GRANT role_name TO role_name ON database_name - Mailing list pgsql-hackers

From Clark C. Evans
Subject GRANT role_name TO role_name ON database_name
Date
Msg-id 1369760451.18378.140661236720277.37967CB8@webmail.messagingengine.com
Whole thread Raw
Responses Re: GRANT role_name TO role_name ON database_name
List pgsql-hackers
I'd really love the ability to grant a *user* 
role-based privileges database by database.

For background, I have several databases running 
in a single cluster, one database per business unit.  
Each database has the same core schema with the same 
basic role permissions, but with significant 
customizations.  Even if it were technically possible 
to make them a single database, it would be unwise 
for administrative reasons.  Each user may have
access to any number of databases, but, within 
each database may be assigned to different roles.

For example, we may have an 'auditor' role which 
gives specific access to some trigger-maintained 
change history.  But, a given user may only be an 
auditor for the business units they are assigned.
That said, they may have other roles in other 
business units.  My requirements are very fluid
here and dictated by regulatory requirements.

Currently, we work around the lack of per-database
role permissions by prefixing roles with the name
of the database.  This is quite tedious though, 
it requires specialized logic to overlay creation,
backups, restores, updating and deleting databases.
It's very irritating, requires custom code and
conventions, even though it works.

About 5 years ago, I think I asked for roles to 
become database specific.  I know think that is a 
bit draconian given the cluster-wide permission
structure used by PostgreSQL.  However, perhaps
a way to make it optionally limited to a given 
database would simplify my permission tracking?

Best,

Clark



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Extent Locks
Next
From: "Joshua D. Drake"
Date:
Subject: Re: Planning incompatibilities for Postgres 10.0