> On 03/06/2023 09:16 CEST Andrus <kobruleht2@xxxxxx> wrote: > > User groups table is defined as > > CREATE TABLE IF NOT EXISTS public.kaspriv > ( > id serial primary key, > user character(10) NOT NULL, > group character(35) NOT NULL > ... > ) > > There are hundreds of users. Earlier time grant and revoke commands were > executed for every user separately. Later revoke and grant commands for > public were added: > > REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC; > GRANT SELECT ON TABLE public.kaspriv TO PUBLIC; > > pgAdmin SQL tab still shows revoke and grant commands for every user also: > > REVOKE ALL ON TABLE public.kaspriv FROM PUBLIC; > REVOKE ALL ON TABLE public.kaspriv FROM someuser; > REVOKE ALL ON TABLE public.kaspriv FROM someotheruser; > ... > GRANT SELECT ON TABLE public.kaspriv TO PUBLIC; > GRANT SELECT ON TABLE public.kaspriv TO someuser; > GRANT SELECT ON TABLE public.kaspriv TO someother; > ... > > How to remove those unnecessary user-specific GRANT and REVOKE commands to > make rights cleaner? pgAdmin does not have delete option for those. When you run REVOKE SELECT ON TABLE public.kaspriv FROM someuser; does it also remove the accompanying REVOKE ALL statement for that user? That REVOKE SELECT should remove the ACL for someuser from pg_class.relacl and pgAdmin should no longer find any ACL for that role and thus no longer emit REVOKE ALL. > Something like > > DROP REVOKE ALL ON TABLE public.kaspriv FROM all EXCEPT public; > DROP GRANT SELECT ON TABLE public.kaspriv FROM all EXCEPT public; > > This will be one-time action. It can be done manually in pgadmin or using > some script running once. Automate this with aclexplode[0] to get the privileges for specific grantees. Loop over the result set in a DO block, generate the REVOKE commands, and EXECUTE them. SELECT acl.grantee::regrole, acl.privilege_type FROM pg_class, aclexplode(relacl) acl WHERE oid = 'public.kaspriv'::regclass; > Using > > PostgreSQL 12.2 (Debian 12.2-2.pgdg100+1) on x86_64-pc-linux-gnu, > compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit > > and latest pgAdmin 7.2 [0] https://www.postgresql.org/docs/12/functions-info.html#FUNCTIONS-ACLITEM-FN-TABLE -- Erik
