Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s5HxI-004UAD-FI for pgsql-general@arkaria.postgresql.org; Fri, 10 May 2024 04:34:00 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s5HxE-00CRXT-Qn for pgsql-general@arkaria.postgresql.org; Fri, 10 May 2024 04:33:57 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s5HxE-00CRXJ-Dg for pgsql-general@lists.postgresql.org; Fri, 10 May 2024 04:33:56 +0000 Received: from mail-qk1-x72d.google.com ([2607:f8b0:4864:20::72d]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s5HxA-000I9E-Dj for pgsql-general@lists.postgresql.org; Fri, 10 May 2024 04:33:56 +0000 Received: by mail-qk1-x72d.google.com with SMTP id af79cd13be357-78ecd752a7cso108763785a.0 for ; Thu, 09 May 2024 21:33:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715315631; x=1715920431; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Frlt/JCDp28N32tl41AJadITFzsjh5OW2Y68I3BZWQw=; b=G9zg2yfvkbzq1x1tar3JkzY2WDAuLOZMzD73T2WwC5S72ivoZcdYiEI5y/2BO20Gll m3YSzruhnQa+ASyxDFsYLyyBSngTVEgsmhWeA5HvqaL0zXtfexqMOIIfaGwZwmFuqvp5 J9J1+oJC2hRwSOeeImr6FKXWg38J7QuiWXaDcAqOTPbJ8n3pigAG56DGFxCEoCZChGtX Hz6M+A7dQbhrUQxw1SY6/0uI1vmGyJGPEHAW2wPNZuzOstHmAr+vGHw38Gkg/+iOLWqK 3wsOXmu1wakcGeozXo5GfGfkt/QySZejPhC3zLZTkG2KjbLs0cRZpOIY3HfzXv0LcAmC zebQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715315631; x=1715920431; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Frlt/JCDp28N32tl41AJadITFzsjh5OW2Y68I3BZWQw=; b=U0gOWb593Hc2bW1qxJo+E3Ud5Ten36Nld6X/sVRAqnurx5C3JqtJo3DbK/9uMEv4qv abAwaDSYYuJaHo1et7ledJLSDjwx6D2hE8p8j3NL5vF7VrRGK/ocRFqviX53/uCJBDnX CN4yF8ztt0AD00ty9GVDuyUJxEMH1Ou4kWpGAd4k29VsZ1H6kee3wh2y1p40TIBukTjA x02fLvWo5zDtH2G2imFjaS1PuzJRwAou4o3h+ufeYy8Y8Hm8I9vdXNCsVIucfeN/hpsL xew5dW+gTQ1BKY9AuAdB1bt0E7eoE4lG7dpz7A+5XmtXSVlkjzRUQ6uLByn+WvyLASav dCag== X-Gm-Message-State: AOJu0YxTf+p10Aqr5Qsf5U4Iq1wTrdnWuk35nRTzPKE7pHcFgbJ/9ncZ d0xgx+twoOLMxTs2772FXEfqbI8w68wchD4lsJYIEEvm/Ebx1w++MQCWBHMXs8Ehc/sd9BokX6v J6DtT3AATBH1s9mLqLs9v4mbd6eZ62BEhWEo= X-Google-Smtp-Source: AGHT+IFziy6BpUvs/L0BIEbwMionqCVPioeKFsGfYwi75A7ZJkO0wMsTMRw2HCQGK7Y68EUBnmOvIgPP+DV90i8ddJE= X-Received: by 2002:a05:6214:5788:b0:6a0:7a42:128a with SMTP id 6a1803df08f44-6a1680bc1ddmr15656306d6.0.1715315631085; Thu, 09 May 2024 21:33:51 -0700 (PDT) MIME-Version: 1.0 From: yudhi s Date: Fri, 10 May 2024 10:03:40 +0530 Message-ID: Subject: Question on roles and privileges To: pgsql-general Content-Type: multipart/alternative; boundary="000000000000de5ef90618120a30" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000de5ef90618120a30 Content-Type: text/plain; charset="UTF-8" Hello All, We want to make sure to keep minimal privileges for the users based on their roles and responsibility. We have one user group who will be working on analyzing/debugging into performance issues in the databases. Basically this group will be operating on extensions like apg_plan_management, pg_hint_plan, auto_explain, plprofiler, pg_repack. So these extensions will already be installed for the group, but they will just need to use those appropriately. For example pg_hint_plan will not need any write privilege because the user just has to put the hint in the query and run it to see any performance variation. So like that , what kind of minimal privileges will each of these extensions need to make them work for this performance group? Basically if any of these will need write privilege or all works can be performed using Readonly roles/privilege only? And I understand pg_monitor role wraps up most of the key read only privileges within it to work on performance issues and also its a readonly privilege only. So I wanted to know from experts here , if it's true and pg_monitor role will suffice for all the above work? Regards Yudhi --000000000000de5ef90618120a30 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hello All,
We want to make sure to keep minimal privil= eges for the users based on their roles and responsibility. We have one use= r group who will be working on analyzing/debugging into performance issues = in the databases. Basically this group will be operating on extensions like= apg_plan_management, pg_hint_plan, auto_explain, plprofiler, pg_repack. So= these extensions will already be installed for the group, but they will ju= st need to use those appropriately. For example pg_hint_plan will not need = any write privilege because the user just has to put the hint in the query = and run it to see any performance variation.

So like that , what kin= d of minimal privileges will each of these extensions need to make them wor= k for this performance group? Basically if any of these will need write pri= vilege or all works can be performed using Readonly roles/privilege only?

And I understand pg_monitor role wraps up most of the key read= only privileges within it to work on performance issues and also its a rea= donly privilege only. So I wanted to know from experts here , if it's t= rue and pg_monitor role will suffice for all the above work?

Regards
Yudhi
--000000000000de5ef90618120a30--