On 8/7/20 12:27 PM, Scott Ribe wrote:
On Aug 7, 2020, at 1:08 PM, Adrian Klaver <adrian.klaver@xxxxxxxxxxx> wrote:
"Using this command, it is possible to either add privileges or restrict one's privileges. If the session user role has the INHERIT attribute, then it automatically has all the privileges of every role that it could SET ROLE to; in this case SET ROLE effectively drops all the privileges assigned directly to the session user and to the other roles it is a member of, leaving only the privileges available to the named role. On the other hand, if the session user role has the NOINHERIT attribute, SET ROLE drops the privileges assigned directly to the session user and instead acquires the privileges available to the named role.
"
So it would only have removed privs if I had used set role in the session, which I am not.
See Tom's answer. To confirm do:
SELECT
s.setdatabase,
s.setrole,
rolname,
s.setconfig,
rolname
FROM
pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole;
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx