Re: Backing out of privilege grants rabbit hole - Mailing list pgsql-general

From raf
Subject Re: Backing out of privilege grants rabbit hole
Date
Msg-id 20200403045739.ej4qsc6cx4nk4yb4@raf.org
Whole thread Raw
In response to Re: Backing out of privilege grants rabbit hole  (AC Gomez <antklc@gmail.com>)
Responses Re: Backing out of privilege grants rabbit hole
List pgsql-general
It's probably more sensible to grant permissions to roles that
represent groups, and have roles for individual users that
inherit the permissions of the group roles. Then you don't
need to revoke the permissions just because an individiual
has left.

cheers,
raf

AC Gomez wrote:

> Thanks for the quick response. The problem is, in most cases the owner is
> not the grantee. So if a role, let's say a temp employee, gets grants, then
> leaves, I can't do a drop owned because that temp never owned those
> objects, he just was granted access. Is there a "drop granted" kind of
> thing?
> 
> On Thu, Apr 2, 2020, 11:37 PM Guyren Howe <guyren@gmail.com> wrote:
> 
> > https://www.postgresql.org/docs/12/sql-drop-owned.html
> >
> > On Apr 2, 2020, at 20:34 , AC Gomez <antklc@gmail.com> wrote:
> >
> > Do I understand correctly that if a role was assigned countless object
> > privileges and you want to delete that role you have to sift through a
> > myriad of privilege grants in what amounts to a time consuming trial and
> > error exercise until you've got them all?
> >
> > Or is there a single command that with just delete the role and do a
> > blanket grant removal at the same time?



pgsql-general by date:

Previous
From: James Brauman
Date:
Subject: Improve COPY performance into table with indexes.
Next
From: AC Gomez
Date:
Subject: Re: Backing out of privilege grants rabbit hole