Participants
Don Parris
Don Parris
Tom Lane
Tom Lane
Melvin Davidson
Melvin Davidson
Attachments
Show all attachments
Thread Outline
#1...#2
Don ParrisTom Lane
Jan 09, 2016
#1Don ParrisDon Parris
Jan 09, 2016
#2Tom LaneTom Laneto Don Parris (#1)
Jan 09, 2016
#3...#4
Melvin DavidsonDon Parris
to Tom Lane (#2)
Jan 09, 2016
#3Melvin DavidsonMelvin Davidsonto Tom Lane (#2)
Jan 09, 2016
#4Don ParrisDon Parristo Melvin Davidson (#3)
Jan 10, 2016
#5Don ParrisDon Parristo Tom Lane (#2)
Jan 10, 2016

Schemas, Roles & Search Path

Started by Don Parrisabout 10 years ago5 messagesgeneral
Jump to latest
#1Don Parris
Don Parris
parrisdc@gmail.com

Hi all,

I just want to check my understanding of schemas, search paths and roles in
implementing my database design.

Scenario:
A database with various "modules" (groups of tables & views, etc.), some of
which are shared in common across a given organization, but others are
specific to a given department within the organization. I am thinking to
use schemas for the department-specific modules. So, for example:
Schema COMMON module: contains relations for categories, contacts and a few
other items.
FACILITIES module: contains relations for facility management department,
which includes the physical security team.
HR module: HR-specific relations
ACCOUNTING module: Accounting relations - but other departments need access
to certain accounting functions.
The relations within each schema still need appropriate privilege settings,
of course.

I would use group and user roles to manage privileges throughout the
database, so:
Group roles for HR, Accounting, Facilities, Sales, etc.
User roles assigned to appropriate group roles

I *think* I want to set the search path on the group roles so that the
Facilities team can see the COMMON and FACILITIES schemas:

ALTER ROLE fm_users search_path=common, facilities, accounting;

Or do I need to set the search path for each user individually?

ALTER ROLE joe SET search_path=common, facilities, accounting;

I don't see any references to setting the search_path for group roles, so I
assume I need to set this at the user role level. Is that correct?

My thinking on the design could be off base, but I think this is the
general approach I want.

Thanks!
--
D.C. Parris, FMP, Linux+, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
http://dcparris.net/ <https://www.xing.com/profile/Don_Parris&gt;
<http://www.linkedin.com/in/dcparris&gt;
GPG Key ID: F5E179BE

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Don Parris (#1)
Re: Schemas, Roles & Search Path

Don Parris <parrisdc@gmail.com> writes:

I *think* I want to set the search path on the group roles so that the
Facilities team can see the COMMON and FACILITIES schemas:
ALTER ROLE fm_users search_path=common, facilities, accounting;

Or do I need to set the search path for each user individually?
ALTER ROLE joe SET search_path=common, facilities, accounting;

The latter. A session only absorbs ALTER ROLE SET settings for the
exact role you're logging in as. (Otherwise there would be a need
for a conflict resolution rule, and it's pretty hard to see how that
would work in general for arbitrary settings.) Role "inheritance"
applies to granted privileges only.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3Melvin Davidson
Melvin Davidson
melvin6925@gmail.com
In reply to: Tom Lane (#2)
Re: Schemas, Roles & Search Path

Just a side note. the search_path only sets the priority for resolving
table locations
EG: First look in COMMON, then FACILITIES until the table name is found.

However, if you prefix the table name with the actual schema EG:
COMMON.table, then the table is located directly and search_path is not
needed.

Finally, it is NOT a good idea to use UPPERCASE or CamelCase for object
names in PostgreSQL, as PostgreSQL will naturally assume lowercase for all
objects
unless they are quoted. So probably you want schema names to be common,
facilities, etc.

On Sat, Jan 9, 2016 at 10:22 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Don Parris <parrisdc@gmail.com> writes:

I *think* I want to set the search path on the group roles so that the
Facilities team can see the COMMON and FACILITIES schemas:
ALTER ROLE fm_users search_path=common, facilities, accounting;

Or do I need to set the search path for each user individually?
ALTER ROLE joe SET search_path=common, facilities, accounting;

The latter. A session only absorbs ALTER ROLE SET settings for the
exact role you're logging in as. (Otherwise there would be a need
for a conflict resolution rule, and it's pretty hard to see how that
would work in general for arbitrary settings.) Role "inheritance"
applies to granted privileges only.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

--
*Melvin Davidson*
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.

#4Don Parris
Don Parris
parrisdc@gmail.com
In reply to: Melvin Davidson (#3)
Re: Schemas, Roles & Search Path

On Sat, Jan 9, 2016 at 11:16 AM, Melvin Davidson <melvin6925@gmail.com>
wrote:

Just a side note. the search_path only sets the priority for resolving
table locations
EG: First look in COMMON, then FACILITIES until the table name is found.

However, if you prefix the table name with the actual schema EG:
COMMON.table, then the table is located directly and search_path is not
needed.

Melvin, thanks for that - confirms what I understand about schemas.

Finally, it is NOT a good idea to use UPPERCASE or CamelCase for object
names in PostgreSQL, as PostgreSQL will naturally assume lowercase for all
objects
unless they are quoted. So probably you want schema names to be common,
facilities, etc.

Thanks. I was just capitalizing for the e-mail. I never actually use
upper or camel case in my code.

On Sat, Jan 9, 2016 at 10:22 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Don Parris <parrisdc@gmail.com> writes:

I *think* I want to set the search path on the group roles so that the
Facilities team can see the COMMON and FACILITIES schemas:
ALTER ROLE fm_users search_path=common, facilities, accounting;

Or do I need to set the search path for each user individually?
ALTER ROLE joe SET search_path=common, facilities, accounting;

The latter. A session only absorbs ALTER ROLE SET settings for the
exact role you're logging in as. (Otherwise there would be a need
for a conflict resolution rule, and it's pretty hard to see how that
would work in general for arbitrary settings.) Role "inheritance"
applies to granted privileges only.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

--
*Melvin Davidson*
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.

--
D.C. Parris, FMP, Linux+, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
http://dcparris.net/ <https://www.xing.com/profile/Don_Parris&gt;
<http://www.linkedin.com/in/dcparris&gt;
GPG Key ID: F5E179BE

#5Don Parris
Don Parris
parrisdc@gmail.com
In reply to: Tom Lane (#2)
Re: Schemas, Roles & Search Path

On Sat, Jan 9, 2016 at 10:22 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Don Parris <parrisdc@gmail.com> writes:

I *think* I want to set the search path on the group roles so that the
Facilities team can see the COMMON and FACILITIES schemas:
ALTER ROLE fm_users search_path=common, facilities, accounting;

Or do I need to set the search path for each user individually?
ALTER ROLE joe SET search_path=common, facilities, accounting;

The latter. A session only absorbs ALTER ROLE SET settings for the
exact role you're logging in as. (Otherwise there would be a need
for a conflict resolution rule, and it's pretty hard to see how that
would work in general for arbitrary settings.) Role "inheritance"
applies to granted privileges only.

regards, tom lane

Thanks Tom, that helps!

Don
--
D.C. Parris, FMP, Linux+, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
http://dcparris.net/ <https://www.xing.com/profile/Don_Parris&gt;
<http://www.linkedin.com/in/dcparris&gt;
GPG Key ID: F5E179BE

← Back to Topics