Josh Berkus <josh@agliodbs.com> writes: > The problem with this approach is it leaves us with no way to REVOKE > permissions on a specific table from a user who has permissions on the > SCHEMA. Our permissions model is completely additive, so if you did:
Why is that a problem? The complaint seems about analogous to saying we should not have groups because you can't REVOKE rights from an individual user if he has them via a group membership. > And overall, I'd think it would make the feature a *lot* less useful; > basically it would encourage a lot of DBAs to organize their schemas by > security level, which is not really what schemas are for. Why would this mechanism encourage that more than the other one would? regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 8: explain analyze is your friend