I am implementing the grant option feature, which enables an object owner to allow others to re-grant privileges. For REVOKE you can specify CASCADE, and privileges granted in this manner are revoked recursively.

Currently, I have made it so that you can only give grant options to users, not groups. The problem is that when a user has granted privileges having had the grant option through a group and is later removed from the group, then the privileges should be revoked, but the old problem is that it's not possible to do this in all databases.

I have extended the aclitem external format as follows: grantee=a*bc*/grantor means the "a" and "c" privileges are held with grant option (the letters are just examples), and the whole thing was granted by the given grantor. (You can hold the same privilege many times, granted by different users.) What are the requirements for backward compatibility here? If the "*" are missing, then the privilege is held without grant option, which is currently the default. If the "/grantor" portion is missing, then it's assumed to be equivalent to the grantee. This makes sense in a limited number of cases. One would like to have the object owner as the default, but the "aclitemout" function doesn't have information about that.

I noted three undocumented SQL functions operating on ACLs: aclinsert, aclremove, aclcontains. What are those intended for? How should they maintain the integrity of the ACL that is ensured by cascading revoke?

In order to query the availability of a grant option, I would like to extend the has_foo_privilege family of functions so that they can take as the privilege type argument, say, 'UPDATE WITH GRANT OPTION' instead of 'UPDATE'.

In order to be able to represent the grantee/grantor relationship in the information schema, I also need a function has_foo_privilege_granted_by(grantee, objectid, priv, grantor).

Comments?

-- 
Peter Eisentraut [EMAIL PROTECTED]
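The proposed grantee=a*bc*/grantor format and the cascading-revoke rule it has to support, as an added Python example (not code from the post or from PostgreSQL itself): parse_aclitem applies the two defaults from the proposal, has_privilege mirrors what has_foo_privilege / has_foo_privilege_granted_by would answer, and revoke_cascade walks re-grants recursively. The names AclItem, revoke_cascade and the sample ACL are all made up here for illustration.

```python
from dataclasses import dataclass

@dataclass
class AclItem:
    grantee: str
    privs: set          # privilege letters held
    grant_option: set   # subset of privs held WITH GRANT OPTION
    grantor: str

def parse_aclitem(text):
    """Parse 'grantee=a*bc*/grantor': '*' marks the preceding letter as held
    with grant option; a missing '/grantor' defaults the grantor to the grantee."""
    grantee, eq, rest = text.partition("=")
    if not eq or not grantee: raise ValueError(f"missing 'grantee=' in {text!r}")
    privpart, slash, grantor = rest.partition("/")
    if not slash or not grantor:
        grantor = grantee            # default from the proposal
    privs, opts, prev = set(), set(), None
    for ch in privpart:
        if ch == "*":
            if prev is None: raise ValueError(f"'*' must follow a letter in {text!r}")
            opts.add(prev)
            prev = None              # rejects 'a**'
        elif ch.isalpha():
            privs.add(ch); prev = ch
        else:
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return AclItem(grantee, privs, opts, grantor)

def format_aclitem(item):
    body = "".join(p + ("*" if p in item.grant_option else "") for p in sorted(item.privs))
    return f"{item.grantee}={body}/{item.grantor}"

def has_privilege(acl, grantee, priv, with_grant_option=False, granted_by=None):
    """Like has_foo_privilege / has_foo_privilege_granted_by over a parsed ACL."""
    return any(i.grantee == grantee and priv in i.privs
               and (not with_grant_option or priv in i.grant_option)
               and (granted_by is None or i.grantor == granted_by) for i in acl)

def revoke_cascade(acl, grantee, priv, grantor):
    """REVOKE ... CASCADE: drop priv from the (grantee, grantor) entry; if grantee
    then holds no grant option for priv, recursively revoke grants it made."""
    for i in acl:
        if i.grantee == grantee and i.grantor == grantor:
            i.privs.discard(priv); i.grant_option.discard(priv)
    if not has_privilege(acl, grantee, priv, with_grant_option=True):
        for i in list(acl):
            if i.grantor == grantee and priv in i.privs:
                revoke_cascade(acl, i.grantee, priv, grantee)
    acl[:] = [i for i in acl if i.privs]   # drop entries left with nothing
```

Revoking "a" from alice (granted by owner) in an ACL where bob holds "a" from alice removes bob's entry too, unless alice still holds "a" with grant option from some other grantor.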