Home > mailing lists

Re: [GENERAL] Define permissions at database level - Mailing list pgsql-novice

From	dipti shah
Subject	Re: [GENERAL] Define permissions at database level
Date	February 18, 2010 06:24:09
Msg-id	d5b05a951002180223m2ccc12b7p19150bfe571b8803@mail.gmail.com Whole thread Raw
In response to	Define permissions at database level (dipti shah <shahdipti1980@gmail.com>)
List	pgsql-novice

Tree view

Thanks Richard. That makes sense. If I want to restrict DROP for any table then do I need to REVOKE permissions individually on tables.

Revoke DROP ON MyTable from PUBLIC;

I want to avoid doing it so I am wondering if I can define/grant the permission at database level so that nousers can directly use any commands like CREATE, UPDATE, ALTER or DROP. They have to use stored procedure. They can only use SELECT. Nothing else.

Thanks,

Dipti.

On Thu, Feb 18, 2010 at 3:34 PM, Richard Huxton <dev@archonet.com> wrote:

On 18/02/10 08:53, dipti shah wrote:
Hi,

Is it possible to define the permissions at database level such that no
users(except postgres) can execute DROP, ALTER, TRUNCATE commands directily?
Users have to use the given stored procedures.

1. Place users into appropriate groups (makes it easier to manage later). Note that groups and users are actually both just roles.

2. Use GRANT/REVOKE to restrict what those users can do.

3. Write your "alter table" function owned by user "postgres" and make sure it's marked "SECURITY DEFINER".

http://www.postgresql.org/docs/8.4/static/user-manag.html
http://www.postgresql.org/docs/8.4/static/sql-createfunction.html

--
Richard Huxton
Archonet Ltd

pgsql-novice by date:

From: Jayadevan M
Date: 18 February 2010, 06:16:28
Subject: Re: How to select all columns and insert into other table

From: Didier Gasser-Morlay
Date: 18 February 2010, 10:53:33
Subject: reporting and transposition

Re: [GENERAL] Define permissions at database level - Mailing list pgsql-novice

Previous

Next