Greetings, * David G. Johnston (david.g.johnston@xxxxxxxxx) wrote: > On Fri, Feb 16, 2018 at 7:56 AM, Durumdara <durumdara@xxxxxxxxx> wrote: > > > I want to know what happened in the background. > > I will make "negative" state if I revoke DefACL without prior grant? > > Not really following the whole thread but figured I'm comment on this > point that confused me in the past as well. > > Not sure if this is what you mean but there is no concept of "negative > state" in the permissions system. Everything starts out with no > permissions. Grant adds permissions and revoke un-adds granted > permissions. Revoking something that doesn't exist is either a no-op or a > warning depending on the context - either way its doesn't setup a > "forbidden" state for the permission. This isn't entirely correct. Functions are the classic example where EXECUTE to PUBLIC is part of the default and the "negative" state of having a function where EXECUTE is REVOKE'd from PUBLIC is entirely reasonable and even common. Further, object owners also have a default set of privileges which can be revoked from them, and that's true of basically all objects. > Revoking/granting on default ACLs never affects already existing objects. Right, to change existing ACLs one would use GRANT ON ALL or individual GRANT statements. Thanks! Stephen
Attachment:
signature.asc
Description: PGP signature
