| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Hans-Jürgen Schönig <hs(at)cybertec(dot)at> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Groups and roles |
| Date: | 2003-06-10 17:45:50 |
| Message-ID: | Pine.LNX.4.44.0306101910170.2367-100000@peter.localdomain |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hans-Jürgen Schönig writes:
> Imagine having groups having rights on dozens of tables. If these groups
> were assigned to a role it would be an easy task to block numerous
> groups from executing SQL at once. Currently a user has all rights of
> all groups he belongs to so it is damn hard to say that 1000 users
> should not be allowed to do anything for a period of time (because of
> maintenance or so). If all those users (but the superuser) had a certain
> role, the role could be modified instead of those 1000 users/groups (eg.
> REVOKE login, execute_sql FROM some_role).
I think you can do that with groups: Create a number of groups, say
users1, users2, etc., and then, at the predermined hour, you do:
BEGIN;
REVOKE privilege FROM users1;
GRANT privilege TO users2;
COMMIT;
This might be helped if groups could contain other groups, so that
"privilege" could be a group/role name, to ease administration, but that
does not create any distinction between the concepts role and group.
--
Peter Eisentraut peter_e(at)gmx(dot)net
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jan Wieck | 2003-06-10 17:46:36 | Re: Proposal to Re-Order Postgresql.Conf, part II |
| Previous Message | Peter Eisentraut | 2003-06-10 17:45:09 | Re: Groups and roles |