Grant / Revoke functionality

Lists: pgsql-general
From: Alexander Priem <ap(at)cict(dot)nl>
To: pgsql-general(at)postgresql(dot)org
Subject: Grant / Revoke functionality
Date: 2004-02-18 08:08:32
Message-ID: 20040218080832.AA608D1DD26@svr1.postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

<P>Hi guys,</P>
<P>I have a fairly big PostgreSQL 7.4.0 database running here and I am currently busy managing the rights of the different database users. I have a lot of tables, vieuws, sequences etc.</P>
<P>If I use Grant / Revoke to manage user rights, I have to name all of the different tables/views to grant or revoke a right. For instance, I cannot say something like 'Revoke Select on all tables' followed by 'Grant Select on all views' so users can only access data through views. There is only something like 'Grant Select on database xxx'...</P>
<P>Is there a way in which I can give rights to a user for a set of tables/views/sequences WITHOUT having to name all of the table/view/sequence names?</P>
<P>Thanks in advance.</P>
<P>Alexander Priem</P>

Attachment Content-Type Size
unknown_filename text/html 763 bytes
From: Shridhar Daithankar <shridhar(at)frodo(dot)hserus(dot)net>
To: Alexander Priem <ap(at)cict(dot)nl>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Grant / Revoke functionality
Date: 2004-02-18 08:45:49
Message-ID: 200402181415.36565.shridhar@frodo.hserus.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

On Wednesday 18 February 2004 13:38, Alexander Priem wrote:
> Is there a way in which I can give rights to a user for a set of
> tables/views/sequences WITHOUT having to name all of the
> table/view/sequence names?

You can use schemas. Just put everything under schema and grant user rights to
the schema...

HTH

Shridhar

From: Richard Huxton <dev(at)archonet(dot)com>
To: shridhar(at)frodo(dot)hserus(dot)net, Alexander Priem <ap(at)cict(dot)nl>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Grant / Revoke functionality
Date: 2004-02-18 09:54:48
Message-ID: 200402180954.48019.dev@archonet.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

On Wednesday 18 February 2004 08:45, Shridhar Daithankar wrote:
> On Wednesday 18 February 2004 13:38, Alexander Priem wrote:
> > Is there a way in which I can give rights to a user for a set of
> > tables/views/sequences WITHOUT having to name all of the
> > table/view/sequence names?
>
> You can use schemas. Just put everything under schema and grant user rights
> to the schema...

Also - have a look on techdocs.postgresql.org - before we had schemas someone
had written a plpgsql function to do wildcard matching of table names, also a
shell-script/perl iirc.

--
Richard Huxton
Archonet Ltd

From: Kris Jurka <books(at)ejurka(dot)com>
To: Shridhar Daithankar <shridhar(at)frodo(dot)hserus(dot)net>
Cc: Alexander Priem <ap(at)cict(dot)nl>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: Grant / Revoke functionality
Date: 2004-02-19 05:35:33
Message-ID: Pine.LNX.4.33.0402190033160.3059-100000@leary.csoft.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

On Wed, 18 Feb 2004, Shridhar Daithankar wrote:

> On Wednesday 18 February 2004 13:38, Alexander Priem wrote:
> > Is there a way in which I can give rights to a user for a set of
> > tables/views/sequences WITHOUT having to name all of the
> > table/view/sequence names?
>
> You can use schemas. Just put everything under schema and grant user
> rights to the schema...
>

This is not accurate. The only schema level permissions are CREATE and
USAGE they are independent of the permissions on the objects contained
within. He would still need to grant access to the underlying objects.

Kris Jurka

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: Shridhar Daithankar <shridhar(at)frodo(dot)hserus(dot)net>, Alexander Priem <ap(at)cict(dot)nl>, pgsql-general(at)postgresql(dot)org
Subject: Re: Grant / Revoke functionality
Date: 2004-02-19 06:34:46
Message-ID: 29423.1077172486@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Kris Jurka <books(at)ejurka(dot)com> writes:
> On Wed, 18 Feb 2004, Shridhar Daithankar wrote:
>> You can use schemas. Just put everything under schema and grant user
>> rights to the schema...

> This is not accurate. The only schema level permissions are CREATE and
> USAGE they are independent of the permissions on the objects contained
> within. He would still need to grant access to the underlying objects.

Right, but he could grant the required rights to PUBLIC and rely on
schema-level USAGE to control whether particular users can actually
get at particular objects. It'd be a pretty coarse-grained structure,
but it might be good enough.

Personally I'd suggest looking at using groups ...

regards, tom lane

From: "Chris Ochs" <chris(at)paymentonline(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Grant / Revoke functionality
Date: 2004-06-04 05:50:06
Message-ID: 022701c449f7$ca4f4940$239b2904@chris2
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

> On Wed, 18 Feb 2004, Shridhar Daithankar wrote:
>
> > On Wednesday 18 February 2004 13:38, Alexander Priem wrote:
> > > Is there a way in which I can give rights to a user for a set of
> > > tables/views/sequences WITHOUT having to name all of the
> > > table/view/sequence names?
> >
> > You can use schemas. Just put everything under schema and grant user
> > rights to the schema...
> >
>
> This is not accurate. The only schema level permissions are CREATE and
> USAGE they are independent of the permissions on the objects contained
> within. He would still need to grant access to the underlying objects.
>
> Kris Jurka
>

If you need to do this for a lot of users use group permissions, it's a lot
easier to manage.

Chris