Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1vT6TH-00CsdI-1u
	for pgsql-admin@arkaria.postgresql.org;
	Tue, 09 Dec 2025 22:46:15 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1vT6TG-007yMu-0P
	for pgsql-admin@arkaria.postgresql.org;
	Tue, 09 Dec 2025 22:46:14 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ronljohnsonjr@gmail.com>)
	id 1vT6TF-007yMm-2V
	for pgsql-admin@lists.postgresql.org;
	Tue, 09 Dec 2025 22:46:14 +0000
Received: from mail-oi1-x22b.google.com ([2607:f8b0:4864:20::22b])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <ronljohnsonjr@gmail.com>)
	id 1vT6TD-004803-2V
	for pgsql-admin@lists.postgresql.org;
	Tue, 09 Dec 2025 22:46:13 +0000
Received: by mail-oi1-x22b.google.com with SMTP id
 5614622812f47-450063be247so2790772b6e.2
        for <pgsql-admin@lists.postgresql.org>;
 Tue, 09 Dec 2025 14:46:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1765320369; x=1765925169;
 darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :from:to:cc:subject:date:message-id:reply-to;
        bh=8cbyfAjKpsxUe+7urQHxfo8kz38kbtbJxN00PW5WRic=;
        b=f2xQJ+zi7JUGIY8knn+O1khk5oU8Je1nh91AuCXWZOVCUyKR65IZWD4YWAg1/nj/zm
         +xerGU3d4qpsI5Fo7sf7caicJ3FypSNK2GpfghgHl+5Br01RXe+KwOhA9g4DQ3/Tjcqw
         eVQIzj9p+MNU7afT1eD5ZttUZnEx6OP5Zhsxij761JVjyqR7kX9t+eE5OhjH9DjkxHUT
         1L7T318wNKjkcR58B2nyc+yxLIjgXnGi09kEX1xuNpJMcJAalaWE7Q8NyVqlIa24cHGG
         nLvonusm1e/xtlR/m1nJ0zL3VhkC6U0xuGiL2VhrNhlqrOds+/GVC3tjbbiwy1uZNpsJ
         o4lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1765320369; x=1765925169;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=8cbyfAjKpsxUe+7urQHxfo8kz38kbtbJxN00PW5WRic=;
        b=gdjTuEqYhgQupV8qa/9We6UyNmP8YXBp+zVCJQkSzWbBGgNGqCyInPRTZmaQBGw5CM
         C/hqP/zldKl+zQkOXziP9/h1Tf3nf/EOroLm4m7JRGS+uXnk2MkhDr8ivhdAWXewCTia
         c12M3mLr3+MGrp0KmHxG5ex9COnoprI8zcKAcEgK6xhUDE+0D+YASVbcgpHSwk9bIdRq
         nQni5DIKSjLd0E6z0yqorL1pIi0pRqn6H7upswP2AMg2fD1QkUZ2OqH3V+xlCUOJkzU+
         K+/lPaxf9HhvlQY3XaJafM0eJWiOKmeOa30V6ILI87p6ljdIOvZdo8m/WdhUKHNDpCBx
         E/sg==
X-Gm-Message-State: AOJu0YwcKryYRzKWxgGlkfzZUpkaMVj4AUiaaCFbOdJy+Go8d61TEF6y
	LooHnwsskwIBDRfs3uzpa2Jjq6hqa0uUFrqHiTkwpHSjUul3YOPR0Tb6BGFE6Ihu2U6jzsdYLsJ
	PfeiiF2DpeIXZDSUrsSR782EWvmQeZtYOyMPb
X-Gm-Gg: ASbGnctwUCjps3CgqEVwBK2ih2xnbdZZGirH+SA3zd8uvCKlV//40pFdEMzzP/cWsCm
	zbN8cSxqow3DG5HcEVjdZF5l9a6FdwzsqTSzK6l7CqBr8U6CIVyNFP2OK3H5Pkny9jxqP1TJtdx
	CFaEDGXTetMNSCqf67mbMhNQc8Wu4hl88+r7TTwN1vKtXOPmgQtpTTWkFhmK4phds9lVxJKhS3p
	WtbhuYn6iWqrCsP3JKw7lpfvUFkIarW8rwWqCmgAUxkDbNd6fZtkIWHU6MkZa7vWPTbC6LVirgZ
	qTfdCv4=
X-Google-Smtp-Source: 
 AGHT+IHUPAweS0e/43GquugVMLpCVHkiDbZ8GcC+8wPD8v6prY7cJ6cCfwOXbwnPbBHMffr0kjfDu2CGXSVDoNcD8ag=
X-Received: by 2002:a05:6808:1787:b0:453:7cb1:871d with SMTP id
 5614622812f47-45586529eb2mr324517b6e.52.1765320369373; Tue, 09 Dec 2025
 14:46:09 -0800 (PST)
MIME-Version: 1.0
References: 
 <CAGA3vBug6Sq_XYLxzmY470WFS6Z3OF28goYzX=QHrCc4hgQSDw@mail.gmail.com>
In-Reply-To: 
 <CAGA3vBug6Sq_XYLxzmY470WFS6Z3OF28goYzX=QHrCc4hgQSDw@mail.gmail.com>
From: Ron Johnson <ronljohnsonjr@gmail.com>
Date: Tue, 9 Dec 2025 17:45:58 -0500
X-Gm-Features: AQt7F2r5NGWyD2Xo4qmmWHloiEub-6GefUEUvD9ekkQ7CH1Ox48zdmnC_x3bkJ0
Message-ID: 
 <CANzqJaA8JTM1V_+9ACXGWjbCYYu_hio5EA-=2ne_7jmmhw31FQ@mail.gmail.com>
Subject: Re: database specific pg_read_all_data / pg_write_all_data
To: Pgsql-admin <pgsql-admin@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000088069706458cad2d"
List-Id: <pgsql-admin.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-admin@lists.postgresql.org>
List-Owner: <mailto:pgsql-admin-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-admin>
Archived-At: 
 <https://www.postgresql.org/message-id/CANzqJaA8JTM1V_%2B9ACXGWjbCYYu_hio5EA-%3D2ne_7jmmhw31FQ%40mail.gmail.com>
Precedence: bulk

--00000000000088069706458cad2d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Dec 9, 2025 at 4:13=E2=80=AFPM richard coleman <rcoleman.ascentgl@g=
mail.com>
wrote:

> In PostgreSQL 16+ the built in roles such as pg_read_all_data
> and pg_write_all_data are a welcome addition to permission setting in
> PostgreSQL.
>
> Unfortunately they appear to be server-wide roles.
>
> Woud it be possible to have roles like these that are database specific?
>
> If there are 100 databases on a server, it would be extremely helpful to
> be able to do something like:
>
> *grant *pg_read_all_data* on database *foo* to *user_role*;*
>
> Otherwise these roles are unusable from a practical stand point on server=
s
> with multiple unrelated databases.
>

How about
ALTER DEFAULT PRIVILEGES IN SCHEMA foo1, foo2, foo3, ... GRANT SELECT ON
ALL TABLE TO bar;

--=20
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

--00000000000088069706458cad2d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Tue, Dec 9, 2025 at 4:13=E2=80=AFPM ri=
chard coleman &lt;<a href=3D"mailto:rcoleman.ascentgl@gmail.com">rcoleman.a=
scentgl@gmail.com</a>&gt; wrote:</div><div class=3D"gmail_quote gmail_quote=
_container"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"l=
tr">In PostgreSQL 16+ the built in roles such as=C2=A0pg_read_all_data and=
=C2=A0pg_write_all_data are a welcome addition to permission setting in Pos=
tgreSQL.<div><br></div><div>Unfortunately they appear to be server-wide rol=
es.</div><div><br></div><div>Woud it be possible to have roles like these t=
hat are database specific?</div><div><br></div><div>If there are 100 databa=
ses on a server, it would be extremely helpful to be able to do something l=
ike:</div><div><br></div><div><b>grant </b>pg_read_all_data<b> on database =
</b>foo<b> to </b>user_role<b>;</b></div><div><br></div><div>Otherwise thes=
e roles are unusable from a practical stand point on servers with multiple =
unrelated databases.</div></div></blockquote><div><br></div><div></div></di=
v><div>How about=C2=A0</div><div>ALTER=C2=A0DEFAULT PRIVILEGES IN SCHEMA fo=
o1, foo2, foo3, ... GRANT SELECT ON ALL TABLE TO bar;</div><div><br></div><=
span class=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=
=3D"gmail_signature"><div dir=3D"ltr">Death to &lt;Redacted&gt;, and butter=
 sauce.<div>Don&#39;t boil me, I&#39;m still alive.<br><div><div>&lt;Redact=
ed&gt; lobster!</div></div></div></div></div></div>

--00000000000088069706458cad2d--