Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uMRoN-00BwOV-Tt for pgsql-admin@arkaria.postgresql.org; Tue, 03 Jun 2025 13:36:15 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uMRoL-000R81-Ml for pgsql-admin@arkaria.postgresql.org; Tue, 03 Jun 2025 13:36:14 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uMRoL-000R7s-A0 for pgsql-admin@lists.postgresql.org; Tue, 03 Jun 2025 13:36:13 +0000 Received: from mail-wr1-x42e.google.com ([2a00:1450:4864:20::42e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uMRoG-0000bW-2K for pgsql-admin@lists.postgresql.org; Tue, 03 Jun 2025 13:36:12 +0000 Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-3a5058d46ceso1461534f8f.0 for ; Tue, 03 Jun 2025 06:36:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1748957767; x=1749562567; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date :message-id:reply-to; bh=HvZqXw0QFtqp+xs3rOrDypLx7qdNhV2UJn9pGH/96IQ=; b=RqJUbk/85dLac1odcLCHL+oHFN9SktqRSTIszdPQ60uzM2KTfppL+K1kMiByuKbZpc oSFPrOm51Q6H2CUvY3IlG4ideiqm2xTX//nufc5UF0hx0dyTlfZ7w8ZxNyXYDwvjnNS7 lkCahnmM1IbroSNgIpMtSp9ctr5B7kmcq1QgYQ9NJqXkV4+PEQHXKNB5+SmXtZ/Zn9St HULkDOC27GLUruZEO2mNdJQzb5tlHdJzQ7Dw+i9RR1d/K1FBa0g+e08kMmpHylpEe1ir n39aeD4xNP0TysVQMzGxQd/QMaGDYfUNOJtdc+SZbxMiM0xF+XAx9QbAnnm9Hnshy+Ce EdPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748957767; x=1749562567; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=HvZqXw0QFtqp+xs3rOrDypLx7qdNhV2UJn9pGH/96IQ=; b=YKvFUfjF8wOQDtiHVNsIfq8v+zxaGtElQOBzzi194ujN7NNwPh0WVwBaLTb3P4CjT3 2Vs6Z4k7r/q8Cn7HQ3vmJkVo/QCb2w5RnEjHyCCnw59dWdzR1l0LFhFDOT/2xVAL3ZI6 xkm7FX6GqPQQblyVZvgngWCPNGtGYL9jXFBnohHz6JKwhxTvYul4vpxZw1F53jrY1qVG KmmNtrYKaS8lgevME9vhR2rzsjzxLyY2PIXsORzP8z8rkbE4PwLUvGfs+KNSd3v8swSC PnJtriIAQKsr40Wi7lz2y+YpsYnYNcPbsCn807Zd4wVSVqkTKwXsonNrPZXBEEuPdEcM tCdw== X-Forwarded-Encrypted: i=1; AJvYcCWlQ1F56fDbsUygFsAzF3AXzceg41YObnSWGRyDZEcNJ6XCjtne7vIUP6exUpPhGr8dqPliGxfsMFnmUQ==@lists.postgresql.org X-Gm-Message-State: AOJu0YxqfrFMhBMd86fEQCqSptIqALen0gdDjdoMPf3gOUWZYklLBAIF aAjxVCZbFTtHFjsAdBzoW7Nh9JWA6rt4y0xns9yB2smKsSllfaJN6iAaHvUfDgSxK74= X-Gm-Gg: ASbGnctyNnBenOxbVt4dY8Pw/4zOTi/MdW868Ym+Y9LjqnSc/s15AlR2NtDD/mLSRTL jj+QiSck6Z/uKkYb+krmw+sQD3+H41nRtTNX1S0+DWb0rN+g4xi12qy9P7Kcs2rDOw1cTJxenvO dNC2+RbuB+xxV+dd5dyrltNalObyphnc1Apmgvwg3E7BQX9C7m/LhFOBbBmJ4rArYU0IuORNC+B Q0p4iOgkmKs931lVDh5HWr12zsMuLWslU8dpMTBzGWLuSs0+TnL7HX54Ejytwo5FYEx8Q4HTDKA AhGtBAE41w5X/K2kdOY23Xp73kbb3yRHVcPP09nanx8/G0TlnQPSMU+3TNedTzV4oIOY8XF2MAe UTj59gQzi5CE= X-Google-Smtp-Source: AGHT+IFs40aGFaT98G3nty7V7Me2GemNxNgNdXFLmkCS2unhBC/9LqudJ7A54opjaNuBBUabRmrcEA== X-Received: by 2002:a05:6000:1887:b0:3a4:f038:af90 with SMTP id ffacd0b85a97d-3a4f89ead0cmr12345839f8f.58.1748957766251; Tue, 03 Jun 2025 06:36:06 -0700 (PDT) Received: from laurenz.albe-K4N0CV00F97414D ([12.0.89.245]) by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-3dd935a6991sm25927525ab.60.2025.06.03.06.36.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Jun 2025 06:36:04 -0700 (PDT) Message-ID: <08b36ebfe3f64ce29f51bfcb661fc7917d942709.camel@cybertec.at> Subject: Re: Question about permissions in the Schema From: Laurenz Albe To: Sabyasachi Mukherjee , Pgsql-admin Date: Tue, 03 Jun 2025 15:36:04 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-1.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, 2025-06-03 at 11:44 +0000, Sabyasachi Mukherjee wrote: > I have a database with 5 different schemas. Each schema has the same set = of tables, but the data is different. > I have created one user to access the data in the tables from one schema = only. > The user can access the data from the target schema. For all other schema= s it get a permission error except one. > I have specifically run the Revoke command for the schema but still the u= ser can access the > data from that schema. I have run the command in PGAdmin. Also DBBeaver d= oes not any permission for the objects > in the leaking schema for the user. > What could be wrong and how should I fix it. > I am running PG 17 on Linux.=C2=A0 To diagnose the problem, look at the permissions on that schema: SELECT a.grantor::regrole AS grantor, a.grantee::regrole AS grantee, a.privilege_type FROM pg_namespace AS s CROSS JOIN LATERAL aclexplode(s.nspacl) AS a WHERE s.nspname =3D 'schema_name'; Compare that with the user that is granted access and all its groups: WITH RECURSIVE myroles AS ( SELECT current_user::regrole AS r UNION ALL SELECT m.roleid::regrole FROM pg_auth_members AS m JOIN myroles ON m.member =3D myroles.r ) SELECT * FROM myroles; Yours, Laurenz Albe