| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | richard coleman <rcoleman(dot)ascentgl(at)gmail(dot)com>, Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: database specific pg_read_all_data / pg_write_all_data |
| Date: | 2025-12-10 10:01:18 |
| Message-ID: | 72acf8ae4e56886081b9f632569f290d3246c33b.camel@cybertec.at |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Tue, 2025-12-09 at 16:13 -0500, richard coleman wrote:
> In PostgreSQL 16+ the built in roles such as pg_read_all_data and pg_write_all_data are a welcome addition to permission setting in PostgreSQL.
>
> Unfortunately they appear to be server-wide roles.
>
> Woud it be possible to have roles like these that are database specific?
>
> If there are 100 databases on a server, it would be extremely helpful to be able to do something like:
>
> grant pg_read_all_data on database foo to user_role;
>
> Otherwise these roles are unusable from a practical stand point on servers with multiple unrelated databases.
I think they were mostly added for compatibility with Microsoft SQL Server,
if I remember correctly.
I suggest creating roles named "readonly_dbname" for each database with
the appropriate privileges and assigning those.
A different approach would be to use different database clusters for different
databases.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | richard coleman | 2025-12-10 13:06:17 | Re: database specific pg_read_all_data / pg_write_all_data |
| Previous Message | Laurenz Albe | 2025-12-10 09:52:41 | Re: Data quality assessment |