Re: database specific pg_read_all_data / pg_write_all_data

On Tue, 2025-12-09 at 16:13 -0500, richard coleman wrote:
> In PostgreSQL 16+ the built in roles such as pg_read_all_data and pg_write_all_data are a welcome addition to
permissionsetting in PostgreSQL. 
>
> Unfortunately they appear to be server-wide roles.
>
> Woud it be possible to have roles like these that are database specific?
>
> If there are 100 databases on a server, it would be extremely helpful to be able to do something like:
>
> grant pg_read_all_data on database foo to user_role;
>
> Otherwise these roles are unusable from a practical stand point on servers with multiple unrelated databases.

I think they were mostly added for compatibility with Microsoft SQL Server,
if I remember correctly.

I suggest creating roles named "readonly_dbname" for each database with
the appropriate privileges and assigning those.

A different approach would be to use different database clusters for different
databases.

Yours,
Laurenz Albe