On 07.03.22 19:18, Robert Haas wrote:
That all said, permissions SHOULD BE strictly additive. If boss doesn't want
to be a member of pg_read_all_files allowing them to revoke themself from that
role seems like it should be acceptable. If there is fear in allowing someone
to revoke (not add) themselves as a member of a different role that suggests we
have a design issue in another feature of the system. Today, they neither
grant nor revoke, and the self-revocation doesn't seem that important to add.
I disagree with this on principle, and I also think that's not how it
works today. On the general principle, I do not see a compelling
reason why we should have two systems for maintaining groups of users,
one of which is used for additive things and one of which is used for
subtractive things.
Do we have subtractive permissions today?
