| From: | Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Q: GRANT ... WITH ADMIN on PG 17 |
| Date: | 2025-08-21 15:36:07 |
| Message-ID: | aKc855Ez-iHiJ6ww@hermes.hilbert.loc |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Dear all,
PG 17 documentation says that using "WITH ADMIN" allows the
role being added to another group role to grant/revoke
membership in said group to other roles.
Does this imply that an ADMIN role _must_ itself be a member
of the group role it is to maintain membership of ?
The question arises from a scenario where a DBA role would
not need to be a member of a clinical group role but would
be intended to maintain membership of clinical user roles
within that group role.
From a security point of view the question might be moot
because an ADMIN role could always grant itself membership
in the group role -- but it feels wrong for reasons of
theoretical "correctness".
IOW:
- gm-dbo: user role for a DBA admin (not! superuser)
- gm-bones: user role for a LLAP doctor
- gm-doctors: group role for doctors, upon which are resting
access permissions for clinical data
- gm-bones is to be a member of gm-doctors in order to access clinical data
- gm-dbo is intended to manage membership of gm-bones in gm-doctors
- however, gm-dbo need not itself be a member of gm-doctors
Is that possible within the current (as of PG 17) framework ?
Thanks,
Karsten
--
GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2025-08-21 15:46:00 | Re: Q: GRANT ... WITH ADMIN on PG 17 |
| Previous Message | hubert depesz lubaczewski | 2025-08-21 15:13:42 | Re: Streaming replica hangs periodically for ~ 1 second - how to diagnose/debug |