Re: (Default) Group permissions - Mailing list pgsql-general

From Albe Laurenz
Subject Re: (Default) Group permissions
Date
Msg-id A737B7A37273E048B164557ADEF4A58B17BC2D34@ntex2010a.host.magwien.gv.at
Whole thread Raw
In response to Re: (Default) Group permissions  (Michael Orlitzky <michael@orlitzky.com>)
Responses Re: (Default) Group permissions
List pgsql-general
Michael Orlitzky wrote:
> I want to be able to create a database, set up the (default) group
> permissions, and have them work, even when a new user is added to one of
> the groups. Right now I don't know of a way to get default group
> permissions.

There is none, as far as I can say.

You have two options:
- You have the default privileges on the roles, and every user
  has to run SET ROLE to the role before he or she creates objects.
- Whenever you create a new user, you set default privileges
  for the user.

I guess that the first solution is not useful until there are
event triggers for database logins.

> The example I came up with requires two groups, and five users (two in
> each group):

[...]
 
> If I could set up a database with (default) permissions that worked this
> way, I'd be happy.
> 
> Right now, I can get it working temporarily with a huge mess of scripts,
> but if another customer-dev gets added, I have to hop in as the
> superuser and run O(n) commands again, where n is either the number of
> databases or number of users (depending on which solution you choose).

I guess I can think of no better way to do it.
I'd try to automatize the process as much as possible, e.g. by
writing functions that create users and automatically set all the
necessary default privileges.

Yours,
Laurenz Albe

pgsql-general by date:

Previous
From: Luca Ferrari
Date:
Subject: Re: What is the difference between cmin and cmax
Next
From: Daniel Blanco
Date:
Subject: Re: PostgreSQL archiving last replayed WAL after recovery