On Tue, Jul 7, 2009 at 4:16 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
>
>> (I'm sure we can do something intelligent with privileges that don't
>> apply to all object types rather than just fail. e.g. UPDATE privilege
>> should be same as USAGE on a sequence.)
>
> Anything you do in that line will be an ugly kluge, and will tend to
> encourage insecure over-granting of privileges (ie GRANT ALL ON ALL
> OBJECTS ... what's the point of using permissions at all then?)
That seems a bit pessimistic. While I disagree with Simon's rule I
think you can get plenty of mileage out of a more conservative rule of
just granting the privilege to all objects for which that privilege is
defined. Especially when you consider that we allow listing multiple
privileges in a single command.
--
greg
http://mit.edu/~gsstark/resume.pdf
