Jeff Davis <pg...@j-davis.com> writes: > On Sun, 2009-06-28 at 14:32 -0400, Tom Lane wrote: >> Jeff Davis <pg...@j-davis.com> writes: >>> My idea is to have a "GRANT mask": >>> CREATE ROLE foo_ro GRANT (SELECT ON TABLE, USAGE ON SCHEMA) FROM foo; >> >> You haven't really explained what "foo" is here.
> I meant for "foo" to be a user. "foo_ro" would be the read-only version, > who has a strict subset of foo's permissions. I see. It seems like rather a complicated (and expensive) mechanism for a pretty narrow use-case. It'd only help for the cases where you could define your permissions requirements that way. I agree that there are some such cases, but I think real-world problems tend to be a bit more complicated than that. I fear people would soon want exceptions to the "strict subset" rule; and once you put that in, the conceptual simplicity disappears, as does the ability to easily verify what the set of GRANTs is doing. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers