"David Johnston" <polobo@yahoo.com> writes:
> [mailto:pgsql-general-owner@postgresql.org] On Behalf Of Vincent de Phily
>> [ this doesn't do anything: ]
>> db_foo=# REVOKE CREATE ON SCHEMA public FROM foouser;
> "foouser" is obtaining its permission to "CREATE" on the "public " schema
> via global/PUBLIC permissions (i.e., via inheritance). Revoking only
> removes an explicitly granted permission but does not institute a block for
> an inherited permission. You would need to revoke the global permission to
> CREATE on "public" and then only GRANT it back to those users/roles that you
> wish to have it - all others will then effectively lose that ability.
Correct. Note where it says in the GRANT manual page that a user's
effective rights are the sum of those granted to PUBLIC, those granted
directly to him, and those granted to roles he is a member of. Rights
granted to PUBLIC are available to everybody, full stop, and can't be
selectively blocked.
regards, tom lane
