Received: from malur.postgresql.org ([217.196.149.56])
 by arkaria.postgresql.org with esmtp (Exim 4.80) (envelope-from
 <pgsql-docs-owner+M8295=pgsql+2Ddocs=arkaria.postgresql.org@postgresql.org>)
 id 1ZEqq4-0005Yu-E1
 for pgsql-docs@arkaria.postgresql.org; Tue, 14 Jul 2015 03:25:00 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
 by malur.postgresql.org with smtp (Exim 4.84) (envelope-from
 <pgsql-docs-owner+M8295=pgsql+2Ddocs=arkaria.postgresql.org@postgresql.org>)
 id 1ZEqq3-00088x-SI
 for pgsql-docs@arkaria.postgresql.org; Tue, 14 Jul 2015 03:24:59 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
 by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
 (Exim 4.84) (envelope-from <ian@2ndquadrant.com>) id 1ZEqq2-00088N-SZ
 for pgsql-docs@postgresql.org; Tue, 14 Jul 2015 03:24:58 +0000
Received: from mail-qk0-f177.google.com ([209.85.220.177])
 by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
 (Exim 4.84) (envelope-from <ian@2ndquadrant.com>) id 1ZEqpy-0007xO-94
 for pgsql-docs@postgresql.org; Tue, 14 Jul 2015 03:24:57 +0000
Received: by qkdl129 with SMTP id l129so26295129qkd.0
 for <pgsql-docs@postgresql.org>; Mon, 13 Jul 2015 20:24:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
 :subject:content-type;
 bh=ahrdlUbxCtxGDGu6n6PkltotgrawoSRfLVzp6cga0wc=;
 b=FXKpGK2QhjhzHl7z3GZAXsFaCTWaFbftFmEsQw2idOWXHkiNAo1qXrDlVAljABoFeF
 qdbyh0evpJfDnO+bVxZlA+7qhHV77G7NJmP9TOfvpeYlM2CPmW10xQL7guLCL1+uqIrh
 VbWx1Xrf3Py8pkLemyhg+MhtLve+GobjtVD6Ovli+WrNKHZ44Kv/CtXxRn1IpvYHeKw4
 RnluiL9XQByqf77EGO2Qt5GP6cBwvTbtiVCYOCKjh8FujX0EK2llsx2Me+xAk/Fe+7vh
 ZBGf3VOT8//5jH27de8f6jxxGuD0e4IGSXNYRsSJhs/gVf1dgsiqspDNjgWte1HC+i+l
 6g7g==
X-Gm-Message-State: 
 ALoCoQmt/GwG2DuLtL+Jr0UdnCyQyaNfTHRR9UlqOtAWoFQKFgzxEoeQa9wxcbNeL8Ht2H5k2yPw2zcQlMCv763lmK2eipW3OgJpL10MXTrkCZqv4m3rzHS49nv/5+dz1fWTmJstV3RFh7LA8QQ0lW7EbuMEz/YOP88VcnS4AA23D+zOu9DVBOK/TeIv2cIlA+ADz+LU4Xs7
X-Received: by 10.140.91.66 with SMTP id y60mr58645071qgd.90.1436844291550;
 Mon, 13 Jul 2015 20:24:51 -0700 (PDT)
Received: from [192.168.1.2] (p1218-ipngn1801marunouchi.tokyo.ocn.ne.jp.
 [180.0.246.218])
 by smtp.gmail.com with ESMTPSA id 34sm4778097qkz.38.2015.07.13.20.24.49
 for <pgsql-docs@postgresql.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 13 Jul 2015 20:24:50 -0700 (PDT)
Message-ID: <55A480FE.1050302@2ndquadrant.com>
Date: Tue, 14 Jul 2015 12:24:46 +0900
From: Ian Barwick <ian@2ndquadrant.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: pgsql-docs@postgresql.org
Subject: Clarification for schema and schema object privileges
Content-Type: multipart/mixed; boundary="------------080909060805060605070605"
X-Pg-Spam-Score: -2.6 (--)
List-Archive: <http://archives.postgresql.org/pgsql-docs>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-docs.postgresql.org>
List-Owner: <mailto:pgsql-docs-owner@postgresql.org>
List-Post: <mailto:pgsql-docs@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-docs>
List-Unsubscribe: <mailto:majordomo@postgresql.org?body=unsub%20pgsql-docs>
X-Mailing-List: pgsql-docs
Precedence: bulk
Sender: pgsql-docs-owner@postgresql.org

This is a multi-part message in MIME format.
--------------080909060805060605070605
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi

One "gotcha" that crops up from time to time is that it's possible to grant
privileges on objects in a particular schema to a user other than the schema
owner, giving the impression that the user now has those privileges, but if usage on
the schema itself hasn't been granted, the privileges are of course
ineffective. I think it would be worth highlighting this in the documentation
as this seems easy to overlook; suggested patch attached.


Regards

Ian Barwick

-- 
 Ian Barwick                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

--------------080909060805060605070605
Content-Type: text/x-patch;
 name="doc-schema-privilege.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="doc-schema-privilege.patch"

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
new file mode 100644
index 0aa0c13..c706374
*** a/doc/src/sgml/ddl.sgml
--- b/doc/src/sgml/ddl.sgml
*************** SELECT 3 OPERATOR(pg_catalog.+) 4;
*** 2108,2113 ****
--- 2108,2121 ----
      might need to be granted, as appropriate for the object.
     </para>
=20=20
+    <warning>
+     <para>
+      While it's possible to grant privileges on individual objects
+      within a schema to a user, these privileges will remain ineffective
+      until the <literal>USAGE</literal> privilege on the schema is grante=
d.
+     </para>
+    </warning>
+=20
     <para>
      A user can also be allowed to create objects in someone else's
      schema.  To allow that, the <literal>CREATE</literal> privilege on

--------------080909060805060605070605
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0


-- 
Sent via pgsql-docs mailing list (pgsql-docs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs

--------------080909060805060605070605--