From: | "Pascal Tufenkji" <ptufenkji(at)usj(dot)edu(dot)lb> |
---|---|
To: | "'Shane Ambler'" <pgsql(at)Sheeky(dot)Biz> |
Cc: | <pgsql-sql(at)postgresql(dot)org> |
Subject: | Re: Postgres roles |
Date: | 2008-02-08 14:54:07 |
Message-ID: | 200802081442.m18Eg3F1025812@Citrus.usj.edu.lb |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
Hi Shane,
You are exactly right.
My issue is that, I now have one role called sti - that has carried the
group members from the old version -
So what do you think my options are, so I can separate them?
I have only one option in my mind:
- Revoke the members from the role sti
- Create a new role (that has rolcanlogin set to false) called
sti_group
- Assign the members to it
- Finally, fix all the permissions for all the tables (add the
permissions to the new group sti_group)
which seems like a huge amount of work.
In that case I'll be able to give permissions such as :
GRANT SELECT ON table TO sti_group;
GRANT SELECT,INSERT,UPDATE,DELETE ON table TO sti;
Is there a better solution ?
Pascal
-----Original Message-----
From: pgsql-sql-owner(at)postgresql(dot)org [mailto:pgsql-sql-owner(at)postgresql(dot)org]
On Behalf Of Shane Ambler
Sent: Friday, February 08, 2008 3:54 PM
To: ptufenkji(at)usj(dot)edu(dot)lb
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: [SQL] Postgres roles
Pascal Tufenkji wrote:
> My questions are:
>
>
>
> 1. how do I identify the users assigned to this role :
> (in the older version)
> SELECT grolist from pg_group where groname = 'sti';
>
"The view pg_group exists for backwards compatibility: it emulates a
catalog that existed in PostgreSQL before version 8.1. It shows the
names and members of all roles that are marked as not rolcanlogin, which
is an approximation to the set of roles that are being used as groups."
Use pg_roles to get the user and group info. Use pg_auth_members to get
the list of members that belong to each group role.
(any role can be used for a group but it is usually a role that has
rolcanlogin set to false, and has members recorded in pg_auth_members)
http://www.postgresql.org/docs/8.2/interactive/user-manag.html
can explain it better - or more specifically
http://www.postgresql.org/docs/8.2/interactive/role-membership.html
>
> 2. how do I differ granting permissions on a table to the user sti
from
> the whole members of the group sti
> (in the older version)
> GRANT SELECT ON table TO group sti;
> GRANT SELECT,INSERT,UPDATE,DELETE ON table TO sti;
>
Use a more descriptive name for the group or simply sti_group.
I am guessing that you have an issue because you now have one role
called sti - that has carried the group members from the old version -
this is the admin userid used to login but because it is used as a group
it passes it's privileges to all members of sti.
--
Shane Ambler
pgSQL (at) Sheeky (dot) Biz
Get Sheeky @ http://Sheeky.Biz
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
From | Date | Subject | |
---|---|---|---|
Next Message | Ken Johanson | 2008-02-08 21:04:37 | What are the (various) best practices/opinions for table/column/constraint naming? |
Previous Message | Shane Ambler | 2008-02-08 13:53:50 | Re: Postgres roles |