|
Erik,
Instead of going thru second database db2 which is giving any object creation privilege, I may just stay with single databse db1 with second user u2 with full privilege in this schema s2. That way I do not need to provide additional resource of the database
db2.
My idea is to not to give any privilege other than CREATE VIEWs to u2.
Thanks,
Sarwar
From: Erik Wienhold <ewie@xxxxxxxxx>
Sent: Thursday, May 4, 2023 5:08 AM To: M Sarwar <sarwarmd02@xxxxxxxxxxx>; pgsql-admin@xxxxxxxxxxxxxxxxxxxx <pgsql-admin@xxxxxxxxxxxxxxxxxxxx> Subject: Re: Just View create privilege to user user2 > On 04/05/2023 01:07 CEST M Sarwar <sarwarmd02@xxxxxxxxxxx> wrote:
> > I want user u2 to have only CREATE VIEW privilege in schema s2. I do not want > u2 to create any other type of objects in s2 schema. You can setup a second database db2 just for u2 and have them access your database db1 via foreign tables. u2 still only has the SELECT privilege in db1 but can create objects in db2 and mess it up as they see fit. If you go with a single database and event triggers as Tom wrote you must also consider function security[0]. Otherwise u2 can override relations in s1 just by creating compatible views in s2 and set search_path=s2,s1. u2 can thus inject data into functions that have no explicit search_path. [0] https://na01.safelinks.protection.outlook.com/?url=""> -- Erik |
