* David G Johnston (david.g.johns...@gmail.com) wrote: > I'd rather there be better, more user friendly, SQL-based APIs to the > permissions system that would facilitate performing and reviewing grants.
This would be *really* nice, I agree. I've heard tale of people writing functions that go through the catalog based on a given user and spit back everything that they have permissions to. Would be really nice if we had those kinds of functions built-in. > If something like IMPERSONATE was added I would strongly suggest a > corresponding "[NO]IMPERSONATE" for CREATE USER so that the admin can make > specific roles unimpersonable - and also make SUPERUSER roles unimpersonable > by rule. I agree that this would be necessary.. but strikes me as less of a complete solution than what the existing pg_auth_members approach grants you. Perhaps a better idea would be to simply make the bouncer unnecessary by having a in-PG connection pooler type of system. That's been discussed previously and shot down but it's still one of those things that's on my wish-list for PG. Thanks, Stephen
Description: Digital signature