Ron <ronljohnsonjr@xxxxxxxxx> writes:
> On 11/4/23 16:53, Peter J. Holzer wrote:
>> This doesn't answer the question why ALTER TABLE privilege would be
>> required.

> I bet the Good Idea Fairy whispered something into the CISO's ear.

Yeah.  This is blatantly obviously the brainchild of some person with
no actual experience in fulfilling the roles they want to circumscribe.

Having said that, maybe:

* Role foo_owner actually owns the tables, but revokes its own DML
  privileges (select etc)

* Role foo_app is granted foo_owner so it can do DDL on the tables,
  and is also granted DML privileges on the tables

* Role foo_dba is granted foo_owner but not DML privileges.

This is, of course, trivially breakable by any foo_dba who doesn't
want to play by the rules, but as long as you log DDL there will
at least be log traces that she did so.

			regards, tom lane
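The three-role layout sketched in the message, written out as an added SQL illustration (not code from the thread); the role names are the message's, while the schema foo, the table foo.customer, and running the script as a superuser are assumptions.

```sql
-- Added illustration of the foo_owner / foo_app / foo_dba layout from the message.
-- Assumptions: run as a superuser; schema "foo" and table "foo.customer" are made up.

-- The owning role never logs in; the two working roles are its members.
CREATE ROLE foo_owner NOLOGIN;
CREATE ROLE foo_app LOGIN;
CREATE ROLE foo_dba LOGIN;

-- Membership in the owning role is what permits ALTER/DROP on its tables,
-- so both foo_app and foo_dba can do DDL.
GRANT foo_owner TO foo_app;
GRANT foo_owner TO foo_dba;

-- Create the objects so that foo_owner really is the owner.
CREATE SCHEMA foo AUTHORIZATION foo_owner;
SET ROLE foo_owner;
CREATE TABLE foo.customer (id bigint PRIMARY KEY, email text NOT NULL);

-- The owner strips its own ordinary privileges: ownership still allows DDL,
-- but membership in foo_owner no longer carries any DML with it.
REVOKE ALL ON foo.customer FROM foo_owner;
RESET ROLE;

-- DML is granted to foo_app directly; foo_dba gets none.
GRANT SELECT, INSERT, UPDATE, DELETE ON foo.customer TO foo_app;

-- The caveat in the message: a member of foo_owner can re-grant itself DML,
-- so keep the trace. log_statement = 'ddl' records GRANT/REVOKE as well as
-- CREATE/ALTER/DROP, which is what leaves the log entries the message relies on.
ALTER SYSTEM SET log_statement = 'ddl';
SELECT pg_reload_conf();

-- Check the resulting matrix: who can read rows, and who can run DDL.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'foo.customer', 'SELECT') AS can_select,
       pg_has_role(r.rolname, 'foo_owner', 'MEMBER')            AS can_ddl
  FROM pg_roles r
 WHERE r.rolname IN ('foo_owner', 'foo_app', 'foo_dba')
 ORDER BY r.rolname;
```

Tables created later need the same REVOKE from foo_owner (or an ALTER DEFAULT PRIVILEGES rule), otherwise they come with full owner DML that foo_dba inherits.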