Re: security permissions for functions

Rikard Pavelic wrote:
> Tom Lane wrote:
>> No, it's operating as designed. Per the GRANT reference page:
>> : Depending on the type of object, the initial default privileges may
>> : include granting some privileges to PUBLIC. The default is no public
>> : access for tables, schemas, and tablespaces; CONNECT privilege and TEMP
>> : table creation privilege for databases; EXECUTE privilege for
>> functions;
>> : and USAGE privilege for languages. The object owner may of course
>> revoke
>> : these privileges. (For maximum security, issue the REVOKE in the same
>> : transaction that creates the object; then there is no window in which
>> : another user may use the object.)
>>
>> You'll need to revoke the default public EXECUTE privilege on any
>> functions you don't want to be callable.
>>
>> regards, tom lane
>>
>
> Hmm, so the answer to my question
> "How can I assign execute permission to a role for a single function
> inside schema."
> is I can't?

You can but the default is to allow the execution of all functions.

You need to revoke the existing permission of executing all functions
before you can allow only a single function to be run.

If you want a specific function to be accessed only by selected roles
then you revoke public access when you create it and allow access to the
one or more roles you want to allow access.

--

Shane Ambler
pgSQL(at)Sheeky(dot)Biz

Get Sheeky @ http://Sheeky.Biz