diff schema/manage_users.sql @ 207:88d21c29cf04

Care for the fact that role attributes are not inherited

Tests are now run with login roles instead of abstract base roles. create_user has become a SECURITY DEFINER function, thus circumventing RLS policies and that a sys_admin cannot CREATE ROLEs by himself. A test has been added to showcase the intentional error in case the name of an abstract base role is used as a new username.
author Tom Gottfried <tom@intevation.de>
date Mon, 23 Jul 2018 11:29:41 +0200
parents 5dc8e734487a
children 229f385448fa
--- a/schema/manage_users.sql	Sun Jul 22 10:40:17 2018 +0200
+++ b/schema/manage_users.sql	Mon Jul 23 11:29:41 2018 +0200
@@ -20,4 +20,5 @@
         'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', username, userrole, pw);
 END;
 $$
-LANGUAGE plpgsql;
+    LANGUAGE plpgsql
+    SECURITY DEFINER;
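
Review bot: SECURITY DEFINER is added on the last line of this hunk without pinning search_path, so unqualified names in the function body are resolved through the caller's search_path while the body runs with the owner's privileges. Add a SET clause to the definition right after `SECURITY DEFINER`, for example `SET search_path = pg_catalog, pg_temp`. Since the statement in the context lines builds `CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L` from the arguments username and userrole, and PostgreSQL grants EXECUTE on new functions to PUBLIC by default, please also confirm that the file revokes EXECUTE from PUBLIC and limits which userrole values a caller may pass; neither is visible in this hunk. The %I and %L specifiers already quote the identifiers and the password literal, so no change is needed there.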