Thread: Question on roles and privileges
Hello All,
And I understand pg_monitor role wraps up most of the key read only privileges within it to work on performance issues and also its a readonly privilege only. So I wanted to know from experts here , if it's true and pg_monitor role will suffice for all the above work?
We want to make sure to keep minimal privileges for the users based on their roles and responsibility. We have one user group who will be working on analyzing/debugging into performance issues in the databases. Basically this group will be operating on extensions like apg_plan_management, pg_hint_plan, auto_explain, plprofiler, pg_repack. So these extensions will already be installed for the group, but they will just need to use those appropriately. For example pg_hint_plan will not need any write privilege because the user just has to put the hint in the query and run it to see any performance variation.
So like that , what kind of minimal privileges will each of these extensions need to make them work for this performance group? Basically if any of these will need write privilege or all works can be performed using Readonly roles/privilege only?
So like that , what kind of minimal privileges will each of these extensions need to make them work for this performance group? Basically if any of these will need write privilege or all works can be performed using Readonly roles/privilege only?
And I understand pg_monitor role wraps up most of the key read only privileges within it to work on performance issues and also its a readonly privilege only. So I wanted to know from experts here , if it's true and pg_monitor role will suffice for all the above work?
Regards
Yudhi
For the initial installation the extensions may need superuser privileges.
On Fri, May 10, 2024 at 10:04 AM yudhi s <learnerdatabase99@gmail.com> wrote:
Hello All,We want to make sure to keep minimal privileges for the users based on their roles and responsibility. We have one user group who will be working on analyzing/debugging into performance issues in the databases. Basically this group will be operating on extensions like apg_plan_management, pg_hint_plan, auto_explain, plprofiler, pg_repack. So these extensions will already be installed for the group, but they will just need to use those appropriately. For example pg_hint_plan will not need any write privilege because the user just has to put the hint in the query and run it to see any performance variation.
So like that , what kind of minimal privileges will each of these extensions need to make them work for this performance group? Basically if any of these will need write privilege or all works can be performed using Readonly roles/privilege only?
And I understand pg_monitor role wraps up most of the key read only privileges within it to work on performance issues and also its a readonly privilege only. So I wanted to know from experts here , if it's true and pg_monitor role will suffice for all the above work?RegardsYudhi
On Fri, May 10, 2024 at 11:31 AM Lok P <loknath.73@gmail.com> wrote:
For the initial installation the extensions may need superuser privileges.
Thank you. Yes, I got it. For the initial installation for the extensions ,it will need super user privilege. But once that is done for the day to day use , does these extensions need any write/execute privileges or readonly privileges is enough? and if any readymade role available through with all these are catered?