From: | Bill Moran <wmoran(at)potentialtech(dot)com> |
---|---|
To: | Rikard Pavelic <rikard(dot)pavelic(at)zg(dot)htnet(dot)hr> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: security permissions for functions |
Date: | 2007-03-08 20:18:49 |
Message-ID: | 20070308151849.fe40c7a5.wmoran@potentialtech.com |
Lists: | pgsql-general |
In response to Rikard Pavelic <rikard(dot)pavelic(at)zg(dot)htnet(dot)hr>:
> Tom Lane wrote:
> > No, it's operating as designed. Per the GRANT reference page:
> > : Depending on the type of object, the initial default privileges may
> > : include granting some privileges to PUBLIC. The default is no public
> > : access for tables, schemas, and tablespaces; CONNECT privilege and TEMP
> > : table creation privilege for databases; EXECUTE privilege for functions;
> > : and USAGE privilege for languages. The object owner may of course revoke
> > : these privileges. (For maximum security, issue the REVOKE in the same
> > : transaction that creates the object; then there is no window in which
> > : another user may use the object.)
> >
> > You'll need to revoke the default public EXECUTE privilege on any
> > functions you don't want to be callable.
>
> Hmm, so the answer to my question
> "How can I assign execute permission to a role for a single function
> inside schema."
> is I can't?
How did you interpret "do it like this" to mean "you can't do it"?
REVOKE ALL ON FUNCTION <function name>(<argument types>) FROM PUBLIC;
> So this basically means that I can't fine tune the permissions through
> functions, but I
> can through views and tables?
> This looks like a bug in design to me ;(
Relax. You (somehow) misunderstood Tom.
--
Bill Moran
http://www.potentialtech.com
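The procedure Tom and Bill describe, worked through end to end as an added example (not code from the thread): create the function and revoke the default PUBLIC EXECUTE in the same transaction, then grant EXECUTE to one role only, and verify with has_function_privilege(). The schema, function and role names (app, sensitive_lookup, report_reader, other_user) are constructed for illustration.

```sql
-- Added example, not from the original thread. Names are constructed.
CREATE ROLE report_reader;
CREATE ROLE other_user;

BEGIN;

CREATE SCHEMA app;

-- A simple SQL function; the body is illustrative only.
CREATE FUNCTION app.sensitive_lookup(id integer) RETURNS text AS $$
    SELECT 'record ' || $1
$$ LANGUAGE sql;

-- Functions get EXECUTE for PUBLIC by default. Revoke it in the same
-- transaction as CREATE so there is no window in which any user can call it
-- (this is the point the GRANT reference page quoted above makes).
REVOKE ALL ON FUNCTION app.sensitive_lookup(integer) FROM PUBLIC;

-- Grant EXECUTE to exactly the role that needs it.
GRANT EXECUTE ON FUNCTION app.sensitive_lookup(integer) TO report_reader;

-- The role also needs USAGE on the schema to reach the function by name.
GRANT USAGE ON SCHEMA app TO report_reader;

COMMIT;

-- Check the result: report_reader -> t, other_user -> f.
SELECT rolname,
       has_function_privilege(rolname, 'app.sensitive_lookup(integer)', 'EXECUTE') AS can_execute
FROM pg_roles
WHERE rolname IN ('report_reader', 'other_user');
```

The argument type list after the function name is required in GRANT/REVOKE ON FUNCTION because PostgreSQL allows overloading; omitting the FUNCTION keyword makes the server treat the name as a table. The same pattern is the one to use for SECURITY DEFINER functions, where a default PUBLIC EXECUTE grant is most costly.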