Thread: Deny creation of tables for a user
Hello I am playing with security in Postgres And I would like to have a database that can be managed by a given user that could do almost anything but I would also have a user that can just handle what is created. I mean she could insert, update delete rows but not create tables. I did not find a way to revoke such thing. Is it possible ? Thanks!
On Wednesday 23 April 2008 06:46, Pascal Cohen wrote: > Hello > I am playing with security in Postgres > And I would like to have a database that can be managed by a given user > that could do almost anything but I would also have a user that can just > handle what is created. > I mean she could insert, update delete rows but not create tables. > > I did not find a way to revoke such thing. Is it possible ? > > Thanks! Have you looked at GRANT? http://www.postgresql.org/docs/8.3/interactive/sql-grant.html -- Terry Lee Tucker Turbo's IT Manager Turbo, division of Ozburn-Hessey Logistics 2251 Jesse Jewell Pkwy NE Gainesville, GA 30501 Tel: (336) 372-6812 Fax: (336) 372-6812 Cell: (336) 404-6987 terry@turbocorp.com www.turbocorp.com
Terry Lee Tucker wrote: > On Wednesday 23 April 2008 06:46, Pascal Cohen wrote: > >> Hello >> I am playing with security in Postgres >> And I would like to have a database that can be managed by a given user >> that could do almost anything but I would also have a user that can just >> handle what is created. >> I mean she could insert, update delete rows but not create tables. >> >> I did not find a way to revoke such thing. Is it possible ? >> >> Thanks! >> > > Have you looked at GRANT? > http://www.postgresql.org/docs/8.3/interactive/sql-grant.html > > Yes I did. In fact I looked at GRANT and REVOKE commands but I would like to define that a role r cannot create a new table and I did not find the way to do so. I can prevent him from inserting or updating in an existing table but not to create a new table
> Terry Lee Tucker wrote: > > On Wednesday 23 April 2008 06:46, Pascal Cohen wrote: > > > >> Hello > >> I am playing with security in Postgres > >> And I would like to have a database that can be managed by a given user > >> that could do almost anything but I would also have a user that can > just > >> handle what is created. > >> I mean she could insert, update delete rows but not create tables. > >> > >> I did not find a way to revoke such thing. Is it possible ? > >> > >> Thanks! > >> > > > > Have you looked at GRANT? > > http://www.postgresql.org/docs/8.3/interactive/sql-grant.html > > > > > Yes I did. > In fact I looked at GRANT and REVOKE commands but I would like to define > that a role r cannot create a new table and I did not find the way to do > so. > I can prevent him from inserting or updating in an existing table but > not to create a new table > It is handled at the schema level. If a user doesn't have create on any schemas, then the user can't create any tables. "For schemas, allows new objects to be created within the schema. To rename an existing object, you must own the object and have this privilege for the containing schema." You probably want to also "REVOKE ALL ON SCHEMA public FROM public;" so users can't create objects in that schema. Jon
Pascal Cohen wrote: > I am playing with security in Postgres > And I would like to have a database that can be managed by a given user > that could do almost anything but I would also have a user that can just > handle what is created. > I mean she could insert, update delete rows but not create tables. > > I did not find a way to revoke such thing. Is it possible ? The concept of the privilege system is that each database object determines what you can do with it (with an access control list). The owner of a database object can do everything with it. So I'd do it like this: Owning user (owns schema "myschema"): CREATE TABLE myschema.mytable (...); GRANT USAGE ON SCHEMA myschema TO bibi; GRANT INSERT, UPDATE, DELETE ON myschema.mytable TO bibi; Now user "bibi" can du exactly what you want. Yours, Laurenz Albe
"Roberts, Jon" <Jon.Roberts@asurion.com> writes:
> You probably want to also "REVOKE ALL ON SCHEMA public FROM public;" so
> users can't create objects in that schema.
More like REVOKE CREATE ..., unless your intent is also to deny access
to existing stuff in the public schema.
You'd also want to make sure the user doesn't have CREATE privilege
on the database, lest he create his own schema and then make tables
within that. (This is off by default, though.)
Lastly, if you don't want him creating even temp tables, you'd need to
revoke TEMP privilege on the database from public.
Having revoked all these privileges from public, you'd need to grant 'em
back to whichever individual users should have them.
regards, tom lane
Albe Laurenz wrote: > Pascal Cohen wrote: > >> I am playing with security in Postgres >> And I would like to have a database that can be managed by a given user >> that could do almost anything but I would also have a user that can just >> handle what is created. >> I mean she could insert, update delete rows but not create tables. >> >> I did not find a way to revoke such thing. Is it possible ? >> > > The concept of the privilege system is that each database object > determines what you can do with it (with an access control list). > > The owner of a database object can do everything with it. > > So I'd do it like this: > > Owning user (owns schema "myschema"): > > CREATE TABLE myschema.mytable (...); > GRANT USAGE ON SCHEMA myschema TO bibi; > GRANT INSERT, UPDATE, DELETE ON myschema.mytable TO bibi; > > Now user "bibi" can du exactly what you want. > > Yours, > Laurenz Albe > > Thanks all for your help. Your examples + re-reading the documentation made things clear to my mind. Thanks again!