Pallav Kalva <pkalva@deg.cc> writes:
> usps=> \z citystate_alias
> Access privileges
> for database "usps"
> Schema | Table
> | Access privileges
>
--------+-----------------+-----------------------------------------------------------------------------------------------------------------------
> public | citystate_alias |
> {postgres=a*r*w*d*R*x*t*/postgres,=r/postgres,usps=arwdRxt/postgres,"group
> 100=r/usps","group ea_development=r/usps"}
> (1 row)
It looks to me like (a) this table is owned by postgres not usps, and
(b) postgres has granted SELECT permission to PUBLIC (that's what the
"=r/postgres" part means). The usps user isn't going to be able to
revoke that because he doesn't own the table.
It does seem like you've found a bug of some kind though: the above
shows that user usps does not have GRANT OPTION rights of any kind
(there are no stars in his privilege list). So how was he able to grant
SELECT rights to those two groups? Do you have the exact sequence of
GRANT and REVOKE operations that were performed on this table? What
PG version is this, exactly?
regards, tom lane
