Re: Latest requests from IRC

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Latest requests from IRC
Date: 2004-05-23 16:18:37
Message-ID: 24453.1085329117@sss.pgh.pa.us
Lists: pgsql-hackers

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> wrote:
>> ... people want to be able to grant on all objects in a
>> database, etc:

> The right way to do this is to make sure there is a group that has access
> to "everything" and just add people to the group.

Doesn't seem like that magically solves the problem, though. You still
have lots of pain involved in granting privs on everything to that
group.

I don't have any fundamental problem with something like "GRANT SELECT
ON TABLE * TO foo", seeing as how we already allow grants on multiple
tables. But we'd have to be very careful about how the scope of the *
wildcard is defined. For instance, if a superuser does it, does it
really grant privs on *all* tables? I'd hope that the system catalogs,
at least, are not implicitly included in the wildcard scope. For lesser
mortals there is also the question of whether to error out or just
ignore tables that you don't have privileges for.

Would it make sense to restrict the wildcard to a particular schema, viz
GRANT SELECT ON TABLE myschema.* TO foo
This would neatly solve the question of how to exclude the system
catalogs, and in most scenarios where people are wishing for this,
I bet they've put all the objects in one schema anyway.

regards, tom lane
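
The schema-scoped wildcard discussed in this message, emulated with a catalog query (an added illustration, not part of the original message and not PostgreSQL project code). It uses the message's own names `myschema` and `foo`, and it picks the "ignore" answer to the error-or-skip question as an assumption.

```sql
-- Added example: emulate "GRANT SELECT ON TABLE myschema.* TO foo".
-- Scope is exactly one named schema, so pg_catalog and
-- information_schema can never be matched by the "wildcard".
DO $$
DECLARE
    t       record;
    granted integer := 0;
    skipped integer := 0;
BEGIN
    FOR t IN
        SELECT c.oid, n.nspname, c.relname
        FROM pg_class c
        JOIN pg_namespace n ON n.oid = c.relnamespace
        WHERE n.nspname = 'myschema'   -- schema named in the message
          AND c.relkind = 'r'          -- ordinary tables only
        ORDER BY c.relname
    LOOP
        -- Owners and superusers hold grant options implicitly; anyone
        -- else needs SELECT WITH GRANT OPTION to pass the privilege on.
        IF has_table_privilege(current_user, t.oid,
                               'SELECT WITH GRANT OPTION') THEN
            -- %I quotes identifiers, so odd table names cannot alter
            -- the generated statement.
            EXECUTE format('GRANT SELECT ON TABLE %I.%I TO %I',
                           t.nspname, t.relname, 'foo');
            granted := granted + 1;
        ELSE
            -- Assumed policy: skip and report. To get the "error out"
            -- behaviour instead, replace this branch with
            -- RAISE EXCEPTION.
            skipped := skipped + 1;
            RAISE NOTICE 'skipped %.%: caller cannot grant SELECT',
                         t.nspname, t.relname;
        END IF;
    END LOOP;
    RAISE NOTICE 'granted on % table(s), skipped %', granted, skipped;
END
$$;
```

Current PostgreSQL releases provide `GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO foo` for the schema-scoped case.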
