Rob Sargent <robjsargent@xxxxxxxxx> writes: >> On Sep 20, 2019, at 6:15 AM, Tim Clarke <tim.clarke@xxxxxxxxxxxx> wrote: > On 20/09/2019 12:50, David Gallagher wrote: >>> ... would it make sense to have a user account on the database >>> to mirror the user account from the web app? Is that an unusual practice? >> Not at all, we're doing it > But you likely want a many-to-one mapping of actual user to permission group Yeah. You're likely to end up with a *lot* of user accounts in this scenario. There is a restriction on how many distinct GRANTs you can issue against any one object --- performance will get bad if the ACL list gets too large. However, you can add lots of users to any group role. So put the users into appropriate group(s) and issue database permissions on the group level. regards, tom lane
