On Tue, Nov 29, 2005 at 03:30:33PM -0800, Dan Tenenbaum wrote:
> I want to create a postgresql user with restricted permissions--all it
> should be able to do is select on a few views that I specify.
>
> So I did the following, as the database owner:
> create user viewer password 'xxxx';
> grant select on myview to viewer;
>
> Then, when I start psql as the viewer user, specifying the same database
> with the -d switch, I try this:
> select * from myview;
> and get this:
> ERROR: permission denied for schema myschema
> What do I need to do to get the correct permissions?
GRANT USAGE ON SCHEMA myschema TO viewer;
> Also, there is a group called "users" and the database owner is in that
> group. But I have not granted any explicit privileges to that group. And the
> database is owned by a particular user, not a group. However, I notice that
> when I added the "viewer" user to the "users" group, that the user seemed to
> be able to do everything that the database owner could do. That is not what
> I want. But the above (not being able to select a view that I thought I had
> select permission for) is not what I want either.
>
> The above paragraph would seem to suggest that a group called "users" has
> some special properties. I could not find any documentation for that in the
> postgres docs (I am using version 7.4). Perhaps I couldn't find it because
> almost every page in the docs seems to have the word "users" in it, so it is
> hard to disambiguate my search.
> If someone could point me towards documentation of the special properties of
> the "users" group that would be helpful...but the thing I most want help
> with is creating a user with restricted views as described above.
There is no default users group, only PUBLIC (which isn't really a group
in the system afaict).
If you install newsysviews (http://pgfoundry.org/projects/newsysviews/)
you can query pg_user_grants to help diagnose where the permissions are
comming from. Or you could use a big, hairy query to do it...
--
Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com
Pervasive Software http://pervasive.com work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461