* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > create role admin with noinherit;
> > grant postgres to admin;
> > grant admin to joesysadmin;
>
> > pg_dump -U joesysadmin mydb;
>
> > Fails because joesysadmin hasn't got rights to everything directly.
>
> Seems like the correct answer to that is "use a saner role
> configuration".
Funny, it's exactly the type of setup described here:
http://www.postgresql.org/docs/8.2/interactive/role-membership.html
Far as I can tell anyway. What would you suggest? The point here is
that joesysadmin shouldn't get full postgres privs on login since most
of the time he won't need them. When he does need them, he can do a
'set role postgres', do what he needs to do and then 'reset role' when
he's done. Minimizing the amount of time with superuser privs is a good
thing in general, I would think.
Thanks,
Stephen
