes & ~(ROLE_ATTR_CREATEROLE);
+		if (createrole > 0)
+			attributes |= ROLE_ATTR_CREATEROLE;
+		else
+			attributes &= ~ROLE_ATTR_CREATEROLE;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (createdb >= 0)
 	{
-		attributes = (createdb > 0) ? attributes | ROLE_ATTR_CREATEDB
-									: attributes & ~(ROLE_ATTR_CREATEDB);
+		if (createdb > 0)
+			attributes |= ROLE_ATTR_CREATEDB;
+		else
+			attributes &= ~ROLE_ATTR_CREATEDB;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (canlogin >= 0)
 	{
-		attributes = (canlogin > 0) ? attributes | ROLE_ATTR_CANLOGIN
-									: attributes & ~(ROLE_ATTR_CANLOGIN);
+		if (canlogin > 0)
+			attributes |= ROLE_ATTR_CANLOGIN;
+		else
+			attributes &= ~ROLE_ATTR_CANLOGIN;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (isreplication >= 0)
 	{
-		attributes = (isreplication > 0) ? attributes | ROLE_ATTR_REPLICATION
-										 : attributes & ~(ROLE_ATTR_REPLICATION);
+		if (isreplication > 0)
+			attributes |= ROLE_ATTR_REPLICATION;
+		else
+			attributes &= ~ROLE_ATTR_REPLICATION;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
 	if (bypassrls >= 0)
 	{
-		attributes = (bypassrls > 0) ? attributes | ROLE_ATTR_BYPASSRLS
-										 : attributes & ~(ROLE_ATTR_BYPASSRLS);
+		if (bypassrls > 0)
+			attributes |= ROLE_ATTR_BYPASSRLS;
+		else
+			attributes &= ~ROLE_ATTR_BYPASSRLS;
 		new_record_repl[Anum_pg_authid_rolattr - 1] = true;
 	}
 
diff --git a/src/backend/replication/logical/logicalfuncs.c b/src/backend/replication/logical/logicalfuncs.c
index 5f1126e..1a38f56 100644
--- a/src/backend/replication/logical/logicalfuncs.c
+++ b/src/backend/replication/logical/logicalfuncs.c
@@ -17,19 +17,13 @@
 
 #include <unistd.h>
 
+#include "access/xlog_internal.h"
+#include "catalog/pg_type.h"
 #include "fmgr.h"
 #include "funcapi.h"
+#include "mb/pg_wchar.h"
 #include "miscadmin.h"
-
-#include "access/xlog_internal.h"
-
-#include "catalog/pg_authid.h"
-#include "catalog/pg_type.h"
-
 #include "nodes/makefuncs.h"
-
-#include "mb/pg_wchar.h"
-
 #include "utils/acl.h"
 #include "utils/array.h"
 #include "utils/builtins.h"
@@ -38,11 +32,9 @@
 #include "utils/pg_lsn.h"
 #include "utils/resowner.h"
 #include "utils/lsyscache.h"
-
 #include "replication/decode.h"
 #include "replication/logical.h"
 #include "replication/logicalfuncs.h"
-
 #include "storage/fd.h"
 
 /* private date for writing out data */
diff --git a/src/backend/replication/slotfuncs.c b/src/backend/replication/slotfuncs.c
index bc6a23a..c113a0b 100644
--- a/src/backend/replication/slotfuncs.c
+++ b/src/backend/replication/slotfuncs.c
@@ -17,7 +17,6 @@
 #include "miscadmin.h"
 
 #include "access/htup_details.h"
-#include "catalog/pg_authid.h"
 #include "replication/slot.h"
 #include "replication/logical.h"
 #include "replication/logicalfuncs.h"
diff --git a/src/backend/rewrite/rowsecurity.c b/src/backend/rewrite/rowsecurity.c
index 58633cc..f41ad34 100644
--- a/src/backend/rewrite/rowsecurity.c
+++ b/src/backend/rewrite/rowsecurity.c
@@ -36,7 +36,6 @@
 #include "access/heapam.h"
 #include "access/htup_details.h"
 #include "access/sysattr.h"
-#include "catalog/pg_authid.h"
 #include "catalog/pg_class.h"
 #include "catalog/pg_inherits_fn.h"
 #include "catalog/pg_policy.h"
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 93017b2..4c03955 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4723,9 +4723,7 @@ pg_all_role_attributes(PG_FUNCTION_ARGS)
 	int				i = 0;
 
 	/*
-	 * If no attributes are assigned, then there is no need to go through the
-	 * individual checks for which are assigned.  Therefore, we can short circuit
-	 * and return an empty array.
+	 * Short-circuit the case for no attributes assigned.
 	 */
 	if (attributes == ROLE_ATTR_NONE)
 		PG_RETURN_ARRAYTYPE_P(construct_empty_array(TEXTOID));
@@ -4734,21 +4732,21 @@ pg_all_role_attributes(PG_FUNCTION_ARGS)
 
 	/* Determine which attributes are assigned. */
 	if (attributes & ROLE_ATTR_SUPERUSER)
-		temp_array[i++] = CStringGetTextDatum("Superuser");
+		temp_array[i++] = CStringGetTextDatum(_("Superuser"));
 	if (attributes & ROLE_ATTR_INHERIT)
-		temp_array[i++] = CStringGetTextDatum("Inherit");
+		temp_array[i++] = CStringGetTextDatum(_("Inherit"));
 	if (attributes & ROLE_ATTR_CREATEROLE)
-		temp_array[i++] = CStringGetTextDatum("Create Role");
+		temp_array[i++] = CStringGetTextDatum(_("Create Role"));
 	if (attributes & ROLE_ATTR_CREATEDB)
-		temp_array[i++] = CStringGetTextDatum("Create DB");
+		temp_array[i++] = CStringGetTextDatum(_("Create DB"));
 	if (attributes & ROLE_ATTR_CATUPDATE)
-		temp_array[i++] = CStringGetTextDatum("Catalog Update");
+		temp_array[i++] = CStringGetTextDatum(_("Catalog Update"));
 	if (attributes & ROLE_ATTR_CANLOGIN)
-		temp_array[i++] = CStringGetTextDatum("Login");
+		temp_array[i++] = CStringGetTextDatum(_("Login"));
 	if (attributes & ROLE_ATTR_REPLICATION)
-		temp_array[i++] = CStringGetTextDatum("Replication");
+		temp_array[i++] = CStringGetTextDatum(_("Replication"));
 	if (attributes & ROLE_ATTR_BYPASSRLS)
-		temp_array[i++] = CStringGetTextDatum("Bypass RLS");
+		temp_array[i++] = CStringGetTextDatum(_("Bypass RLS"));
 
 	result = construct_array(temp_array, i, TEXTOID, -1, false, 'i');
 
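Review bot: Wrapping the attribute names in `_()` makes the elements of the returned text array depend on the server's message locale. A query or audit script that tests the result of pg_all_role_attributes for `'Superuser'` would then stop matching on a server with non-English `lc_messages`. I would keep the array values stable, `temp_array[i++] = CStringGetTextDatum("Superuser");`, and translate where the names are displayed; if the strings only need to reach the message catalog, `gettext_noop("Superuser")` marks them without changing the returned value. The function's body starts and ends outside the hunk, so the sizing of `temp_array` is not visible here.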
diff --git a/src/backend/utils/adt/ri_triggers.c b/src/backend/utils/adt/ri_triggers.c
index efbcc71..ccb1066 100644
--- a/src/backend/utils/adt/ri_triggers.c
+++ b/src/backend/utils/adt/ri_triggers.c
@@ -33,7 +33,6 @@
 #include "access/htup_details.h"
 #include "access/sysattr.h"
 #include "access/xact.h"
-#include "catalog/pg_authid.h"
 #include "catalog/pg_collation.h"
 #include "catalog/pg_constraint.h"
 #include "catalog/pg_operator.h"
@@ -44,7 +43,6 @@
 #include "parser/parse_coerce.h"
 #include "parser/parse_relation.h"
 #include "miscadmin.h"
-#include "utils/acl.h"
 #include "utils/builtins.h"
 #include "utils/fmgroids.h"
 #include "utils/guc.h"
diff --git a/src/backend/utils/misc/superuser.c b/src/backend/utils/misc/superuser.c
index 9af77ed..67d070c 100644
--- a/src/backend/utils/misc/superuser.c
+++ b/src/backend/utils/misc/superuser.c
@@ -22,7 +22,6 @@
 
 #include "access/htup_details.h"
 #include "catalog/pg_authid.h"
-#include "utils/acl.h"
 #include "utils/inval.h"
 #include "utils/syscache.h"
 #include "miscadmin.h"
diff --git a/src/include/catalog/acldefs.h b/src/include/catalog/acldefs.h
new file mode 100644
index 0000000..2dcc174
--- /dev/null
+++ b/src/include/catalog/acldefs.h
@@ -0,0 +1,72 @@
+/*-------------------------------------------------------------------------
+ *
+ * acldefs.h
+ *	  base definitions for ACLs and role attributes
+ *
+ * Portions Copyright (c) 2014, PostgreSQL Global Development Group
+ *
+ * src/include/catalog/acldefs.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef ACLDEFS_H
+#define ACLDEFS_H
+
+/*
+ * Grantable rights are encoded so that we can OR them together in a bitmask.
+ * The present representation of AclItem limits us to 16 distinct rights,
+ * even though AclMode is defined as uint32.  See utils/acl.h.
+ *
+ * Caution: changing these codes breaks stored ACLs, hence forces initdb.
+ */
+typedef uint32 AclMode;			/* a bitmask of privilege bits */
+
+#define ACL_INSERT		(1<<0)	/* for relations */
+#define ACL_SELECT		(1<<1)
+#define ACL_UPDATE		(1<<2)
+#define ACL_DELETE		(1<<3)
+#define ACL_TRUNCATE	(1<<4)
+#define ACL_REFERENCES	(1<<5)
+#define ACL_TRIGGER		(1<<6)
+#define ACL_EXECUTE		(1<<7)	/* for functions */
+#define ACL_USAGE		(1<<8)	/* for languages, namespaces, FDWs, and
+								 * servers */
+#define ACL_CREATE		(1<<9)	/* for namespaces and databases */
+#define ACL_CREATE_TEMP (1<<10) /* for databases */
+#define ACL_CONNECT		(1<<11) /* for databases */
+#define N_ACL_RIGHTS	12		/* 1 plus the last 1<<x */
+#define ACL_NO_RIGHTS	0
+/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
+#define ACL_SELECT_FOR_UPDATE	ACL_UPDATE
+
+#define ACL_ID_PUBLIC	0		/* placeholder for id in a PUBLIC acl item */
+
+
+/*
+ * Role attributes are encoded so that we can OR them together in a bitmask.
+ * The present representation of RoleAttr (defined in acl.h) limits us to 64
+ * distinct rights.
+ *
+ * Note about ROLE_ATTR_ALL: This symbol is used verbatim by genbki.pl, which
+ * means we need to hard-code its value instead of using a symbolic definition.
+ * Therefore, whenever role attributes are changed, this value MUST be updated
+ * manually.
+ */
+
+/* A bitmask for role attributes */
+typedef uint64 RoleAttr;
+
+#define ROLE_ATTR_NONE			0
+#define ROLE_ATTR_SUPERUSER		(1<<0)
+#define ROLE_ATTR_INHERIT		(1<<1)
+#define ROLE_ATTR_CREATEROLE	(1<<2)
+#define ROLE_ATTR_CREATEDB		(1<<3)
+#define ROLE_ATTR_CATUPDATE		(1<<4)
+#define ROLE_ATTR_CANLOGIN		(1<<5)
+#define ROLE_ATTR_REPLICATION	(1<<6)
+#define ROLE_ATTR_BYPASSRLS		(1<<7)
+#define N_ROLE_ATTRIBUTES		8		/* 1 plus the last 1<<x */
+#define ROLE_ATTR_ALL			255		/* (1 << N_ROLE_ATTRIBUTES) - 1 */
+
+
+#endif   /* ACLDEFS_H */
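Review bot: `RoleAttr` is `uint64` and the comment promises up to 64 attributes, but every `ROLE_ATTR_*` bit is the `int` expression `(1<<n)`, so a future bit 31 would overflow a signed int and bits 32 to 63 cannot be written this way at all. The `attributes &= ~ROLE_ATTR_X` statements in user.c also give the right mask only because the negative `int` is sign-extended to 64 bits. Defining the bits with a 64-bit constant, e.g. `#define ROLE_ATTR_SUPERUSER (UINT64CONST(1) << 0)`, makes the width explicit. The hand-maintained `ROLE_ATTR_ALL` could be guarded from a .c file with `StaticAssertStmt(ROLE_ATTR_ALL == (1 << N_ROLE_ATTRIBUTES) - 1, "ROLE_ATTR_ALL is out of date");`. The comment's "(defined in acl.h)" is also stale, since this commit moves the typedef into this header.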
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index f28d9f4..a45f38d 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -21,6 +21,7 @@
 #ifndef PG_AUTHID_H
 #define PG_AUTHID_H
 
+#include "catalog/acldefs.h"
 #include "catalog/genbki.h"
 
 /*
@@ -73,34 +74,6 @@ typedef FormData_pg_authid *Form_pg_authid;
 #define Anum_pg_authid_rolpassword		4
 #define Anum_pg_authid_rolvaliduntil	5
 
-/* ----------------
- * Role attributes are encoded so that we can OR them together in a bitmask.
- * The present representation of RoleAttr (defined in acl.h) limits us to 64
- * distinct rights.
- * ----------------
- */
-#define ROLE_ATTR_SUPERUSER		(1<<0)
-#define ROLE_ATTR_INHERIT		(1<<1)
-#define ROLE_ATTR_CREATEROLE	(1<<2)
-#define ROLE_ATTR_CREATEDB		(1<<3)
-#define ROLE_ATTR_CATUPDATE		(1<<4)
-#define ROLE_ATTR_CANLOGIN		(1<<5)
-#define ROLE_ATTR_REPLICATION	(1<<6)
-#define ROLE_ATTR_BYPASSRLS		(1<<7)
-#define N_ROLE_ATTRIBUTES		8		/* 1 plus the last 1<<x */
-#define ROLE_ATTR_NONE			0
-
-/* ----------------
- * All currently available attributes.
- *
- * Note: This value is currently used by genbki.pl.  Unfortunately, we have to
- * hard code this value as we cannot use an approach like (1 << N_ROLE_ATTRIBUTES) - 1
- * as genbki.pl simply uses the literal value associated with the #define symbol
- * which causes an incorrect substitution. Therefore, whenever new role attributes
- * are added this value MUST be changed as well.
- * ----------------
- */
-#define ROLE_ATTR_ALL          255 /* equals (1 << N_ROLE_ATTRIBUTES) - 1 */
 
 /* ----------------
  *		initial contents of pg_authid
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 458eeb0..ecb5780 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -23,8 +23,10 @@
 #include "nodes/bitmapset.h"
 #include "nodes/primnodes.h"
 #include "nodes/value.h"
+#include "catalog/acldefs.h"
 #include "utils/lockwaitpolicy.h"
 
+
 /* Possible sources of a Query */
 typedef enum QuerySource
 {
@@ -51,33 +53,6 @@ typedef enum SortByNulls
 	SORTBY_NULLS_LAST
 } SortByNulls;
 
-/*
- * Grantable rights are encoded so that we can OR them together in a bitmask.
- * The present representation of AclItem limits us to 16 distinct rights,
- * even though AclMode is defined as uint32.  See utils/acl.h.
- *
- * Caution: changing these codes breaks stored ACLs, hence forces initdb.
- */
-typedef uint32 AclMode;			/* a bitmask of privilege bits */
-
-#define ACL_INSERT		(1<<0)	/* for relations */
-#define ACL_SELECT		(1<<1)
-#define ACL_UPDATE		(1<<2)
-#define ACL_DELETE		(1<<3)
-#define ACL_TRUNCATE	(1<<4)
-#define ACL_REFERENCES	(1<<5)
-#define ACL_TRIGGER		(1<<6)
-#define ACL_EXECUTE		(1<<7)	/* for functions */
-#define ACL_USAGE		(1<<8)	/* for languages, namespaces, FDWs, and
-								 * servers */
-#define ACL_CREATE		(1<<9)	/* for namespaces and databases */
-#define ACL_CREATE_TEMP (1<<10) /* for databases */
-#define ACL_CONNECT		(1<<11) /* for databases */
-#define N_ACL_RIGHTS	12		/* 1 plus the last 1<<x */
-#define ACL_NO_RIGHTS	0
-/* Currently, SELECT ... FOR [KEY] UPDATE/SHARE requires UPDATE privileges */
-#define ACL_SELECT_FOR_UPDATE	ACL_UPDATE
-
 
 /*****************************************************************************
  *	Query Tree
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1687633..4e8d81c 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -30,13 +30,6 @@
 
 
 /*
- * typedef AclMode is declared in parsenodes.h, also the individual privilege
- * bit meanings are defined there
- */
-
-#define ACL_ID_PUBLIC	0		/* placeholder for id in a PUBLIC acl item */
-
-/*
  * AclItem
  *
  * Note: must be same size on all platforms, because the size is hardcoded
@@ -200,7 +193,6 @@ typedef enum AclObjectKind
 	MAX_ACL_KIND				/* MUST BE LAST */
 } AclObjectKind;
 
-typedef uint64 RoleAttr;		/* a bitmask for role attribute bits */
 
 /*
  * routines used internally
