In PostgreSQL 10 - when using an "owner user" (login role owning a schema and all tables, not used by the application at runtime) and a "runtime" user I can GRANT Select/Update/Delete permissions on all existing tables in the schema to the runtime user:
GRANT SELECT ON ALL TABLES IN SCHEMA owner TO runtime;
But this only applies to existing objects and not new tables which might get created later on.
Is there a way to avoid granting on all new objects by way of inheriting roles or schema permissions or similar?
1 Answer
Yes. The key word is DEFAULT PRIVILEGES.
ALTER DEFAULT PRIVILEGES FOR ROLE owner_user IN SCHEMA owner
GRANT SELECT ON TABLES TO runtime;
Grants the specified privileges for all specified objects created in the future by the specified role, to the other specified role.
I specified the target_role (owner_user) explicitly to avoid ambiguity. Else, quoting the manual:
If FOR ROLE is omitted, the current role is assumed.
Related:
- Grant all on a specific schema in the db to a group role in PostgreSQL
- How to manage DEFAULT PRIVILEGES for USERs on a DATABASE vs SCHEMA?
And don't forget access to sequences if you have any serial columns. The first linked answer has instructions.
- Thanks, that's what I was looking for. From the documentation link I can see that I could also skip "FOR owner_user" and it would apply to all entries in the schema. – eckes, Aug 3, 2018 at 13:55
- @eckes: That's a misunderstanding. See clarification above. – Erwin Brandstetter, Aug 3, 2018 at 14:21
- @eckes: BTW, pgAdmin III has a bug, displaying the FOR target_user clause incorrectly. Details: postgresql.org/message-id/flat/… You are not the first to be confused by this. :) – Erwin Brandstetter, Aug 3, 2018 at 14:28
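The FOR ROLE scoping discussed in the answer and its comments, as an added example that is not part of the original posts: default privileges attach to the role that creates the object, so a table created in the same schema by a different role gets no grant. It assumes a superuser session in a scratch database; other_user and the table names are hypothetical, and the sequence grant is one way to cover serial columns, not the linked answer's text.

```sql
-- Added demo (constructed). Run as a superuser in a scratch database.
-- owner_user, runtime and schema "owner" are the names used on the page;
-- other_user, t_by_owner and t_by_other are hypothetical.
BEGIN;

CREATE ROLE owner_user;
CREATE ROLE other_user;
CREATE ROLE runtime;

CREATE SCHEMA owner AUTHORIZATION owner_user;
GRANT CREATE ON SCHEMA owner TO other_user;
-- Table privileges alone are not enough: runtime also needs USAGE on the schema.
GRANT USAGE ON SCHEMA owner TO runtime;

-- Defaults apply only to objects that owner_user creates from now on.
ALTER DEFAULT PRIVILEGES FOR ROLE owner_user IN SCHEMA owner
   GRANT SELECT ON TABLES TO runtime;
-- Sequences behind serial columns are separate objects with their own defaults.
ALTER DEFAULT PRIVILEGES FOR ROLE owner_user IN SCHEMA owner
   GRANT USAGE ON SEQUENCES TO runtime;

-- Table created by the role named in FOR ROLE: the default grant is applied.
SET ROLE owner_user;
CREATE TABLE owner.t_by_owner (id serial PRIMARY KEY);
RESET ROLE;

-- Table created by a role with no default privileges configured:
-- nothing is granted, even though it lives in the same schema.
SET ROLE other_user;
CREATE TABLE owner.t_by_other (id int);
RESET ROLE;

-- Compare what runtime ended up with on each object.
SELECT has_table_privilege('runtime', 'owner.t_by_owner', 'SELECT')            AS select_on_owner_table,
       has_table_privilege('runtime', 'owner.t_by_other', 'SELECT')            AS select_on_other_table,
       has_sequence_privilege('runtime', 'owner.t_by_owner_id_seq', 'USAGE')   AS usage_on_owner_sequence;

-- Audit which creating role each default ACL entry is bound to
-- (psql's \ddp shows the same catalog).
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,
       d.defaclacl                   AS default_acl
FROM   pg_default_acl d
LEFT   JOIN pg_namespace n ON n.oid = d.defaclnamespace;

ROLLBACK;  -- leave the scratch database unchanged
```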