Re: Role for just read the data + avoid CREATE / ALTER / DROP

From: David G. Johnston
Subject: Re: Role for just read the data + avoid CREATE / ALTER / DROP
Msg-id CAKFQuwYa-rS2vUq8kvbB+UjJEvttv1LYqzhmV4jJyYbxCRZT2w@mail.gmail.com
In response to: Role for just read the data + avoid CREATE / ALTER / DROP  (Durumdara <durumdara@gmail.com>)
List: pgsql-general
On Friday, August 25, 2023, Durumdara <durumdara@gmail.com> wrote:

I don't understand why these commands don't work?!

REVOKE CREATE ON SCHEMA public FROM u_tdb_ro;
REVOKE CREATE ON DATABASE tdb FROM u_tdb_ro;
REVOKE CREATE ON TABLESPACE pg_default FROM u_tdb_ro;

Because at no point has the system ever actually granted those specific permissions to that specific role.  When you revoke something it has to have been previously granted.  The underlying complication is permission inheritance.  You need to know where in the inheritance chain a permission originates in order to know your options for removing it.  In this case the grant to the public group that all roles are a member of.

David J.
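
The diagnosis described in the reply above, as an added SQL example that is not part of the original message: it checks the role's effective privilege, shows which grantee the CREATE privilege on the schema is actually recorded against, and revokes it there. It assumes the role `u_tdb_ro` and database `tdb` from the quoted question, and that the privilege in question is the one on schema `public`.

```sql
-- Run while connected to database tdb: schema ACLs are stored per database.

-- 1. Effective privilege, counting everything the role inherits (PUBLIC included).
SELECT has_schema_privilege('u_tdb_ro', 'public', 'CREATE') AS can_create;

-- 2. Where the privilege originates. Each ACL entry becomes one row;
--    grantee OID 0 is the PUBLIC pseudo-role. A NULL nspacl means the
--    built-in defaults apply, so fall back to acldefault().
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type,
       pg_get_userbyid(a.grantor)               AS grantor
FROM pg_namespace AS n
CROSS JOIN LATERAL
     aclexplode(coalesce(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE n.nspname = 'public'
ORDER BY 1, 2;

-- 3. Named roles whose privileges u_tdb_ro inherits. PUBLIC is implicit and
--    never appears here, which is why step 2 is needed as well.
SELECT r.rolname
FROM pg_roles AS r
WHERE r.rolname <> 'u_tdb_ro'
  AND pg_has_role('u_tdb_ro'::name, r.oid, 'USAGE');

-- 4. If step 2 lists PUBLIC with CREATE, revoke it from PUBLIC. Revoking it
--    from u_tdb_ro changes nothing, because no ACL entry names that role.
--    This affects every role: any role that still needs CREATE must be
--    granted it explicitly afterwards.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 5. Verify: can_create should now be false for the read-only role.
SELECT has_schema_privilege('u_tdb_ro', 'public', 'CREATE') AS can_create;
```

On PostgreSQL 15 and later, newly created databases no longer grant CREATE on schema `public` to PUBLIC, so step 2 may show no such entry there.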
