Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTH0g-00Fw6e-3A for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 10:01:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vTH0e-00AXPA-1B for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 10:01:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTH0d-00AXP1-3A for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 10:01:24 +0000 Received: from mail-ej1-x62e.google.com ([2a00:1450:4864:20::62e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vTH0c-0046m9-0v for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 10:01:23 +0000 Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-b7a6f32001bso267617666b.2 for ; Wed, 10 Dec 2025 02:01:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1765360880; x=1765965680; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date :message-id:reply-to; bh=chFx1YSYgsf88BX48ztwjTkRR6au6mHjyMDqW3qf4O8=; b=KA3V2allmaALgXSSNR8IJ6u8Tw9VIq1b5aMuxkixJCqTcYFB+ct0FQpfunnWHxdbsJ /d4A8+T06rxkz9zrI/2NvAsaoYBNpQR/d1KelkeY1W+lJDf0AZRtMEOUfnx5nzcN+ksP Lh5fIf1s59Q79jcSt5anF8jeoRGyQ4S4KmMMSUeZKwjA/oXd7QDnoAf7UZgZTq2qTGJZ QfvM3oYrGhaElDHibe/aWSCwNhZ5vQXny7MuYiMnlNaWYufd6TOVewcp5U0uOcPFkyZR dmdO4wx5ZDseWEitTK3KmCXZ5dgAHZFapCYfq285kmKZZPfzib5zgnZbuqnzt2z+Iumq ghqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765360880; x=1765965680; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=chFx1YSYgsf88BX48ztwjTkRR6au6mHjyMDqW3qf4O8=; b=HZrf/wRZ9iNueGP8rVKCuEn1hrsiFrZ6RjA/h73E4J60pKLF9eLFPGmWgyBE8xSBu4 sg/zGkK/39nAw027VOJauL8cDbyKLzXYoQ3Zm5UL+9Kd6Tfgqq+XQ3Y9K5AkGD6IVt9r x6sk5CJ+nAzU7am2o0EaTQniBUUTWJbNyDvCDK+DDGdiXIZUphcan99mnyRyOILWk/5t TWSczKyNZbjVyadook7/a5Ab2i79w7gfaO0YMHXL7WV+Cr+5nUUGGsC0m1strIf21HXx KRRH23GvaOQ/jSSVmWs/2FEcNV2Oo6xCVgfBTkn6i52sqCTPTR9Y9bUc7uJKKvYTZSnT alcg== X-Forwarded-Encrypted: i=1; AJvYcCV0CntC8PewewohzYw5clY4oLVHSavsl+NpA51b5GyuCiBlaw0BWPlNBcvux1/B81eLDsMu1Z/SvEWjtA==@lists.postgresql.org X-Gm-Message-State: AOJu0Yx9unovghuENmplPEptcPuLJbV5TE/hT5pqaMyKtwe5VzswcW+G AM/S1Bu274x4VsjS+YOQgr6w/tnEb/lg7f3IpFWKG+BEHtep36Czl1KnG812bVUZfDY= X-Gm-Gg: ASbGncuNa/Aogvhuwbo/GHraMz7QHgEkjsxV4lr10MWQJMjvKqak7W6KgpU0VxsSTGy b7PjY8hF+N8OsoUO/orvzk8dzEkVdm2eMh8tDuL27PIIsyPBd0P8bQ9aaODMacwklLNyZ9tP0eW MpUxyju3dftZrPHH700jHE/HRSkYEZABHLyNbNR238YZyxitZJgGZbjQa+Sdl/3elWaXyU3uc01 rs0atwvGx8f2TAzMdOaiQi72k7H4XntXjeu/6COZs3Y04AO3VouYDqIWijU5ljLbVq49MimZleU Onq3wtL3K0v81n0sJ45XpiZLjZCvb7bhlkFXivO5AcmkrTCsm4gBunGVGs4ZtwJRD66WdfpELtP YJeFpd9iSstpLPbYa7jlMyHj2kC2bwKmiwaWEgmdWETte6RwrkXA69Vn3G3Gov56+jtXG2EWFTg vgENgs2dbNBKvL1t5+RC+kw9TySmtI1Liy4ro54m2bQCSVEi1xIc0= X-Google-Smtp-Source: AGHT+IFiyqTnXeHca5TIMXvz4tLF39LXcswAtlT5g6xbpHUoMiMw92urHxDXdxMWbKwbfixLw4wwGw== X-Received: by 2002:a17:907:728a:b0:b73:6d2f:4bb8 with SMTP id a640c23a62f3a-b7ce82bd626mr152130166b.2.1765360878858; Wed, 10 Dec 2025 02:01:18 -0800 (PST) Received: from laurenz.albe-K4N0CV00F97414D ([88.116.133.170]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-647b412e2d8sm16789156a12.34.2025.12.10.02.01.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Dec 2025 02:01:18 -0800 (PST) Message-ID: <72acf8ae4e56886081b9f632569f290d3246c33b.camel@cybertec.at> Subject: Re: database specific pg_read_all_data / pg_write_all_data From: Laurenz Albe To: richard coleman , Pgsql-admin Date: Wed, 10 Dec 2025 11:01:18 +0100 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-2.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, 2025-12-09 at 16:13 -0500, richard coleman wrote: > In PostgreSQL 16+ the built in roles such as=C2=A0pg_read_all_data and=C2= =A0pg_write_all_data are a welcome addition to permission setting in Postgr= eSQL. >=20 > Unfortunately they appear to be server-wide roles. >=20 > Woud it be possible to have roles like these that are database specific? >=20 > If there are 100 databases on a server, it would be extremely helpful to = be able to do something like: >=20 > grant pg_read_all_data on database foo to user_role; >=20 > Otherwise these roles are unusable from a practical stand point on server= s with multiple unrelated databases. I think they were mostly added for compatibility with Microsoft SQL Server, if I remember correctly. I suggest creating roles named "readonly_dbname" for each database with the appropriate privileges and assigning those. A different approach would be to use different database clusters for differ= ent databases. Yours, Laurenz Albe