In response to Rikard Pavelic <rikard.pavelic@xxxxxxxxxxx>: > Tom Lane wrote: > > No, it's operating as designed. Per the GRANT reference page: > > : Depending on the type of object, the initial default privileges may > > : include granting some privileges to PUBLIC. The default is no public > > : access for tables, schemas, and tablespaces; CONNECT privilege and TEMP > > : table creation privilege for databases; EXECUTE privilege for functions; > > : and USAGE privilege for languages. The object owner may of course revoke > > : these privileges. (For maximum security, issue the REVOKE in the same > > : transaction that creates the object; then there is no window in which > > : another user may use the object.) > > > > You'll need to revoke the default public EXECUTE privilege on any > > functions you don't want to be callable. > > Hmm, so the answer to my question > "How can I assign execute permission to a role for a single function > inside schema." > is I can't? How did you interpret "do it like this" to mean "you can't do it"? REVOKE ALL ON <function name> FROM PUBLIC; > So this basically means that I can't fine tune the permissions through > functions, but I > can through views and tables? > This looks like a bug in design to me ;( Relax. You (somehow) misunderstood Tom. -- Bill Moran http://www.potentialtech.com
