On May23, 2012, at 00:21 , Josh Berkus wrote: >> If you could help me work out the semantics and the high-level issues, >> I'd love to spend time on this for 9.3... > > Syntax seems simple: CREATE LOCAL ROLE ... > > For that matter, let's keep other things simple: > > 1. local roles can inherit only from other local roles > 2. global roles can inherit only from other global roles > 3. only a global role can be a database owner
+1 to (2) and (3). If we do (1), we need to allow granting privileges on global objects (think tablespaces) to local roles. Otherwise, how would you make a tablespace usable to a certain local role? That, however, seems difficult, because we wouldn't want local role OIDs to appear in pg_tablespace's spacl column. If we, OTOH, allowed local roles to inherit from global roles, we could still forbit such GRANTs. One would then simply have to create a global proxy role which has the necessary privileges, and which local roles would inherit from instead of being granted the privileges directly. Allowing (1) doesn't seem that hard, because it just requires us to be able to store dependencies of local roles on global roles, which pg_shdepend already (almost, we'd probably need to add deptype SHARED_DEPENDENCY_MEMBER) support. best regards, Florian Pflug -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
