GRANT USAGE ON SCHEMA

public inbox for [email protected]  
help / color / mirror / Atom feed

GRANT USAGE ON SCHEMA
4+ messages / 3 participants
[nested] [flat]

* GRANT USAGE ON SCHEMA
@ 2025-06-14 22:08 Edwin UY <[email protected]>
  2025-06-14 22:29 ` Re: GRANT USAGE ON SCHEMA Tom Lane <[email protected]>
  2025-06-14 23:19 ` Re: GRANT USAGE ON SCHEMA David G. Johnston <[email protected]>
  0 siblings, 2 replies; 4+ messages in thread

From: Edwin UY @ 2025-06-14 22:08 UTC (permalink / raw)
  To: Pgsql-admin <[email protected]>

Hi,

Just playing around here trying and 'confused' what the GRANT USAGE ON
SCHEMA is supposed to be for?
I thought it was supposed to all 'full' access of one schema to the other

I have created 2 schema a, b and I did

grant usage on schema a to b
grant usage on schema b to a

I tried to select tables from one to the other and it is giving permission
denied until I have to do the grant below.

grant all on all tables in schema a to b ;
grant all on all tables in schema b to a ;

Is this expected behavior? Or does the GRANT USAGE only allows
switching between schema?

Regards,
Edd

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: GRANT USAGE ON SCHEMA
  2025-06-14 22:08 GRANT USAGE ON SCHEMA Edwin UY <[email protected]>
@ 2025-06-14 22:29 ` Tom Lane <[email protected]>
  1 sibling, 0 replies; 4+ messages in thread

From: Tom Lane @ 2025-06-14 22:29 UTC (permalink / raw)
  To: Edwin UY <[email protected]>; +Cc: Pgsql-admin <[email protected]>

Edwin UY <[email protected]> writes:
> Just playing around here trying and 'confused' what the GRANT USAGE ON
> SCHEMA is supposed to be for?
> I thought it was supposed to all 'full' access of one schema to the other

No.  Schema USAGE is more or less like directory read permissions in
a file system: it lets you get to the contained objects.  You also
need appropriate permissions on the contained objects in order to
do anything with them.

			regards, tom lane





^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: GRANT USAGE ON SCHEMA
  2025-06-14 22:08 GRANT USAGE ON SCHEMA Edwin UY <[email protected]>
@ 2025-06-14 23:19 ` David G. Johnston <[email protected]>
  2025-06-15 10:06   ` Re: GRANT USAGE ON SCHEMA Edwin UY <[email protected]>
  1 sibling, 1 reply; 4+ messages in thread

From: David G. Johnston @ 2025-06-14 23:19 UTC (permalink / raw)
  To: Edwin UY <[email protected]>; +Cc: Pgsql-admin <[email protected]>

On Sat, Jun 14, 2025 at 3:09 PM Edwin UY <[email protected]> wrote:

> I thought it was supposed to all 'full' access of one schema to the other
>

Where did you get the idea that objects (aside from roles) ever get
privileges on other objects?  Or did you also create roles "a" and "b" and
are just using the wrong terminology here?

There is also no such thing as permissions on one type of object somehow
affecting your privileges on other object types.  Your privileges on
schemas will not influence (directly) your permissions on tables.  Neither
to grant additional privileges or to block them - say if you don't have
usage on schema but do have select on a contained table.  Corner-cases that
do behave this way notwithstanding - it isn't reliable.

David J.

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: GRANT USAGE ON SCHEMA
  2025-06-14 22:08 GRANT USAGE ON SCHEMA Edwin UY <[email protected]>
  2025-06-14 23:19 ` Re: GRANT USAGE ON SCHEMA David G. Johnston <[email protected]>
@ 2025-06-15 10:06   ` Edwin UY <[email protected]>
  0 siblings, 0 replies; 4+ messages in thread

From: Edwin UY @ 2025-06-15 10:06 UTC (permalink / raw)
  To: David G. Johnston <[email protected]>; +Cc: Pgsql-admin <[email protected]>

Hi David J,

Yeah, sorry, I should have used different names, but yeah, I have also
created the a and b roles named the same as the schema.
Should have used schema_a, schema_b, role_a, role_b.



On Sun, Jun 15, 2025 at 11:19 AM David G. Johnston <
[email protected]> wrote:

> On Sat, Jun 14, 2025 at 3:09 PM Edwin UY <[email protected]> wrote:
>
>> I thought it was supposed to all 'full' access of one schema to the other
>>
>
> Where did you get the idea that objects (aside from roles) ever get
> privileges on other objects?  Or did you also create roles "a" and "b" and
> are just using the wrong terminology here?
>
> There is also no such thing as permissions on one type of object somehow
> affecting your privileges on other object types.  Your privileges on
> schemas will not influence (directly) your permissions on tables.  Neither
> to grant additional privileges or to block them - say if you don't have
> usage on schema but do have select on a contained table.  Corner-cases that
> do behave this way notwithstanding - it isn't reliable.
>
> David J.
>
>


^ permalink  raw  reply  [nested|flat] 4+ messages in thread

end of thread, other threads:[~2025-06-15 10:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-06-14 22:08 GRANT USAGE ON SCHEMA Edwin UY <[email protected]>
2025-06-14 22:29 ` Tom Lane <[email protected]>
2025-06-14 23:19 ` David G. Johnston <[email protected]>
2025-06-15 10:06   ` Edwin UY <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox