Greetings, * Isaac Morland (isaac.morl...@gmail.com) wrote: > On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfr...@snowman.net> wrote: > > This would simply REVOKE that role from the user. Privileges > > independently GRANT'd directly to the user wouldn't be affected. Nor > > would other role membership. > > > > > What privileges would the user be left with? Would it be possible to end > > up in the same privilege only with a GRANT command? > > What about: > > REVOKE SELECT ON [table] FROM pg_read_all_data;
Wouldn't have any effect, and I think that's correct. > I guess what I’m really asking is whether pg_read_all_data is automatically > granted SELECT on all newly-created relations, or if the permission > checking system always returns TRUE when asked if pg_read_all_data can > select from a relation? I’m guessing it’s the latter so that it would be > ineffective to revoke select privilege as I think this is more useful, but > I’d like to be sure and the documentation should be explicit on this point. Yes, it's the latter. I'm not really sure about the documentation change you're contemplating- have a specific suggestion? Thanks, Stephen
signature.asc
Description: PGP signature
