Ron <ronljohnsonjr@gmail.com> writes:
> On 11/4/23 16:53, Peter J. Holzer wrote:
>> This doesn't answer the question why ALTER TABLE privilege would be
>> required.
> I bet the Good Idea Fairy whispered something into the CISO's ear.
Yeah. This is blatantly obviously the brainchild of some person
with no actual experience in fulfilling the roles they want to
circumscribe.
Having said that, maybe:
* Role foo_owner actually owns the tables, but revokes its own
DML privileges (select etc)
* Role foo_app is granted foo_owner so it can do DDL on the
tables, and is also granted DML privileges on the tables
* Role foo_dba is granted foo_owner but not DML privileges.
This is, of course, trivially breakable by any foo_dba who
doesn't want to play by the rules, but as long as you log
DDL there will at least be log traces that she did so.
regards, tom lane
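The role layout sketched above, written out as PostgreSQL statements. This is an added example, not part of Tom Lane's mail or of the thread: the schema name foo, the table foo.accounts and its columns are placeholders chosen here, and the script assumes it is run by a superuser (or a role with CREATEROLE and CREATE on the database) on a reasonably current PostgreSQL.

```sql
-- Added example (not from the mailing-list post): foo_owner holds the
-- tables but has no DML rights of its own; foo_app and foo_dba are both
-- members of foo_owner (so both can do DDL), but only foo_app is granted
-- DML explicitly. Schema "foo" and table "accounts" are placeholders.

-- 1. The owning role. It never logs in; people reach it via membership.
CREATE ROLE foo_owner NOLOGIN;

-- 2. The two working roles. Membership in the owning role is what lets
--    them ALTER/DROP foo_owner's tables.
CREATE ROLE foo_app LOGIN;
CREATE ROLE foo_dba LOGIN;
GRANT foo_owner TO foo_app;
GRANT foo_owner TO foo_dba;

-- 3. Objects are created by foo_owner, so foo_owner is the owner.
CREATE SCHEMA foo AUTHORIZATION foo_owner;
SET ROLE foo_owner;
CREATE TABLE foo.accounts (
    id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    holder  text NOT NULL,
    balance numeric(12,2) NOT NULL DEFAULT 0
);

-- 4. The owner revokes its own DML. An owner holds all privileges
--    implicitly; stripping them is what keeps foo_dba, which only
--    inherits owner rights, from touching rows.
REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE
    ON ALL TABLES IN SCHEMA foo FROM foo_owner;
-- Tables foo_owner creates later in schema foo get the same treatment.
ALTER DEFAULT PRIVILEGES FOR ROLE foo_owner IN SCHEMA foo
    REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES FROM foo_owner;

-- 5. Only foo_app gets DML, and only as an explicit grant.
GRANT USAGE ON SCHEMA foo TO foo_app, foo_dba;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA foo TO foo_app;
ALTER DEFAULT PRIVILEGES FOR ROLE foo_owner IN SCHEMA foo
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO foo_app;
RESET ROLE;

-- 6. Check the split from the DBA's seat.
SET ROLE foo_dba;
ALTER TABLE foo.accounts ADD COLUMN opened date;   -- DDL: succeeds (owner via membership)
SELECT count(*) FROM foo.accounts;                 -- DML: ERROR: permission denied
-- The "trivially breakable" part: a foo_dba who does not want to play by
-- the rules is a member of the owner and can simply grant itself DML back.
-- GRANT/REVOKE are classed as DDL by log_statement, so with
-- log_statement = 'ddl' in postgresql.conf this line shows up in the
-- server log; SET ROLE itself is only logged at log_statement = 'all'.
-- GRANT SELECT ON foo.accounts TO foo_dba;
RESET ROLE;
```

Two points worth keeping in mind when running this for real: the REVOKE in step 4 only affects tables that already exist, which is why the ALTER DEFAULT PRIVILEGES lines are there for anything created afterwards; and because the defence is a grant a member of the owner can undo, the audit trail (log_statement = 'ddl', or an event trigger on GRANT) is the part that actually carries the control.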