Greg,
> And there's "I just created a new table, I want "www" and
> "www-backend" to get their usual privileges without thinking about it.
> You want to be able to specify default grants that an object gets
> based on the schema? That seems mostly reasonable though it might be a
> good idea to have a WITH DEFAULT GRANTS or something like that on the
> CREATE statement so that the dba has to make it explicit.
Well, the idea is *user and schema*, not schema alone. I think Jeff's
proposal for users was user alone, unmodified by schema. I'd prefer to
reverse the switch (i.e. NO DEFAULT GRANTS) just because I'd like
default grants to work with ORMs and similar.
In other words, my/stephen's proposal amounts to the idea that objects
in a schema should, by default, be able to inherit permissions from
their schema at creation time.
>It does> seems slightly silly since surely anyone creating a new object would> just paste in their grants from another
objector some common source> anyways, but I suppose that's the way with convenience features.
That works fine until you have 6 (or more) defined roles and a couple
hundred objects, and are in a "agile" environment where the dev team is
constantly adding objects which have the wrong permissions. That's
whose problem I'm trying to solve (because they're my clients).
--
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com