Re: Default permissisons from schemas

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> >> Whoa. You are going to allow people to create objects owned by someone
> >> else? I don't think so ... most Unix systems have forbidden object
> >> give-away for years, for very good reasons.
>
> > Hmm. While I agree with the sentiment, Unix does provide for setgid
> > such that objects inherit a specific group on creation. Using roles we
> > don't get that distinction so I don't think comparing it to Unix is a
> > slam-dunk. There do need to be limitations here though, certainly.
>
> Before discussing "limitations" you should first justify why we need any
> such concept at all. It was no part of the original TODO item and I
> cannot see any good use for it.

There are permissions which are not grantable but exist as implicitly
granted to the owner of object. These include drop, truncate, alter.
Practically, I find myself having to change the owner of objects which I
create almost as often as I'm defining the ACL for those objects. In
many of our schemas all the objects should be owned by the same 'admin'
role so that those who are in that role can perform the actions which
are only available to object owners, much the same as those objects
having a certain set of minimum ACLs.

This is, of course, only for object creation. It is possible to use
'set role' to set initial ownership on an object but for as much as it's
possible I find that it doesn't happen very often. I had thought it was
going to be possible to set up roles/permissions such that a newly
created object would be owned by the role through which the CREATE
permission is given but that doesn't seem to be the case (or perhaps I'm
doing something wrong with it).

Thanks,

Stephen