Participants
Miles Elam
Miles Elam
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Miles ElamMiles Elam
Sep 11, 2019
#2Tom LaneTom Laneto Miles Elam (#1)
Sep 11, 2019
#3Miles ElamMiles Elamto Tom Lane (#2)
Sep 11, 2019

REVOKE DROP rights

Started by Miles Elamover 6 years ago3 messagesgeneral
Jump to latest
#1Miles Elam
Miles Elam
miles.elam@productops.com

Is there any way to prevent a user from dropping a table when that user has
create rights? I'd like to allow that user to be able to create and delete
their own tables but not specific shared tables.

Is the only way to put the shared tables into a different schema?

Thanks in advance

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Miles Elam (#1)
Re: REVOKE DROP rights

Miles Elam <miles.elam@productops.com> writes:

Is there any way to prevent a user from dropping a table when that user has
create rights? I'd like to allow that user to be able to create and delete
their own tables but not specific shared tables.

I think maybe you didn't read the manual closely. Creation privileges
cover the right to create an object (in a given database or
schema), but only the creator/owner has the right to drop a particular
object once it exists.

We do grant the owner of a schema or database the right to drop objects
within it, since they could surely achieve that result by dropping the
whole schema or database. But merely having create privilege doesn't
extend to that.

So basically you want a shared schema that is owned by some trusted
role, and your less-trusted roles have create (and usage!) on that
schema.

regards, tom lane

#3Miles Elam
Miles Elam
miles.elam@productops.com
In reply to: Tom Lane (#2)
Re: REVOKE DROP rights

Makes sense. Thanks!

On Wed, Sep 11, 2019 at 1:43 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Show quoted text

Miles Elam <miles.elam@productops.com> writes:

Is there any way to prevent a user from dropping a table when that user

has

create rights? I'd like to allow that user to be able to create and

delete

their own tables but not specific shared tables.

I think maybe you didn't read the manual closely. Creation privileges
cover the right to create an object (in a given database or
schema), but only the creator/owner has the right to drop a particular
object once it exists.

We do grant the owner of a schema or database the right to drop objects
within it, since they could surely achieve that result by dropping the
whole schema or database. But merely having create privilege doesn't
extend to that.

So basically you want a shared schema that is owned by some trusted
role, and your less-trusted roles have create (and usage!) on that
schema.

regards, tom lane

← Back to Topics