Dear Peter, > The functionality of the ACL system is to answer questions like "does > user X have privilege Y on object Z".
ONE OF the functionality, and THE functionality from the backend point of view. As I'm developing slowly a "pg_advisor" schema to check for various consistency issues. For instance, "does all foreign key checks have relevant indexes", things like that. I'm also considering writing views to check for inconsistencies in the granted rights. > It seems that this question can be answered using existing facilities. Sure. But this is a functional interface for answering *one* specific question, what is fine from the backend standpoint. The functions hide queries to the raw data. I'm rather trying to find *all* possible answers to some questions, so typically this would be done with one single large query. For instance, "is there a granted right in the system where the grantor does not have the relevant grant options right?". The has_* interface does not allow to answer to this question, I need to go back to the raw data. As I already said, querying an array of opaque type is difficult. > Additionally we have information schema views that list existing > privileges, and those views are defined using existing facilities. It > appears that your tables mostly duplicate that. Well, that is indeed possible to a partial extent. On one of the first discussion about the advisor stuff, it appeared that it was more interesting to rely on pg_catalog than on information_schema, so I'm looking only at pg_catalog at the time. One argument was that specific informations are only available in pg_catalog. For instance, I need to check for acl about groups, but group is pg-specific and does not appear in information_schema. I hope that my intent is clearer, have a nice day, -- Fabien Coelho - [EMAIL PROTECTED] ---------------------------(end of broadcast)--------------------------- TIP 7: don't forget to increase your free space map settings