On 09.03.22 14:02, Robert Haas wrote:
On Wed, Mar 9, 2022 at 7:55 AM Peter Eisentraut
<peter.eisentr...@enterprisedb.com> wrote:
Do we have subtractive permissions today?
Not in the GRANT/REVOKE sense, I think, but you can put a user in a
group and then mention that group in pg_hba.conf. And that line might
be "reject" or whatever.
Well, you can always build an external system that looks at roles and
does nonsensical things with it. But the privilege system itself seems
to be additive only. Personally, I agree with the argument that there
should not be any subtractive permissions. The mental model where
permissions are sort of keys to doors or boxes just doesn't work for that.
