Jim,

* Jim Nasby (jim.na...@bluetreble.com) wrote:
> On 3/3/15 5:22 PM, Stephen Frost wrote:
> >The
> >problem with the role attribute approach is that they aren't inheirted
> >the way GRANTs are, which means you can't have a "backup" role that is
> >then granted out to users, you'd have to set a "BACKUP" role attribute
> >for every role added.
> 
> Yeah, but you'd still have to grant "backup" to every role created
> anyway, right?

Yes, you would.

> Or you could create a role that has the backup attribute and then
> grant that to users. Then they'd have to intentionally SET ROLE
> my_backup_role to elevate their privilege. That seems like a safer
> way to do things...

This is already possible with the GRANT system- create a 'noinherit'
role instead of an 'inherit' role.  I agree it's safer to require a
'SET ROLE' and configure all of my systems with a noinherit 'admin'
role.

        Thanks!

                Stephen

Attachment: signature.asc
Description: Digital signature

Reply via email to