> On Aug 7, 2020, at 12:45 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>
> If I'm reading this correctly, you have set things up so that any
> session logging in as akanzler will immediately do "SET ROLE
> confidential_read_only", after which it's the privileges of that
> role not akanzler that determine what happens.

YES, confidential_read_only has privs on everything *except* individual users' schemas, and rolinherit was accidentally set, that would certainly seem to be the problem. But I turned that off, and it still doesn't work--even in a new connection.