Re: REVOKE DROP rights

From: Miles Elam <miles(dot)elam(at)productops(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: REVOKE DROP rights
Date: 2019-09-11 20:45:05
Message-ID: CAALojA8jLVkTM0G-PgP4d6hAH-Jb2n2kM+sNrDd90ps2TzB3NQ@mail.gmail.com
Lists: pgsql-general

Makes sense. Thanks!

On Wed, Sep 11, 2019 at 1:43 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Miles Elam <miles(dot)elam(at)productops(dot)com> writes:
> > Is there any way to prevent a user from dropping a table when that user has
> > create rights? I'd like to allow that user to be able to create and delete
> > their own tables but not specific shared tables.
>
> I think maybe you didn't read the manual closely. Creation privileges
> cover the right to create an object (in a given database or
> schema), but only the creator/owner has the right to drop a particular
> object once it exists.
>
> We do grant the owner of a schema or database the right to drop objects
> within it, since they could surely achieve that result by dropping the
> whole schema or database. But merely having create privilege doesn't
> extend to that.
>
> So basically you want a shared schema that is owned by some trusted
> role, and your less-trusted roles have create (and usage!) on that
> schema.
>
> regards, tom lane
>
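
The arrangement described in the quoted reply, sketched as an added example that is not part of the original thread: a shared schema owned by a trusted role, with CREATE and USAGE granted to a less-trusted role. The role, schema and table names (trusted_owner, app_user, shared, reference_data, scratch) are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Added example; all role, schema and table names are hypothetical.
CREATE ROLE trusted_owner NOLOGIN;
CREATE ROLE app_user NOLOGIN;   -- must NOT be a member of trusted_owner

-- The shared schema belongs to the trusted role, not to its users.
CREATE SCHEMA shared AUTHORIZATION trusted_owner;

-- USAGE lets app_user resolve names in the schema; CREATE lets it add
-- new objects. Neither privilege covers dropping objects owned by others.
GRANT USAGE, CREATE ON SCHEMA shared TO app_user;

-- A shared table, created and therefore owned by the trusted role.
SET ROLE trusted_owner;
CREATE TABLE shared.reference_data (id int PRIMARY KEY, label text);
GRANT SELECT ON shared.reference_data TO app_user;
RESET ROLE;

-- What the less-trusted role can and cannot do.
SET ROLE app_user;
CREATE TABLE shared.scratch (id int);          -- allowed: CREATE on the schema
SELECT count(*) FROM shared.reference_data;    -- allowed: SELECT was granted
DROP TABLE shared.reference_data;              -- rejected: app_user is not the owner
DROP TABLE shared.scratch;                     -- allowed: app_user owns this table
RESET ROLE;

-- Checks: who owns each table in the schema, and what app_user holds on it.
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname = 'shared';

SELECT has_schema_privilege('app_user', 'shared', 'CREATE') AS can_create,
       has_schema_privilege('app_user', 'shared', 'USAGE')  AS can_use;

-- The schema owner itself should be the trusted role.
SELECT n.nspname, r.rolname AS schema_owner
FROM pg_namespace n
JOIN pg_roles r ON r.oid = n.nspowner
WHERE n.nspname = 'shared';
```

The ownership query is the one to re-run after migrations: a shared table that was created while connected as app_user is owned by app_user and can be dropped by it.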
