From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Nathan Bossart <nathandbossart(at)gmail(dot)com>
Cc: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: improve predefined roles documentation
Date: 2024-06-25 16:16:30
Message-ID: CA+TgmoYTNH4kkwBF_WGp7wsuS8Yx9undYt80gBcjAV+BKUFBxQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jun 25, 2024 at 11:35 AM Nathan Bossart
<nathandbossart(at)gmail(dot)com> wrote:
> IIUC the intent of this is to expand on the following sentence in the
> existing docs:
>
> pg_database_owner cannot be a member of any role, and it cannot have
> non-implicit members.
>
> My instinct would be to do something like this:
>
> pg_database_owner cannot be granted membership in any role, and no role
> may be granted non-implicit membership in pg_database_owner.
But you couldn't grant someone implicit membership either, because
then it wouldn't be implicit. So maybe something like this:

pg_database_owner is a predefined role for which membership consists,
implicitly, of the current database owner. It cannot be granted
membership in any role, and no role can be granted membership in
pg_database_owner. However, like any role, it can own objects or
receive grants of access privileges. Consequently, once
pg_database_owner has rights within a template database, each owner of
a database instantiated from that template will exercise those rights.
Initially, this role owns the public schema, so each database owner
governs local use of the schema.

--
Robert Haas
EDB: http://www.enterprisedb.com
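
The following psql session is an added illustration of the behaviour the proposed wording describes; it is not part of the original message or of the PostgreSQL documentation. The role and object names (alice, bob, carol, appdb, audit_cfg) are made up for the example, and it assumes PostgreSQL 15 or later, where the public schema is owned by pg_database_owner, plus an authentication setup that lets the example roles connect.

```sql
-- Added example (not from the original message or the PostgreSQL docs).
-- Names alice, bob, carol, appdb and audit_cfg are invented for the demo.
-- Assumes PostgreSQL 15+ (public schema owned by pg_database_owner).

-- Start as a superuser, connected to the template database.
\c template1

CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
CREATE ROLE carol LOGIN;

-- 1. Membership cannot be granted in either direction.
GRANT pg_database_owner TO alice;   -- fails: pg_database_owner cannot have explicit members
GRANT alice TO pg_database_owner;   -- fails: pg_database_owner cannot be a member of any role

-- 2. Like any role, pg_database_owner can receive privilege grants.
CREATE TABLE audit_cfg (setting text PRIMARY KEY, value text NOT NULL);
INSERT INTO audit_cfg VALUES ('retention_days', '90');
REVOKE ALL ON audit_cfg FROM PUBLIC;
GRANT SELECT ON audit_cfg TO pg_database_owner;

-- 3. The table and its ACL are cloned into every database created from
--    this template (TEMPLATE template1 is the default), so the owner of
--    each such database exercises the right implicitly.
CREATE DATABASE appdb OWNER alice;

\c appdb alice
SELECT pg_has_role(current_user, 'pg_database_owner', 'MEMBER');  -- t: alice owns appdb
SELECT * FROM audit_cfg;                                         -- succeeds via pg_database_owner

-- 4. pg_database_owner owns public, so the database owner controls the
--    schema without a superuser having granted anything on it.
GRANT CREATE ON SCHEMA public TO bob;                            -- succeeds: alice acts as owner of public

-- 5. A role that is not the database owner has neither implicit
--    membership nor the inherited privilege.
\c appdb carol
SELECT pg_has_role(current_user, 'pg_database_owner', 'MEMBER');  -- f
SELECT * FROM audit_cfg;                                         -- fails: permission denied
```

The point of step 3 is operational: anything granted to pg_database_owner inside template1 (or any template) becomes a right of every future database owner, so such grants deserve the same review as a grant to a real role. Steps 1 and 2 together show why the wording has to distinguish "cannot be granted membership" from "cannot receive grants of privileges": the former is refused, the latter is exactly how the role is meant to be used.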