On Mon, Nov 5, 2018 at 6:25 AM Guillaume Lelarge <guillaume@lelarge.info> wrote:
>
> Le lun. 5 nov. 2018 à 12:15, DECHERF Étienne <etienne.decherf-ext@aphp.fr> a écrit :
>>
>> 2. plus a role "Role_user" particular for each of them for its additional personal access
>>
>> with "grants" and "revokes" on other tables and columns.
>> Yes, though you can only grant privileges this way. Not revoke some.
Phrased differently, "REVOKE" removes a previously GRANT'd permission;
it does not setup a "denial of permission". The permission system in
PostgreSQL is purely additive - roles start with zero permissions are
strictly granted the ability to do things. You have to revoke
permissions where they are granted originally when inheritance is in
play.
David J.