On 08/28/2012 09:09 PM, Craig Ringer wrote:
> On 08/29/2012 01:25 AM, David Fetter wrote:
>> Folks,
>>
>> There are situations where a "default deny" policy is the best fit.
>>
>> To that end, I have a modest proposal:
>>
>> REVOKE PUBLIC FROM role;
>>
>> Thenceforth, the role in question would only have access to things it
>> was specifically granted.
>
> Wouldn't that render the user utterly unable to do anything until you
> added a bunch of GRANTs on the system catalogs for that user or a
> group they're a member of?
No.
Try it and see. You can do a lot without having any access rights at all
to the catalog tables.
cheers
andrew