public inbox for [email protected]
Q: GRANT ... WITH ADMIN on PG 17 (3+ messages / 2 participants)

* Q: GRANT ... WITH ADMIN on PG 17
From: Karsten Hilbert @ 2025-08-21 15:36 UTC
To: [email protected]

Dear all,

PG 17 documentation says that using "WITH ADMIN" allows the
role being added to another group role to grant/revoke
membership in said group to other roles.

Does this imply that an ADMIN role _must_ itself be a member
of the group role it is to maintain membership of ?

The question arises from a scenario where a DBA role would
not need to be a member of a clinical group role but would be
intended to maintain membership of clinical user roles within
that group role.

From a security point of view the question might be moot
because an ADMIN role could always grant itself membership in
the group role -- but it feels wrong for reasons of
theoretical "correctness".

IOW:

- gm-dbo: user role for a DBA admin (not! superuser)
- gm-bones: user role for a LLAP doctor
- gm-doctors: group role for doctors, upon which are resting
  access permissions for clinical data

- gm-bones is to be a member of gm-doctors in order to access
  clinical data
- gm-dbo is intended to manage membership of gm-bones in
  gm-doctors
- however, gm-dbo need not itself be a member of gm-doctors

Is that possible within the current (as of PG 17) framework ?

Thanks,
Karsten
--
GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B

* Re: Q: GRANT ... WITH ADMIN on PG 17
From: Adrian Klaver @ 2025-08-21 15:46 UTC
To: Karsten Hilbert <[email protected]>; [email protected]

On 8/21/25 08:36, Karsten Hilbert wrote:
> Dear all,
>
> PG 17 documentation says that using "WITH ADMIN" allows the
> role being added to another group role to grant/revoke
> membership in said group to other roles.

I would start by reading this:

https://rhaas.blogspot.com/2023/01/surviving-without-superuser-coming-to.html

>
> Thanks,
> Karsten

--
Adrian Klaver
[email protected]

* Re: Q: GRANT ... WITH ADMIN on PG 17
From: Karsten Hilbert @ 2025-08-21 15:59 UTC
To: Adrian Klaver <[email protected]>; +Cc: [email protected]

On Thu, Aug 21, 2025 at 08:46:00AM -0700, Adrian Klaver wrote:

> >PG 17 documentation says that using "WITH ADMIN" allows the
> >role being added to another group role to grant/revoke
> >membership in said group to other roles.
>
> I would start by reading this:
>
> https://rhaas.blogspot.com/2023/01/surviving-without-superuser-coming-to.html

Thanks, I did, but did not find the answer to:

Is there a way for a role that can manage membership in a
group role to not itself be a member of that group role ?

Best regards,
Karsten
--
GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B
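
Added example, not part of the thread or of any poster's message: on
PostgreSQL 16 and later, GRANT accepts per-membership ADMIN, INHERIT and
SET options, so the scenario's gm-dbo can be given ADMIN on gm-doctors
without inheriting its privileges or being able to SET ROLE to it. Role
names come from the thread; the statements assume a superuser session on
a scratch database.

```sql
-- Added example (not from the thread). Assumes PostgreSQL 16+ and a
-- superuser session on a scratch database.

-- Roles from the scenario described in the first message.
CREATE ROLE "gm-doctors" NOLOGIN;   -- group role carrying clinical privileges
CREATE ROLE "gm-bones"   LOGIN;     -- doctor
CREATE ROLE "gm-dbo"     LOGIN;     -- DBA, not a superuser

-- Give gm-dbo the right to administer membership in gm-doctors while
-- switching off both ways of using the group's privileges:
--   INHERIT FALSE: privileges of gm-doctors are not inherited
--   SET FALSE:     SET ROLE "gm-doctors" is not permitted
GRANT "gm-doctors" TO "gm-dbo"
    WITH ADMIN TRUE, INHERIT FALSE, SET FALSE;

-- Acting as gm-dbo, add the doctor to the group.
SET SESSION AUTHORIZATION "gm-dbo";
GRANT "gm-doctors" TO "gm-bones";
RESET SESSION AUTHORIZATION;

-- Audit: one row per (group, member, grantor) with the three option flags.
SELECT g.rolname  AS group_role,
       m.rolname  AS member,
       gr.rolname AS grantor,
       am.admin_option,
       am.inherit_option,
       am.set_option
FROM   pg_auth_members am
JOIN   pg_roles g  ON g.oid  = am.roleid
JOIN   pg_roles m  ON m.oid  = am.member
JOIN   pg_roles gr ON gr.oid = am.grantor
WHERE  g.rolname = 'gm-doctors'
ORDER  BY member, grantor;

-- Effective checks for the DBA role against the group role.
SELECT pg_has_role('gm-dbo', 'gm-doctors', 'USAGE') AS inherits_privileges,
       pg_has_role('gm-dbo', 'gm-doctors', 'SET')   AS can_set_role,
       pg_has_role('gm-dbo', 'gm-doctors', 'MEMBER WITH ADMIN OPTION')
                                                    AS can_administer;
```

The grant still creates a pg_auth_members row for gm-dbo; the three
option columns are what separate administering the group from using its
privileges, and the grantor column shows who issued each grant.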