Thread: ERROR: must be owner of table - ALTER TABLE

ERROR: must be owner of table - ALTER TABLE

From: Edwin UY
Date:

Hi

Is there no other option to grant a user ALTER TABLE privilege except doing the grant <owner> to <user>/<role> :-)

I can understand it is not really ideal to grant access for the user to do ALTER TABLE, this is mainly for the TEST environment while the developers are doing their testing.
For Qual and PROD, it will be restricted to either the owner or users with superuser privileges.

Any advice is much appreciated. Thanks in advance.


Regards,
Ed


Re: ERROR: must be owner of table - ALTER TABLE

From: Ron Johnson
Date:

On Sat, May 18, 2024 at 6:17 AM Edwin UY <edwin.uy@gmail.com> wrote:
> Hi
>
> Is there no other option to grant a user ALTER TABLE privilege except doing the grant <owner> to <user>/<role> :-)
>
> I can understand it is not really ideal to grant access for the user to do ALTER TABLE, this is mainly for the TEST environment while the developers are doing their testing.
> For Qual and PROD, it will be restricted to either the owner or users with superuser privileges.
>
> Any advice is much appreciated. Thanks in advance.


"The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too."

Re: ERROR: must be owner of table - ALTER TABLE

From: "David G. Johnston"
Date:

On Saturday, May 18, 2024, Edwin UY <edwin.uy@gmail.com> wrote:
> Hi
>
> Is there no other option to grant a user ALTER TABLE privilege except doing the grant <owner> to <user>/<role> :-)
>
> I can understand it is not really ideal to grant access for the user to do ALTER TABLE, this is mainly for the TEST environment while the developers are doing their testing.
> For Qual and PROD, it will be restricted to either the owner or users with superuser privileges.
>
> Any advice is much appreciated. Thanks in advance.



Users, i.e., roles with login attribute, should not be given direct ownership.  Group roles should be given ownership.  Then in each database the users can be added as members of those group roles, or not, as needed.  Or, on a developer’s machine where they are actually writing code, they just get superuser.  But for all other environments they stash the alter commands they need into the schema migration tool scripts in the VCS and the schema migration tool logs on using a role granted member in the owning role and runs the scripts.

David H.
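
The group-role ownership layout described in the replies above, as an added example that is not part of the original thread. All role and table names (app_owner, dev_alice, migrator, public.orders) are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Hypothetical names: app_owner, dev_alice, migrator, public.orders.
-- Run as a superuser in a scratch database.

-- 1. Group role that owns the objects; nobody can log in as it.
CREATE ROLE app_owner NOLOGIN;

-- 2. Login roles. INHERIT is the default; it is spelled out because
--    ownership rights only apply without SET ROLE when the member inherits.
CREATE ROLE dev_alice LOGIN INHERIT;
CREATE ROLE migrator  LOGIN INHERIT;   -- used by the schema migration tool

-- 3. Ownership goes to the group role, never to a login role.
CREATE TABLE public.orders (id bigint PRIMARY KEY);
ALTER TABLE public.orders OWNER TO app_owner;

-- 4. Membership decides who may ALTER. TEST: developers and the migrator.
GRANT app_owner TO dev_alice;
GRANT app_owner TO migrator;

-- 5. dev_alice now passes the "must be owner of table" check.
SET SESSION AUTHORIZATION dev_alice;
ALTER TABLE public.orders ADD COLUMN note text;
RESET SESSION AUTHORIZATION;

-- 6. QUAL/PROD: same objects, same owner, but developers are not members.
REVOKE app_owner FROM dev_alice;

-- Check A: tables owned directly by a login role (should return no rows).
SELECT t.schemaname, t.tablename, t.tableowner
FROM pg_tables t
JOIN pg_roles  r ON r.rolname = t.tableowner
WHERE r.rolcanlogin
  AND t.schemaname NOT IN ('pg_catalog', 'information_schema');

-- Check B: non-superuser login roles that hold an owning role's privileges,
-- directly or through nested membership. In PROD this should list only the
-- migration role.
SELECT m.rolname AS login_role, o.rolname AS owning_role
FROM pg_roles m
CROSS JOIN pg_roles o
WHERE m.rolcanlogin AND NOT m.rolsuper
  AND NOT o.rolcanlogin
  AND o.rolname !~ '^pg_'
  AND pg_has_role(m.oid, o.oid, 'USAGE');
```

Superusers are excluded from Check B because they bypass ownership checks regardless of membership.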