Hans-Jürgen Schönig writes:

> Imagine having groups having rights on dozens of tables. If these groups
> were assigned to a role it would be an easy task to block numerous
> groups from executing SQL at once. Currently a user has all rights of
> all groups he belongs to so it is damn hard to say that 1000 users
> should not be allowed to do anything for a period of time (because of
> maintenance or so). If all those users (but the superuser) had a certain
> role, the role could be modified instead of those 1000 users/groups (eg.
> REVOKE login, execute_sql FROM some_role).

I think you can do that with groups: Create a number of groups, say
users1, users2, etc., and then, at the predermined hour, you do:

REVOKE privilege FROM users1;
GRANT privilege TO users2;

This might be helped if groups could contain other groups, so that
"privilege" could be a group/role name, to ease administration, but that
does not create any distinction between the concepts role and group.

Peter Eisentraut   [EMAIL PROTECTED]

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
    (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])

Reply via email to