* Manfred Koizar ([EMAIL PROTECTED]) wrote: > On Wed, 24 Aug 2005 07:01:00 +0200, Andreas Seltenreich > <[EMAIL PROTECTED]> wrote: > >However, a question arose quickly: According to the standard, revoking > >INSERT, UPDATE and DELETE after GRANT ALL PRIVILEGES would leave the > >relation read-only, but with the TRUNCATE privilege lying around, this > >would no longer be true for PostgreSQL. > > I'd say that the TRUNCATE privilege includes DELETE, so that REVOKE > DELETE implicitly revokes TRUNCATE and GRANT TRUNCATE implicitly > grants DELETE.
I disagree with implicitly granting/revokeing. Rather, if we're going to go this route, we should require both DELETE and TRUNCATE rights on the object in order to TRUNCATE it but otherwise have TRUNCATE privileges and DELETE privileges be distinct from each other in terms of being granted/revoked. This follows the SELECT/UPDATE relationship. Granting UPDATE doesn't implicitly grant SELECT, and revoking SELECT doesn't implicitly revoke UPDATE; but in order to actually UPDATE you need SELECT rights. Thanks, Stephen
signature.asc
Description: Digital signature