| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Ron Johnson <ron(dot)l(dot)johnson(at)cox(dot)net> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Ability to create tables |
| Date: | 2018-03-09 23:46:15 |
| Message-ID: | 27665.1520639175@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Ron Johnson <ron(dot)l(dot)johnson(at)cox(dot)net> writes:
> Even though I revoked the CREATE priv on role ABCREADONLY, it's still able
> to create tables. What can I do to prevent this?
> $ psql -c 'revoke create on database "ABC123" from "ABCREADONLY";'
That revokes the ability to create new schemas within that database
(which I suspect the role did not have anyway). What you need is
to remove its ability to create objects within the public schema
within that database. By default, that ability is granted to PUBLIC,
so that "revoke create on schema public from "ABCREADONLY";" won't
help either. What you have to do is "revoke create on schema public
from public", and then grant it back to just the roles that should have
it.
If you don't want the role creating temp tables either, you need to
revoke its TEMP right on the database (which *is* a database-level
privilege). Again, this'll involve disallowing that to PUBLIC,
since that default grant is how it's getting the privilege.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ron Johnson | 2018-03-10 00:10:47 | Re: Ability to create tables |
| Previous Message | Ron Johnson | 2018-03-09 23:13:48 | Ability to create tables |