On Wed, Jul 10, 2024 at 05:13:58PM +0900, Fujii Masao wrote:
> However, unlike the database owner, pg_maintain by definition should
> have *all* the rights needed for maintenance tasks, including MAINTAIN
> rights on tables and USAGE rights on schemas? ISTM that both
> pg_read_all_data and pg_write_all_data roles are defined similarly,
> with USAGE rights on all schemas. So, granting USAGE rights to
> pg_maintain, but not the database owner, doesn't seem so odd to me.

It doesn't seem so odd to me, either. But there are other things that could prevent a role with privileges of pg_maintain from being able to VACUUM a table. For example, the role might not have LOGIN, or it might not have CONNECT on the database. I think the argument for giving pg_maintain roles implicit USAGE on all schemas for only maintenance commands is that we already do that in some cases (e.g., a database-wide VACUUM).

> I'd like to hear more opinions about this.

+1

--
nathan