From: "David G. Johnston"
Date: Tue, 9 Dec 2025 17:38:49 -0700
Subject: Re: database specific pg_read_all_data / pg_write_all_data
To: richard coleman
Cc: Pgsql-admin

On Tuesday, December 9, 2025, richard coleman wrote:

> In PostgreSQL 16+ the built-in roles such as pg_read_all_data
> and pg_write_all_data are a welcome addition to permission setting in
> PostgreSQL.
>
> Unfortunately they appear to be server-wide roles.
>
> Would it be possible to have roles like these that are database specific?

You can have roles that are database-specific; which then means those roles can only apply the “all data” privileges within the database they are permitted access to.

David J.
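One way to get the effect described in the reply above, shown as an added example that is not part of the original thread: membership in pg_read_all_data stays cluster-wide, so the scoping is done with the CONNECT privilege on each database. The database names (sales, hr) and the role name (sales_reader) are hypothetical.

```sql
-- Added example; sales, hr and sales_reader are hypothetical names.
-- Run as a superuser (or as the owner of each database for the
-- REVOKE/GRANT ... ON DATABASE statements).

-- 1. A login role that will carry the "read all data" capability.
--    Authentication (password, cert, etc.) is configured separately.
CREATE ROLE sales_reader LOGIN;

-- 2. Membership in the predefined role. This grant is not tied to a
--    database: it takes effect in every database the role can enter.
GRANT pg_read_all_data TO sales_reader;

-- 3. By default PUBLIC holds CONNECT on every database, which is what
--    makes the role behave as server-wide. Remove that default.
--    Other roles that relied on it need their own explicit CONNECT grant.
REVOKE CONNECT ON DATABASE sales     FROM PUBLIC;
REVOKE CONNECT ON DATABASE hr        FROM PUBLIC;
REVOKE CONNECT ON DATABASE postgres  FROM PUBLIC;
REVOKE CONNECT ON DATABASE template1 FROM PUBLIC;

-- 4. Let the role into exactly one database.
GRANT CONNECT ON DATABASE sales TO sales_reader;

-- 5. Check the result: only "sales" should report can_connect = true.
--    Databases created later receive the PUBLIC CONNECT default again,
--    so re-run this check after every CREATE DATABASE.
SELECT d.datname,
       has_database_privilege('sales_reader', d.datname::text, 'CONNECT')
           AS can_connect
FROM   pg_database AS d
WHERE  d.datallowconn
ORDER  BY d.datname;
```

A pg_hba.conf rule limiting sales_reader to the sales database gives a second, independent control at the authentication layer; superusers are unaffected by either.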