On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfr...@snowman.net> wrote:
> This would simply REVOKE that role from the user. Privileges > independently GRANT'd directly to the user wouldn't be affected. Nor > would other role membership. > > > What privileges would the user be left with? Would it be possible to end > up in the same privilege only with a GRANT command? > What about: REVOKE SELECT ON [table] FROM pg_read_all_data; I guess what I’m really asking is whether pg_read_all_data is automatically granted SELECT on all newly-created relations, or if the permission checking system always returns TRUE when asked if pg_read_all_data can select from a relation? I’m guessing it’s the latter so that it would be ineffective to revoke select privilege as I think this is more useful, but I’d like to be sure and the documentation should be explicit on this point.