On Wed, Aug 5, 2009 at 3:40 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> I have one database that is set up with a reporting user (read only on
>> everything). It requires constant maintenance. Every time an object
>> is added or deleted (or dropped and recreated, like a view, which I do
>> ALL THE TIME to work around the inability to add/remove columns) the
>> permissions get shot to hell. I finally crontabbed a script that
>> fixes it every 20 minutes. I had another database where I tried to do
>> some real permission separation and it was just a huge pain in the
>> ass.
>
>> Grant on all isn't gonna fix these problems completely, but it's a
>> start. The DefaultACL stuff is another important step in the right
>> direction.
>
> Seems like default ACLs, not grant-on-all, is what you want for that.
Well, that helps with the maintenance, but you also have to set it up
initially. There were already 100+ objects in the schema at the time
the reporting user was created.
...Robert