Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1vT71F-00DDwv-2h
	for pgsql-admin@arkaria.postgresql.org;
	Tue, 09 Dec 2025 23:21:21 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1vT71E-008Ox3-1L
	for pgsql-admin@arkaria.postgresql.org;
	Tue, 09 Dec 2025 23:21:20 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <rcoleman.ascentgl@gmail.com>)
	id 1vT71E-008Owv-0A
	for pgsql-admin@lists.postgresql.org;
	Tue, 09 Dec 2025 23:21:20 +0000
Received: from mail-oa1-x31.google.com ([2001:4860:4864:20::31])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <rcoleman.ascentgl@gmail.com>)
	id 1vT71C-0048uO-0A
	for pgsql-admin@lists.postgresql.org;
	Tue, 09 Dec 2025 23:21:20 +0000
Received: by mail-oa1-x31.google.com with SMTP id
 586e51a60fabf-3ec6c10a295so2309953fac.0
        for <pgsql-admin@lists.postgresql.org>;
 Tue, 09 Dec 2025 15:21:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1765322476; x=1765927276;
 darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=6KHVaE2b0SBu2KkhvK3iKJrlaw/nyp/ZLgUQ2dww9hA=;
        b=hSZnukgcljDxS+ZnDRQ7b1rIPw/5X4jKlCHqZ12C/JfB83rnYs/2sAuI8wY8Kt8LZN
         TUpmLjmyYzuWtYnjJ8mxflD6tHU4S1syXgGfYC+qZLVTS+Wgw0/JqSRGOverFs5aIrEj
         js2EG4WrmEgEOvYZLinrP2OaG7PST/smGKn7zbKcsKV+cNAbij8mXfAvY+4+jDoCNiGI
         GR9HYFGbZegtjZ1SCDTtgvAkWD2jF4I2t7Ooj93KurE4sjyHWgx1A66fyo2RN28FeMXn
         z6832L1AJO4e3lq5ZnIVWi775LfazSCMu5JA6MlR5nv95beLnuCeoWO2RmBSd3lgiqvO
         1ROQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1765322476; x=1765927276;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6KHVaE2b0SBu2KkhvK3iKJrlaw/nyp/ZLgUQ2dww9hA=;
        b=a9UT5UW6JK95Nn2GNnTCJoX8VCX0Yl+i+NOgiJkBc+hxzyiSIByXJCNfYFDTer6lMr
         tHYaZNUoefjeThsY61VU2aMUFyn91zwHvNssiEy503QBqJ8K+KDkbk1+H6M4CgIJMXKa
         DrKzkhcwVnUh6HMukUn0JwHpNRfNhM4Tc34qlS7DNeHuBhufw2jMsm3PFxBAFDpmW39j
         zvqhQ/gJMzQPGP4UCDzI/Kke7xEVjhk/x1kAqXacS9l+qJsvtW06ATGn/tbpTVvNSt0p
         hVk6d2BlM40MNCsxpEkpTaYwzfacUD/CS84lEezJ+s/JdzYAUTeFt74KsJ9aWiDjn4ha
         JeaA==
X-Gm-Message-State: AOJu0YyD7Rh2vrCdieL5hYBOodY6i58RMAQ3xoF4dFrJLvFhU0mjOTw1
	XD01puvM6JT7ekjm51s9SXgAV5f0+O02nF2DxPZm/w5GAuE41yrSQdeJh/FJXbIT9HAvyas8ZT5
	Bn7rZ3d/9NlqE4cWFKP6myUMN3sJFyvk=
X-Gm-Gg: AY/fxX4NgmTBD8JCPKHuYDZItqa1JtEly9qSwHMI6QIXdLxaRVJnH6KVD4YNUYUACyb
	CHbdBNxrDFcNZoHtHtt8alQCEr3eiuekgYhYJ8PBuQkPHjwyGEfsuSBEH6Qyk6V/RAZB2S27cLQ
	zDgL7hjgJz5zrbfyotztGFUmjnkgp14pBK7/Tzhk6+uFjKgX1UAdhG1eK28b5NZs7cp7AS0j5Ih
	keo95lfHOktktyUGNRbxAdZoTHvMVybwX53WypptD5W9EOU7+i2Mom6+DKoUgKUIVlT5VTwtq7+
	rfBTXx5qZ9JsI/WaRrNwqzZgyRBdEnpR2UUc139Unxww7J16QAR+rFpW
X-Google-Smtp-Source: 
 AGHT+IF8sqYBwyTbt+kfolJNH4a1mTsUixxvu5TkN82xGcpsNbylK+/COEKR+VrKu/t95z/z53Q/pCBJuL2/J8mr74E=
X-Received: by 2002:a05:6870:e2cd:b0:3e7:f4a9:588b with SMTP id
 586e51a60fabf-3f5bd89bc71mr379625fac.15.1765322476175; Tue, 09 Dec 2025
 15:21:16 -0800 (PST)
MIME-Version: 1.0
References: 
 <CAGA3vBug6Sq_XYLxzmY470WFS6Z3OF28goYzX=QHrCc4hgQSDw@mail.gmail.com>
 <CANzqJaA8JTM1V_+9ACXGWjbCYYu_hio5EA-=2ne_7jmmhw31FQ@mail.gmail.com>
In-Reply-To: 
 <CANzqJaA8JTM1V_+9ACXGWjbCYYu_hio5EA-=2ne_7jmmhw31FQ@mail.gmail.com>
From: richard coleman <rcoleman.ascentgl@gmail.com>
Date: Tue, 9 Dec 2025 18:21:05 -0500
X-Gm-Features: AQt7F2pcdKLIz8sHWkCDIcxXwy-tbNgcDku6HOmIgyhbO4Tf2aoX0D8L_IlbgN8
Message-ID: 
 <CAGA3vBs=_E7eOXRngW9fkKSvE+r9_s+z=wOZNBvjfZ_yRROc5Q@mail.gmail.com>
Subject: Re: database specific pg_read_all_data / pg_write_all_data
To: Ron Johnson <ronljohnsonjr@gmail.com>
Cc: Pgsql-admin <pgsql-admin@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000001b467606458d2b84"
List-Id: <pgsql-admin.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-admin@lists.postgresql.org>
List-Owner: <mailto:pgsql-admin-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-admin>
Archived-At: 
 <https://www.postgresql.org/message-id/CAGA3vBs%3D_E7eOXRngW9fkKSvE%2Br9_s%2Bz%3DwOZNBvjfZ_yRROc5Q%40mail.gmail.com>
Precedence: bulk

--0000000000001b467606458d2b84
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Ron,

That wouldn't come even close to what pg_read_all_data grants.
A role assigned to pg_read_all_data automatically has the ability to read
everything, in every schema that exists now or in the future.

The old way, your suggestion, means that you have to keep rerunning that
command everytime someone creates a schema, creates a table, creates a
view, recreates a table, recreates a view, etc. for all eternity.  Not only
that, you have to tailor the command to each new schema, etc.

This makes shared privs much more streamlined and removes the chance that a
user will forget to assign privs to objects that they create.

I hope that helps make it clearer.
rik.




On Tue, Dec 9, 2025 at 5:46=E2=80=AFPM Ron Johnson <ronljohnsonjr@gmail.com=
> wrote:

> On Tue, Dec 9, 2025 at 4:13=E2=80=AFPM richard coleman <
> rcoleman.ascentgl@gmail.com> wrote:
>
>> In PostgreSQL 16+ the built in roles such as pg_read_all_data
>> and pg_write_all_data are a welcome addition to permission setting in
>> PostgreSQL.
>>
>> Unfortunately they appear to be server-wide roles.
>>
>> Woud it be possible to have roles like these that are database specific?
>>
>> If there are 100 databases on a server, it would be extremely helpful to
>> be able to do something like:
>>
>> *grant *pg_read_all_data* on database *foo* to *user_role*;*
>>
>> Otherwise these roles are unusable from a practical stand point on
>> servers with multiple unrelated databases.
>>
>
> How about
> ALTER DEFAULT PRIVILEGES IN SCHEMA foo1, foo2, foo3, ... GRANT SELECT ON
> ALL TABLE TO bar;
>
> --
> Death to <Redacted>, and butter sauce.
> Don't boil me, I'm still alive.
> <Redacted> lobster!
>

--0000000000001b467606458d2b84
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Ron,<div><br></div><div>That wouldn&#39;t come even close =
to what pg_read_all_data grants.</div><div>A role assigned to pg_read_all_d=
ata automatically has the ability to read everything, in every schema that =
exists now or in the future.</div><div><br></div><div>The old way, your sug=
gestion, means that you have to keep rerunning that command everytime someo=
ne creates a schema, creates a table, creates a view, recreates a table, re=
creates a view, etc. for all eternity.=C2=A0 Not only that, you have to tai=
lor the command to each new schema, etc.</div><div><br></div><div>This make=
s shared privs much more streamlined and removes the chance that a user wil=
l forget to assign privs to objects that they create.</div><div><br></div><=
div>I hope that helps make it clearer.</div><div>rik.</div><div><br></div><=
div><br></div><div><br></div></div><br><div class=3D"gmail_quote gmail_quot=
e_container"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Dec 9, 2025 at 5=
:46=E2=80=AFPM Ron Johnson &lt;<a href=3D"mailto:ronljohnsonjr@gmail.com">r=
onljohnsonjr@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">On Tue, Dec 9, 2025=
 at 4:13=E2=80=AFPM richard coleman &lt;<a href=3D"mailto:rcoleman.ascentgl=
@gmail.com" target=3D"_blank">rcoleman.ascentgl@gmail.com</a>&gt; wrote:</d=
iv><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><div dir=3D"ltr">In PostgreSQL 16+ the built in roles such as=C2=A0pg_=
read_all_data and=C2=A0pg_write_all_data are a welcome addition to permissi=
on setting in PostgreSQL.<div><br></div><div>Unfortunately they appear to b=
e server-wide roles.</div><div><br></div><div>Woud it be possible to have r=
oles like these that are database specific?</div><div><br></div><div>If the=
re are 100 databases on a server, it would be extremely helpful to be able =
to do something like:</div><div><br></div><div><b>grant </b>pg_read_all_dat=
a<b> on database </b>foo<b> to </b>user_role<b>;</b></div><div><br></div><d=
iv>Otherwise these roles are unusable from a practical stand point on serve=
rs with multiple unrelated databases.</div></div></blockquote><div><br></di=
v><div></div></div><div>How about=C2=A0</div><div>ALTER=C2=A0DEFAULT PRIVIL=
EGES IN SCHEMA foo1, foo2, foo3, ... GRANT SELECT ON ALL TABLE TO bar;</div=
><div><br></div><span class=3D"gmail_signature_prefix">-- </span><br><div d=
ir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr">Death to &lt;Redacted=
&gt;, and butter sauce.<div>Don&#39;t boil me, I&#39;m still alive.<br><div=
><div>&lt;Redacted&gt; lobster!</div></div></div></div></div></div>
</blockquote></div>

--0000000000001b467606458d2b84--