> On Aug 7, 2020, at 1:32 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Yes, you are. It looks like what you actually issued is
>
> ALTER USER akanzler SET role confidential_read_only;
>
> but that would have the effect that subsequent session starts would
> automatically do "SET ROLE confidential_read_only".
AHA! This is the correct answer, and it is solved now.
I *know* I executed grant role properly--it's right there in the script.
However, I think that SET ROLE had been accidentally misused instead of GRANT <role> at some point in the past, *AND*
thatthe role contained privs to the user-specific schemas when it should not have. So revoking all privs from the role
andadding back the proper ones resulted in inadvertently removing privs from users who'd properly had them explicitly
granted.
(I've never even used SET ROLE and was unaware you could even do that!)
Anyway, thanks a million for being patient and sticking with this.