From d09293d321a614095cd1fa3fb949b18190c0130d Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc" <kop@karlpinc.com>
Date: Mon, 25 Sep 2023 17:18:58 -0500
Subject: [PATCH v6 08/15] Explain the difference between role attributes and
 role privileges

All of the information presented here is present elsewhere in the
documentation, but scattered about.  It is useful to have a summary;
one place where the interactions between INHERIT, the other role
attributes, and granting of privileges with roles is explained.
Otherwise, it is hard to synthesize this out of bits and pieces
mentioned elsewhere.
---
 doc/src/sgml/user-manag.sgml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 492325e8a2..4a26ede8fb 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -12,9 +12,37 @@
   They can assign privileges on the owned objects, and thus the permissions
   the privileges carry, to other roles.
   Roles therefore control who has what access to which objects.
+ </para>
+
+ <indexterm>
+   <primary>role</primary>
+   <secondary>inheriting permissions</secondary>
+ </indexterm>
+
+ <indexterm>
+   <primary>role</primary>
+   <secondary>attributes</secondary>
+ </indexterm>
+
+ <indexterm>
+   <primary>role</primary>
+   <secondary>current role</secondary>
+ </indexterm>
+
+ <para>
   It is possible to grant <firstterm>membership</firstterm> in a role to
   another role, thus allowing the member role to use the privileges assigned
   to another role.
+  This acquisition of privilege can happen automatically, if the role given
+  membership has the <literal>INHERIT</literal> attribute, or manually, via
+  a <literal>SET ROLE</literal> to the granted role.
+  But it is important to distinguish between privileges, which are assigned
+  with <literal>GRANT</literal>, and role attributes,
+  like <literal>INHERIT</literal>, <literal>SUPERUSER</literal>, and
+  <literal>CREATEDB</literal>, which are assigned with <literal>CREATE
+  ROLE</literal> or <literal>ALTER ROLE</literal>.
+  Privileges may be inherited, role attributes cannot and are only effective
+  when <literal>SET ROLE</literal> changes the current role.
  </para>
 
  <para>
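Review bot: The last added sentence ("Privileges may be inherited, role attributes cannot and are only effective when SET ROLE changes the current role.") does not say whose attributes it means, so it can be read as saying that a role's own attributes, such as CREATEDB, have no effect until it issues SET ROLE. Suggest splitting the comma splice and naming the subject, for example: "Privileges may be inherited; role attributes cannot. The attributes of a role in which membership has been granted take effect only after a SET ROLE to that role." The same paragraph introduces INHERIT as the switch for automatic acquisition and then lists it as an example attribute two sentences later; a short clause tying those two mentions together would help. The "current role" indexterm would also sit better beside this sentence, which is the only place the added text uses the term.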
-- 
2.30.2

