Can't give all the privileges to a user different from `admin`

[Totktonada]

There is a super role, which grants a user all the privileges that are possible to grant:

tarantool> box.schema.role.info('super')
---
- - - read,write,execute,session,usage,create,drop,alter,reference,trigger,insert,update,delete
    - universe
    -
...

(reference, trigger, insert , update, delete are no-op.)

However, a user with the super role is not allowed to do some actions that admin can do. For example, it can't grant or revoke permissions for an object that it doesn't own or for a class of objects (so called entities):

tarantool/src/box/alter.cc

Lines 4061 to 4067 in 417865a

	/* Only admin may grant privileges on an entire entity. */
	if (object == NULL && grantor->def->uid != ADMIN) {
	diag_set(AccessDeniedError, priv_name(priv_type),
	schema_object_name(priv->object_type), name,
	grantor->def->name);
	return -1;
	}

There are other direct == ADMIN checks in alter.cc. We need to look over them and find other admin-only actions if there are ones.

I propose to fill the gap between the super role and the admin user: add the needed individual privileges and attach them to the super role.

[locker]

What's the point of doing this? So as not to write box.session.su in Lua code when granting privileges? This won't be needed anyway when #11690 is fixed.

[Totktonada]

AFAIR, the request appears in the context of a work on a security model with a customer in the context of TDB. Aleksandr Klenov may know more. The key point was to split the admin user to three distinct roles like database admin, system admin or something of this kind.

Sadly, I can't find private details, because I'm not an employee of VK Tech anymore.

My personal opinion is that any difference between super and admin is confusing. However, if you like, this request can be closed by documenting things precisely.