Re: Postgres limitation in user management - Mailing list pgsql-general

From Ron
Subject Re: Postgres limitation in user management
Date
Msg-id 1cda5011-4de0-4a85-bebb-79d0cbe7a12f@gmail.com
In response to Postgres limitation in user management  ("Kar, Swapnil (TR Technology)" <Swapnil.Kar@thomsonreuters.com>)
List pgsql-general

How can you practically support a database without being able to look at a table?

On 11/3/23 01:26, Kar, Swapnil (TR Technology) wrote:
Hello Team,

I am facing a limitation with Postgres user management and require your assistance or input around it. Let me brief you on the scenario here –

We have 2 sets of database user groups –

  1. App – who owns the application schemas (and tables)
  2. Support – who provides db support

We want Support users to have no SELECT or DML privilege but only ALTER TABLE to perform any troubleshooting in the database.

In Postgres, to have alter system privilege one should be the owner of the schema/table, but App users are not keen to make them temporarily the owner of the schema during the investigation time, because they lose the ownership and can't perform ALTER TABLE commands.

Now another option, option 2, is to – grant app_user to support_user;

This way ownership is not transferred but support is able to perform select and DML.

Option 3 is to grant rds_superuser privilege to support and in this case they will become more powerful superuser in the DB. This is also not a solution for our requirement.

Do you think there is a way to deal with this situation?

Any help and guidance here is highly appreciated.

Regards,

Swapnil

--
Born in Arizona, moved to Babylonia.
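
The effect of option 2 in the quoted question, as an added example that is not part of either message: membership in the owning role gives ALTER TABLE and data access together, and NOINHERIT only moves both behind an explicit SET ROLE. The role names app_user and support_user come from the question; the schema app and the table orders are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed demo objects: schema "app" and table "orders" are hypothetical.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE support_user NOLOGIN;               -- INHERIT is the default
CREATE SCHEMA app AUTHORIZATION app_user;
CREATE TABLE app.orders (id int PRIMARY KEY, note text);
ALTER TABLE app.orders OWNER TO app_user;

-- Option 2 from the question: membership in the owning role.
GRANT app_user TO support_user;

-- What support_user can use without any further step.
SELECT pg_has_role('support_user', 'app_user', 'USAGE')            AS uses_owner_rights,
       has_table_privilege('support_user', 'app.orders', 'SELECT') AS can_select,
       has_table_privilege('support_user', 'app.orders', 'UPDATE') AS can_update;

-- Owner rights (ALTER TABLE) and data access arrive as one bundle.
SET SESSION AUTHORIZATION support_user;
ALTER TABLE app.orders ADD COLUMN checked_at timestamptz;
SELECT count(*) FROM app.orders;
RESET SESSION AUTHORIZATION;

-- Variant: same membership, but not applied implicitly.
-- Revoke and re-grant so the setting takes effect on every server version.
REVOKE app_user FROM support_user;
ALTER ROLE support_user NOINHERIT;
GRANT app_user TO support_user;

SELECT pg_has_role('support_user', 'app_user', 'MEMBER')           AS is_member,
       pg_has_role('support_user', 'app_user', 'USAGE')            AS uses_owner_rights,
       has_table_privilege('support_user', 'app.orders', 'SELECT') AS can_select;

-- Owner rights now require an explicit SET ROLE, which statement logging can
-- record. Once taken, they are still the full set: this narrows when the
-- access is used, not what it covers.
SET SESSION AUTHORIZATION support_user;
SET ROLE app_user;
ALTER TABLE app.orders DROP COLUMN checked_at;
SELECT count(*) FROM app.orders;
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Clean up the constructed objects.
DROP TABLE app.orders;
DROP SCHEMA app;
DROP ROLE support_user;
DROP ROLE app_user;
```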
