Clarification for schema and schema object privileges

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Ian Barwick <[email protected]>
To: [email protected]
Subject: Clarification for schema and schema object privileges
Date: Tue, 14 Jul 2015 12:24:46 +0900
Message-ID: <[email protected]> (raw)
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgsql-docs>

Hi

One "gotcha" that crops up from time to time is that it's possible to grant
privileges on objects in a particular schema to a user other than the schema
owner, giving the impression that the user now has those privileges, but if usage on
the schema itself hasn't been granted, the privileges are of course
ineffective. I think it would be worth highlighting this in the documentation
as this seems easy to overlook; suggested patch attached.


Regards

Ian Barwick

-- 
 Ian Barwick                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services


-- 
Sent via pgsql-docs mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs


Attachments:

  [text/x-patch] doc-schema-privilege.patch (764B, 2-doc-schema-privilege.patch)
  download | inline diff:
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
new file mode 100644
index 0aa0c13..c706374
*** a/doc/src/sgml/ddl.sgml
--- b/doc/src/sgml/ddl.sgml
*************** SELECT 3 OPERATOR(pg_catalog.+) 4;
*** 2108,2113 ****
--- 2108,2121 ----
      might need to be granted, as appropriate for the object.
     </para>
  
+    <warning>
+     <para>
+      While it's possible to grant privileges on individual objects
+      within a schema to a user, these privileges will remain ineffective
+      until the <literal>USAGE</literal> privilege on the schema is granted.
+     </para>
+    </warning>
+ 
     <para>
      A user can also be allowed to create objects in someone else's
      schema.  To allow that, the <literal>CREATE</literal> privilege on

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected]
  Subject: Re: Clarification for schema and schema object privileges
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox