Skip site navigation (1) Skip section navigation (2)

Re: the "users" group and restricting privileges

From: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>
To: Dan Tenenbaum <dandante(at)gmail(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: the "users" group and restricting privileges
Date: 2005-11-30 00:13:04
Message-ID: 20051130001304.GV78939@pervasive.com (view raw or flat)
Thread:
Lists: pgsql-admin
On Tue, Nov 29, 2005 at 03:30:33PM -0800, Dan Tenenbaum wrote:
> I want to create a postgresql user with restricted permissions--all it
> should be able to do is select on a few views that I specify.
> 
> So I did the following, as the database owner:
> create user viewer password 'xxxx';
> grant select on myview to viewer;
> 
> Then, when I start psql as the viewer user, specifying the same database
> with the -d switch, I try this:
> select * from myview;
> and get this:
> ERROR: permission denied for schema myschema
> What do I need to do to get the correct permissions?

GRANT USAGE ON SCHEMA myschema TO viewer;

> Also, there is a group called "users" and the database owner is in that
> group. But I have not granted any explicit privileges to that group. And the
> database is owned by a particular user, not a group. However, I notice that
> when I added the "viewer" user to the "users" group, that the user seemed to
> be able to do everything that the database owner could do. That is not what
> I want. But the above (not being able to select a view that I thought I had
> select permission for) is not what I want either.
> 
> The above paragraph would seem to suggest that a group called "users" has
> some special properties. I could not find any documentation for that in the
> postgres docs (I am using version 7.4). Perhaps I couldn't find it because
> almost every page in the docs seems to have the word "users" in it, so it is
> hard to disambiguate my search.
> If someone could point me towards documentation of the special properties of
> the "users" group that would be helpful...but the thing I most want help
> with is creating a user with restricted views as described above.

There is no default users group, only PUBLIC (which isn't really a group
in the system afaict).

If you install newsysviews (http://pgfoundry.org/projects/newsysviews/)
you can query pg_user_grants to help diagnose where the permissions are
comming from. Or you could use a big, hairy query to do it...
-- 
Jim C. Nasby, Sr. Engineering Consultant      jnasby(at)pervasive(dot)com
Pervasive Software      http://pervasive.com    work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf       cell: 512-569-9461

In response to

pgsql-admin by date

Next:From: Tom LaneDate: 2005-11-30 00:21:31
Subject: Re: the "users" group and restricting privileges
Previous:From: Dan TenenbaumDate: 2005-11-29 23:30:33
Subject: the "users" group and restricting privileges

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group