Thread: Authorized privileges when calling a procedure

Authorized privileges when calling a procedure

From
"Walker, Jed S"
Date:

Hi,

I have another question. It appears that when you create a procedure and grant access on it to another user, the user must have privileges to all objects that the procedure references. Can someone confirm this, and is there a way to change the privilege authorization to the user that defined the procedure?

Thanks in advance,

      Jed S. Walker

Re: Authorized privileges when calling a procedure

From
Tom Lane
Date:
"Walker, Jed S" <Jed_Walker@cable.comcast.com> writes:
> I have another question. It appears that when you create a procedure and
> grant access on it to another user, the user must have privileges to all
> objects that the procedure references. Can someone confirm this, and is
> there a way to change the privilege authorization to the user that defined
> the procedure?

Mark the function as SECURITY DEFINER --- this is like setuid programs
in Unix.

(No, it's not a very intuitive label for the behavior, but it's what
the SQL spec says to use.)

            regards, tom lane
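
The SECURITY DEFINER behaviour described in the reply above, shown next to the default invoker behaviour (an added example, not part of the original thread). It assumes a current PostgreSQL release and a superuser session in a scratch database; the roles, schema, table and function names are hypothetical.

```sql
-- Constructed example: all object names below are hypothetical.
CREATE ROLE app_owner  NOLOGIN;
CREATE ROLE app_caller NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

SET ROLE app_owner;

CREATE TABLE app.accounts (
    id      integer PRIMARY KEY,
    balance numeric NOT NULL
);
INSERT INTO app.accounts VALUES (1, 100.00);

-- Default (SECURITY INVOKER): the body runs with the caller's privileges,
-- so the caller needs its own SELECT privilege on app.accounts.
CREATE FUNCTION app.balance_invoker(p_id integer) RETURNS numeric
LANGUAGE sql STABLE
AS $$ SELECT balance FROM app.accounts WHERE id = p_id $$;

-- SECURITY DEFINER: the body runs with the privileges of the function's
-- owner (app_owner), like a setuid program. Pinning search_path, with
-- pg_temp last, keeps the body from resolving names through schemas the
-- caller controls.
CREATE FUNCTION app.balance_definer(p_id integer) RETURNS numeric
LANGUAGE sql STABLE
SECURITY DEFINER
SET search_path = app, pg_temp
AS $$ SELECT balance FROM app.accounts WHERE id = p_id $$;

-- EXECUTE is granted to PUBLIC by default; restrict it to the intended role.
REVOKE ALL ON FUNCTION app.balance_invoker(integer),
                       app.balance_definer(integer) FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_caller;
GRANT EXECUTE ON FUNCTION app.balance_invoker(integer),
                          app.balance_definer(integer) TO app_caller;

RESET ROLE;

-- app_caller holds no privileges on app.accounts itself.
SET ROLE app_caller;
SELECT app.balance_definer(1);  -- permitted: the body executes as app_owner
SELECT app.balance_invoker(1);  -- rejected: app_caller lacks SELECT on the table
RESET ROLE;
```

Because a SECURITY DEFINER function exposes its owner's privileges to every role that can execute it, the function should be owned by a role with only the privileges the body needs.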

Re: Authorized privileges when calling a procedure

From
"Walker, Jed S"
Date:
Great, that's exactly what I need.

Thanks!

-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Sent: Friday, April 22, 2005 9:04 AM
To: Walker, Jed S
Cc: 'pgsql-novice@postgresql.org'
Subject: Re: [NOVICE] Authorized privileges when calling a procedure

"Walker, Jed S" <Jed_Walker@cable.comcast.com> writes:
> I have another question. It appears that when you create a procedure
> and grant access on it to another user, the user must have privileges
> to all objects that the procedure references. Can someone confirm
> this, and is there a way to change the privilege authorization to the
> user that defined the procedure?

Mark the function as SECURITY DEFINER --- this is like setuid programs in
Unix.

(No, it's not a very intuitive label for the behavior, but it's what the SQL
spec says to use.)

            regards, tom lane