Petr Jelinek <pjmodos@pjmodos.net> writes:
> That's how it works now actually, the problem is that when you grant
> something in the chain you can't revoke it anywhere else in the chain
> when you are merging privileges as you proposed.
To allow that, you have to have some notion of a priority order among
the available defaults, so that you can sensibly say that A should
override B. Which is easy as long as they've got hierarchical scopes,
but that doesn't seem like a restriction that will hold good for future
extensions.
regards, tom lane