On 12/15/2014 02:43 AM, Marko Tiikkaja wrote:
> This week I had a problem where I wanted to drop only the privileges a
> certain role had in the system, while keeping all the objects. I
> couldn't figure out a reasonable way to do that, so I've attached a
> patch for this to this email. Please consider it for inclusion into
> 9.5. The syntax is:
>
> DROP PRIVILEGES OWNED BY role [, ...]
>
> I at some point decided to implement it as a new command instead of
> changing DropOwnedStmt, and I think that might have been a mistake. It
> might have made more sense to instead teach DROP OWNED to accept a
> specification of which things to drop. But the proposal is more
> important than such details, I think.
DROP seems like the wrong verb here. DROP is used for deleting objects,
while REVOKE is used for removing permissions from them. REVOKE already
has something similar:
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM heikki;
Following that style, how about making the syntax:
REVOKE ALL PRIVILEGES ON ALL OBJECTS FROM <role>
or just:
REVOKE ALL PRIVILEGES FROM <role>;
- Heikki