| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Guillaume Lelarge <guillaume(at)lelarge(dot)info> |
| Cc: | etienne(dot)decherf-ext(at)aphp(dot)fr, pgsql-sql <pgsql-sql(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: multiple roles for a user ? |
| Date: | 2018-11-05 15:08:45 |
| Message-ID: | CAKFQuwbiFuVbAti8udw+O1O-WHiHnBJD=Fkj-79WKpCqRdrb0w@mail.gmail.com |
| Lists: | pgsql-sql |
On Mon, Nov 5, 2018 at 6:25 AM Guillaume Lelarge <guillaume(at)lelarge(dot)info> wrote:
>
> On Mon, Nov 5, 2018 at 12:15, DECHERF Étienne <etienne(dot)decherf-ext(at)aphp(dot)fr> wrote:
>>
>> 2. plus a role "Role_user" particular for each of them for its additional personal access
>>
>> with "grants" and "revokes" on other tables and columns.
> Yes, though you can only grant privileges this way. Not revoke some.
Phrased differently, "REVOKE" removes a previously GRANT'd permission;
it does not set up a "denial of permission". The permission system in
PostgreSQL is purely additive - roles start with zero permissions and are
strictly granted the ability to do things. You have to revoke
permissions where they are granted originally when inheritance is in
play.
David J.
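
The behaviour described in this message, as an added SQL example that is not part of the original thread. The names `role_common`, `role_alice`, `alice` and `patients` are constructed for illustration, and the session is assumed to be allowed to create roles; everything runs in a transaction that is rolled back.

```sql
BEGIN;

-- Constructed setup: one shared group role, one personal role, one login user.
CREATE ROLE role_common NOLOGIN;
CREATE ROLE role_alice  NOLOGIN;
CREATE ROLE alice LOGIN INHERIT;
GRANT role_common, role_alice TO alice;

CREATE TABLE patients (id int, name text, diagnosis text);

-- The only grant on the table is made to the shared role.
GRANT SELECT ON patients TO role_common;

-- Attempted "deny" on the personal side. Nothing was ever granted to
-- role_alice or to alice directly, so these statements find no grant
-- to remove and create no denial entry.
REVOKE SELECT ON patients FROM role_alice;
REVOKE SELECT ON patients FROM alice;

-- Effective privilege check: has_table_privilege() takes inherited
-- role memberships into account, so the grant held by role_common
-- still counts for alice here.
SELECT has_table_privilege('alice', 'patients', 'SELECT') AS after_personal_revoke;

-- Revoking where the privilege was originally granted is what removes it
-- for every member that only held it through inheritance.
REVOKE SELECT ON patients FROM role_common;
SELECT has_table_privilege('alice', 'patients', 'SELECT') AS after_group_revoke;

-- Additive way to give one user narrower access: grant only the wanted
-- columns to the personal role instead of trying to subtract from the
-- shared one.
GRANT SELECT (id, name) ON patients TO role_alice;
SELECT has_column_privilege('alice', 'patients', 'name',      'SELECT') AS can_read_name,
       has_column_privilege('alice', 'patients', 'diagnosis', 'SELECT') AS can_read_diagnosis;

-- Audit view of who holds what on the table (grantee is the role that
-- actually received the grant, which is where a REVOKE must be aimed).
SELECT grantee, privilege_type
FROM information_schema.table_privileges
WHERE table_name = 'patients';

ROLLBACK;
```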