Configuration parameter

createrole_self_grant — PostgreSQL configuration parameter

Category: Client Connection Defaults. Default: an empty string, which disables the feature.

If a user who has CREATEROLE but not SUPERUSER creates a role, and if this is set to a non-empty value, the newly-created role will be granted to the creating user with the options specified.

At a glance

Property: Value
Parameter: createrole_self_grant
Category: Client Connection Defaults
Default: an empty string, which disables the feature
Value type: string
Change scope: Per-session (SET)
Available in: PostgreSQL 16, 17, 18, 19 (added in 16)

What it does

If a user who has CREATEROLE but not SUPERUSER creates a role, and if this is set to a non-empty value, the newly-created role will be granted to the creating user with the options specified. The value must be set, inherit, or a comma-separated list of these. The default value is an empty string, which disables the feature.

The purpose of this option is to allow a CREATEROLE user who is not a superuser to automatically inherit, or automatically gain the ability to SET ROLE to, any created users. Since a CREATEROLE user is always implicitly granted ADMIN OPTION on created roles, that user could always execute a GRANT statement that would achieve the same effect as this setting. However, it can be convenient for usability reasons if the grant happens automatically. A superuser automatically inherits the privileges of every role and can always SET ROLE to any role, and this setting can be used to produce a similar behavior for CREATEROLE users for users which they create.

(Description quoted from the official PostgreSQL documentation.)

How to apply a change

Can be set per session with SET, per role/database with ALTER ROLE/DATABASE ... SET, or globally in postgresql.conf.

Inspect the current value and its source with SHOW createrole_self_grant; or with SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'createrole_self_grant';
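The following is an added example, not taken from the PostgreSQL documentation or from this page's own material. It creates one role with the feature disabled and one with it enabled, compares the resulting membership rows, and lists any per-role or per-database defaults for the parameter. The role names provisioner, app_plain and app_auto are hypothetical.

```sql
-- Run as a superuser on PostgreSQL 16 or later; all role names are hypothetical.
CREATE ROLE provisioner LOGIN CREATEROLE;        -- CREATEROLE, not SUPERUSER
-- Per-role default, applied at provisioner's next login.
ALTER ROLE provisioner SET createrole_self_grant = 'set, inherit';

-- Emulate a provisioner session. SET SESSION AUTHORIZATION does not load
-- per-role defaults, so the parameter is set explicitly below.
SET SESSION AUTHORIZATION provisioner;
SET createrole_self_grant = '';                  -- feature disabled (default)
CREATE ROLE app_plain NOLOGIN;
SET createrole_self_grant = 'set, inherit';      -- feature enabled
CREATE ROLE app_auto NOLOGIN;
RESET createrole_self_grant;
RESET SESSION AUTHORIZATION;

-- Membership rows held by provisioner, with the options on each grant and
-- what they mean in practice for that role.
SELECT r.rolname AS role, g.rolname AS grantor,
       m.admin_option, m.inherit_option, m.set_option,
       pg_has_role('provisioner', r.oid, 'USAGE') AS inherits_privileges,
       pg_has_role('provisioner', r.oid, 'SET')   AS can_set_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
JOIN pg_roles g ON g.oid = m.grantor
WHERE u.rolname = 'provisioner'
ORDER BY r.rolname, g.rolname;

-- Audit: where is createrole_self_grant set as a role or database default?
SELECT coalesce(r.rolname, '(all roles)')     AS role,
       coalesce(d.datname, '(all databases)') AS database,
       cfg                                    AS setting
FROM pg_db_role_setting s
LEFT JOIN pg_roles r    ON r.oid = s.setrole
LEFT JOIN pg_database d ON d.oid = s.setdatabase
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE split_part(cfg, '=', 1) = 'createrole_self_grant';

-- Clean up: drop the created roles before the role that granted membership.
DROP ROLE app_plain, app_auto;
DROP ROLE provisioner;
```

Both created roles carry the implicit ADMIN OPTION grant; only app_auto has a second grant, made by provisioner, with the inherit and set options enabled. When reviewing what a CREATEROLE account can reach, the audit query shows which roles or databases would pick up the self-grant at login.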

Tuning guidance

This sets a session default (locale, formatting, search path or transaction behaviour) rather than a performance knob. Set it per role or database with ALTER ROLE/DATABASE ... SET so the right default follows the right workload, and prefer setting it explicitly in the application for behaviour the query results depend on.

Reference

PostgreSQL documentation — createrole_self_grant.
