Re: Role Permissions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Craig" <postgresql(at)bryden(dot)co(dot)za>
Cc: "PG-General" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Role Permissions
Date: 2006-01-07 17:26:38
Message-ID: 29427.1136654798@sss.pgh.pa.us
Lists: pgsql-general

"Craig" <postgresql(at)bryden(dot)co(dot)za> writes:
> I am trying to prevent anyone that inherits from role1 to not be able to
> select from any database table, unless they execute a function that I
> have provided. How do I set up the security for this?

You need to mark the function as SECURITY DEFINER, which means that it
runs with its creator's permissions. By default a function runs with
the caller's permissions.

(Yeah, SECURITY DEFINER is a pretty obscure name for this. It's what
the SQL spec requires though :-()

regards, tom lane
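
An added example, not part of the message above, of the setup it describes on a current PostgreSQL release: the names `accounts`, `account_balance` and `app_owner` are hypothetical, and it assumes a superuser session. It also pins `search_path` and revokes the default PUBLIC execute grant, as the PostgreSQL documentation advises for SECURITY DEFINER functions.

```sql
-- Hypothetical names throughout; run as a superuser. Everything is rolled back.
BEGIN;

CREATE ROLE app_owner NOLOGIN;   -- owns the data and the function
CREATE ROLE role1 NOLOGIN;       -- the restricted role from the question

CREATE TABLE public.accounts (
    id      integer PRIMARY KEY,
    owner   text    NOT NULL,
    balance numeric NOT NULL
);
ALTER TABLE public.accounts OWNER TO app_owner;

-- No direct table access for role1, or for PUBLIC, which every role belongs to.
REVOKE ALL ON public.accounts FROM PUBLIC;
REVOKE ALL ON public.accounts FROM role1;

-- SECURITY DEFINER: the body runs with the privileges of the function's owner.
-- The fixed search_path keeps a caller from substituting objects of its own.
CREATE FUNCTION public.account_balance(p_id integer)
RETURNS numeric
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT balance FROM public.accounts WHERE id = p_id;
$$;
ALTER FUNCTION public.account_balance(integer) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default; limit that to role1.
REVOKE ALL ON FUNCTION public.account_balance(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.account_balance(integer) TO role1;

-- Constructed sample row, inserted before switching roles.
INSERT INTO public.accounts VALUES (1, 'alice', 100);

SET ROLE role1;
SELECT public.account_balance(1);   -- goes through the function, as app_owner
-- A direct "SELECT * FROM public.accounts" here is refused for role1.
RESET ROLE;

ROLLBACK;
```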
