Greetings,

* Ivan Voras (ivoras@xxxxxxxxx) wrote:
> On 30 October 2017 at 22:10, David G. Johnston <david.g.johnston@xxxxxxxxx>
> wrote:
> > Not quite following but ownership is an inheritable permission;
>
> Basically, I'm asking if "ownership" can be revoked from the set of
> inherited permissions? If there is a role G which is granted to role A, and
> G is the owner of a database, can A be made to not be able to do what only
> owners can (specifically in this case, drop databases)?

No, that's exactly what role membership means- you have the same rights
as the other role.

> > and even if it was not SET ROLE is all that would be required. Any owner
> > can drop an object that it owns.
>
> It's kind of the reverse: I'm wondering if ownership can be made
> un-inheritable.

No, because even if ownership wasn't inheritable the user would simply
do 'SET ROLE owner;' and then have all of the ownership rights that way.

> Just considering the case of dropping databases for now. I.e. let the
> developers do everything except that. It's a start.

I think you're assuming far too much about what being a database owner
means- I'd suggest you really think about why the developers need to be
database owners at all; in other words- what's the *other* privilege
that's currently only available to database owners that you need
developers to be able to do?

I have a hunch that it might be GRANT'ing rights on the database, but
there's only a couple such rights (eg: CONNECT) and you might be better
off managing those in another way.

Thanks!

Stephen
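The two setups discussed in this thread, as an added example that is not part of the original messages: membership in the owning role next to a layout where developers hold only explicit database privileges. The role and database names (`app_owner`, `dev_group`, `alice`, `appdb`) are hypothetical, and the script assumes a superuser psql session on a scratch cluster.

```sql
-- Added example. All role and database names are hypothetical.
-- Run as a superuser in psql against a scratch cluster.
CREATE ROLE app_owner NOLOGIN;          -- owns the database, nobody logs in as it
CREATE ROLE dev_group NOLOGIN;          -- carries the developers' privileges
CREATE ROLE alice LOGIN NOINHERIT;      -- a developer, with inheritance turned off
CREATE DATABASE appdb OWNER app_owner;

-- Setup the thread asks about: the developer is a member of the owning role.
GRANT app_owner TO alice;

-- NOINHERIT does not help: membership still lets alice switch to the owner.
SET SESSION AUTHORIZATION alice;
SET ROLE app_owner;
SELECT session_user, current_user;      -- who logged in vs. whose rights apply
-- From here alice acts as the owner of appdb, DROP DATABASE included.
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Alternative: remove the membership and grant only what developers need.
REVOKE app_owner FROM alice;
ALTER ROLE alice INHERIT;               -- set before the next GRANT so it inherits
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT, TEMPORARY ON DATABASE appdb TO dev_group;
GRANT dev_group TO alice;

-- Verify: can alice connect, and is she still a member of the owning role?
SELECT has_database_privilege('alice', 'appdb', 'CONNECT') AS can_connect,
       pg_has_role('alice', 'app_owner', 'MEMBER')         AS in_owner_role;

-- Cleanup for the scratch cluster.
DROP DATABASE appdb;
DROP ROLE alice, dev_group, app_owner;
```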