Re: privilege inheritance to a login role through a group role

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Kasia Tuszynska <ktuszynska(at)esri(dot)com>
Cc: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: privilege inheritance to a login role through a group role
Date: 2009-03-31 23:39:18
Message-ID: 20824.1238542758@sss.pgh.pa.us
Lists: pgsql-admin
Kasia Tuszynska <ktuszynska(at)esri(dot)com> writes:
> I am having issues with privilege inheritance to a login role through a group role.

> These are the steps I am performing:

>  1.  data: stcities belongs to user gdb, it resides in the gdb schema
>  2.  map user is a login role:
> CREATE ROLE map LOGIN
>   ENCRYPTED PASSWORD 'md59ec9dda576db2a36c42c1c3af155d07c'
>   NOSUPERUSER NOINHERIT CREATEDB NOCREATEROLE;

>  3.  editor role is created, and privileges to the data are granted to it:
> CREATE ROLE editor NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
> GRANT select on gdb.stcities TO editor;

>  4.  user map is made a member of the editor role:
> GRANT editor TO map;

> Now, theoretically, I am expecting the map role to be able to inherit the select privileges via the editor group role to the gdb.stcities data.

You've got the INHERIT bit backwards: you'd have to apply INHERIT to
map, not editor, to have editor's privileges automatically work for map.

If there's some identifiable bit of the documentation that confused you
about this, please point it out so we can improve it.

			regards, tom lane
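
Added example, not part of the original message: a constructed reproduction of the setup quoted above, showing how to check which role's INHERIT attribute applies and the two ways map can get editor's privileges. It assumes a throwaway cluster, a superuser session, and a PostgreSQL release before 16, where the member role's INHERIT attribute is consulted when privileges are checked; the one-column table, the schema USAGE grant and the omitted password are assumptions not in the post.

```sql
-- Constructed reproduction of the roles and table from the thread.
CREATE ROLE gdb;
CREATE SCHEMA gdb AUTHORIZATION gdb;
CREATE TABLE gdb.stcities (id integer);      -- column list is a placeholder
ALTER TABLE gdb.stcities OWNER TO gdb;

CREATE ROLE map LOGIN NOSUPERUSER NOINHERIT CREATEDB NOCREATEROLE;
CREATE ROLE editor NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT SELECT ON gdb.stcities TO editor;
GRANT USAGE ON SCHEMA gdb TO editor;         -- assumption: needed to reach the table at all
GRANT editor TO map;

-- INHERIT is read from the member role (map), not from the group role (editor).
SELECT rolname, rolinherit
FROM pg_roles
WHERE rolname IN ('map', 'editor');

-- 'MEMBER' tests membership; 'USAGE' tests whether the group's privileges
-- are active for map without SET ROLE. With NOINHERIT on map they differ.
SELECT pg_has_role('map', 'editor', 'MEMBER')               AS is_member,
       pg_has_role('map', 'editor', 'USAGE')                AS privileges_active,
       has_table_privilege('map', 'gdb.stcities', 'SELECT') AS can_select;

-- Option 1: keep NOINHERIT and switch to the group role explicitly.
SET SESSION AUTHORIZATION map;
SET ROLE editor;
SELECT count(*) FROM gdb.stcities;
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Option 2: the fix from the reply, put INHERIT on the member role.
ALTER ROLE map INHERIT;
SELECT pg_has_role('map', 'editor', 'USAGE')                AS privileges_active,
       has_table_privilege('map', 'gdb.stcities', 'SELECT') AS can_select;

-- Cleanup of the constructed objects.
DROP TABLE gdb.stcities;
DROP SCHEMA gdb;
DROP ROLE map, editor, gdb;
```

Option 1 keeps editor's privileges out of map's default sessions, so they apply only after an explicit SET ROLE; option 2 makes them apply to every session map opens.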
