Participants
Schmid Andreas
Schmid Andreas
Laurenz Albe
Laurenz Albe
Attachments
Show all attachments
Thread Outline
#1Schmid AndreasSchmid Andreas
Mar 06, 2020
#2Laurenz AlbeLaurenz Albeto Schmid Andreas (#1)
Mar 06, 2020

How to allow users to create and modify tables only in their own schemas, but with generic table owner

Started by Schmid Andreasabout 6 years ago2 messagesgeneral
Jump to latest
#1Schmid Andreas
Schmid Andreas
Andreas.Schmid@bd.so.ch

Hi List

I'd like to setup my database in a way that only a superuser may create schemas, then grants permission to a specific user to create tables inside this schema. This should work so far with GRANT CREATE ON SCHEMA ... TO user_a. However I want the table owner not to be the user that creates the tables. Instead the owner should rather be a generic role (e.g. table_owner), and the owner should be the same over all tables of the whole database. This would work, too, if I grant membership in role table_owner to all users that may create tables. (The users must issue a SET ROLE table_owner before creating tables.)

What I didn't achieve so far is making sure that user_a who created tables in schema_a cannot crete/modify tables of schema_b that were created by user_b. Do you see any way to achieve this, while still sticking to that generic owner role?

Thanks a lot for your thoughts.

Andy

#2Laurenz Albe
Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Schmid Andreas (#1)
Re: How to allow users to create and modify tables only in their own schemas, but with generic table owner

On Fri, 2020-03-06 at 11:04 +0000, Schmid Andreas wrote:

I'd like to setup my database in a way that only a superuser may create schemas,
then grants permission to a specific user to create tables inside this schema.
This should work so far with GRANT CREATE ON SCHEMA ... TO user_a.
However I want the table owner not to be the user that creates the tables.
Instead the owner should rather be a generic role (e.g. table_owner), and the
owner should be the same over all tables of the whole database. This would work,
too, if I grant membership in role table_owner to all users that may create tables.
(The users must issue a SET ROLE table_owner before creating tables.)

Yes, that will work, but you have to SET ROLE before creating the table.

What I didn't achieve so far is making sure that user_a who created tables in schema_a
cannot crete/modify tables of schema_b that were created by user_b. Do you see any way
to achieve this, while still sticking to that generic owner role?

No, that is impossible.

But I don't understand the motivation: If you want that, why would you
want a "table_owner" role?
If you don't want user B to be able to drop user A's table, why don't
you have each user be the owner of his tables?

Yours,
Laurenz Albe

← Back to Topics