Re: Rolls - Mailing list pgsql-general

From David G. Johnston
Subject Re: Rolls
Date
Msg-id CAKFQuwaW4YepmoGe4p_H9S4WZZoNVVNkACecfEAfAt0msnBmVw@mail.gmail.com
In response to Rolls  (Andrew Bartley <ambartley@gmail.com>)
List pgsql-general
On Thursday, February 1, 2018, Andrew Bartley <ambartley@gmail.com> wrote:
> Hi all,
>
> I am trying to work out a way to create a role/user that can only execute one particular function and nothing else.  The particular function has been created with "SECURITY DEFINER".

Never tried it but "REVOKE PUBLIC FROM role" then "GRANT ... TO role" would ideally work.

Not simple since every role is a member of PUBLIC from which they all inherit useful defaults.  You can remove those defaults and the already granted privileges from PUBLIC and then add them back to some super-role group that everyone but this user belongs to.  Then only add the one grant you desire to this user.

David J.
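
One way to lay out the privileges described in the reply above, as an added example that is not part of the original message and was not written by its author. The database `app_db`, the roles `app_users`, `alice` and `only_fn_user`, and the function `public.do_one_thing(integer)` are constructed names, and the script assumes it is run by a superuser connected to `app_db`.

```sql
-- Constructed names throughout: app_db, app_users, alice, only_fn_user, do_one_thing.
-- Assumption: run as a superuser while connected to the database app_db.

-- Stand-in for the SECURITY DEFINER function from the question.
CREATE FUNCTION public.do_one_thing(n integer) RETURNS integer
    LANGUAGE sql SECURITY DEFINER
    SET search_path = public, pg_temp   -- pin the lookup path for definer-rights code
    AS 'SELECT n + 1';

-- Group role that takes over the defaults PUBLIC used to carry.
CREATE ROLE app_users NOLOGIN;
CREATE ROLE alice LOGIN;          -- an ordinary user
GRANT app_users TO alice;         -- repeat for every role except the restricted one

-- The restricted role is deliberately not a member of app_users.
CREATE ROLE only_fn_user LOGIN;

-- Remove the defaults every role inherits through PUBLIC.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;      -- CONNECT, TEMPORARY
REVOKE ALL ON SCHEMA public FROM PUBLIC;        -- USAGE (and CREATE before PostgreSQL 15)
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;      -- existing functions
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;  -- future ones made by this role

-- Hand the same privileges back to the group.
GRANT CONNECT, TEMPORARY ON DATABASE app_db TO app_users;
GRANT USAGE ON SCHEMA public TO app_users;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO app_users;
ALTER DEFAULT PRIVILEGES GRANT EXECUTE ON FUNCTIONS TO app_users;

-- The restricted role gets only what it needs to reach the one function.
GRANT CONNECT ON DATABASE app_db TO only_fn_user;
GRANT USAGE ON SCHEMA public TO only_fn_user;
GRANT EXECUTE ON FUNCTION public.do_one_thing(integer) TO only_fn_user;

-- Inspect the resulting privileges of the restricted role.
SELECT has_function_privilege('only_fn_user', 'public.do_one_thing(integer)', 'EXECUTE') AS can_call,
       has_database_privilege('only_fn_user', 'app_db', 'TEMPORARY') AS can_temp,
       has_schema_privilege('only_fn_user', 'public', 'CREATE') AS can_create;
```

Built-in functions in `pg_catalog` and the system catalogs stay reachable through PUBLIC, so this confines the role within the application schema rather than to literally one callable function.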
