Re: the "users" group and restricting privileges - Mailing list pgsql-admin

From Jim C. Nasby
Subject Re: the "users" group and restricting privileges
Date
Msg-id 20051130001304.GV78939@pervasive.com
Whole thread Raw
In response to the "users" group and restricting privileges  (Dan Tenenbaum <dandante@gmail.com>)
List pgsql-admin
On Tue, Nov 29, 2005 at 03:30:33PM -0800, Dan Tenenbaum wrote:
> I want to create a postgresql user with restricted permissions--all it
> should be able to do is select on a few views that I specify.
>
> So I did the following, as the database owner:
> create user viewer password 'xxxx';
> grant select on myview to viewer;
>
> Then, when I start psql as the viewer user, specifying the same database
> with the -d switch, I try this:
> select * from myview;
> and get this:
> ERROR: permission denied for schema myschema
> What do I need to do to get the correct permissions?

GRANT USAGE ON SCHEMA myschema TO viewer;

> Also, there is a group called "users" and the database owner is in that
> group. But I have not granted any explicit privileges to that group. And the
> database is owned by a particular user, not a group. However, I notice that
> when I added the "viewer" user to the "users" group, that the user seemed to
> be able to do everything that the database owner could do. That is not what
> I want. But the above (not being able to select a view that I thought I had
> select permission for) is not what I want either.
>
> The above paragraph would seem to suggest that a group called "users" has
> some special properties. I could not find any documentation for that in the
> postgres docs (I am using version 7.4). Perhaps I couldn't find it because
> almost every page in the docs seems to have the word "users" in it, so it is
> hard to disambiguate my search.
> If someone could point me towards documentation of the special properties of
> the "users" group that would be helpful...but the thing I most want help
> with is creating a user with restricted views as described above.

There is no default users group, only PUBLIC (which isn't really a group
in the system afaict).

If you install newsysviews (http://pgfoundry.org/projects/newsysviews/)
you can query pg_user_grants to help diagnose where the permissions are
comming from. Or you could use a big, hairy query to do it...
--
Jim C. Nasby, Sr. Engineering Consultant      jnasby@pervasive.com
Pervasive Software      http://pervasive.com    work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf       cell: 512-569-9461

pgsql-admin by date:

Previous
From: Tom Lane
Date:
Subject: Re: the "users" group and restricting privileges
Next
From: Dan Tenenbaum
Date:
Subject: Re: the "users" group and restricting privileges