PostgreSQL – Group Permissions Not Inheriting to Table Level

permissionspostgresqlroleSecurity

I am moving to a group role from a lot of individual users and have one table that needs to have permissions SELECT, INSERT only.

Lets say I have:

user1
user2
newgroup

Both of the users are in the group and both users have INHERIT as well as the Group has INHERIT on it.

I have added

GRANT USAGE ON SCHEMA testschema TO newgroup;
GRANT user1 to newgroup;
GRANT user2 to newgroup;

as well as

GRANT SELECT, INSERT ON testschema.testtable TO newgroup;

When I log in as one of the new users, I do not have permission to that table(ex: testschema.testtable)

I look at the PSQL \z and see for that table newgroup has ar permissions.

I am getting permission denied for relation testschema.testtable. I do not want to create more of a mess by individually putting permissions on the table (it works if I do that currently).

Best Answer

The simple test:

postgres=# create schema foo;
CREATE SCHEMA
postgres=# create table foo.t(x int);
CREATE TABLE
postgres=# create role foomaster nosuperuser nologin inherit;
CREATE ROLE
postgres=# create role fooslave password '111' login inherit in role foomaster;
CREATE ROLE
postgres=# grant usage on schema foo to foomaster;
GRANT
postgres=# set role fooslave;
SET
postgres=> select * from foo.t;
ERROR:  permission denied for relation t
postgres=> set role postgres;
SET
postgres=# grant select on foo.t to foomaster;
GRANT
postgres=# set role fooslave;
SET
postgres=> select * from foo.t;
 x 
---
(0 rows)

It seems that you are doing something wrong.

Upd: About newely created table:

postgres=> set role postgres;
SET
postgres=# create table foo.tt(xx int);
CREATE TABLE
postgres=# set role fooslave;
SET
postgres=> select * from foo.tt;
ERROR:  permission denied for relation tt
postgres=> set role postgres;
SET
postgres=# grant select on foo.tt to foomaster;
GRANT
postgres=# set role fooslave;
SET
postgres=> select * from  foo.tt;
 xx 
----
(0 rows)

PPS: Hope that my investigations was helpful at least for somebody.

Related Solutions

When creating views, why do users need direct object permissions if they already have the same permissions via a role

While you may have a lot of users, it would be unusual for them to require their own views. The views should be in one schema (possibly the one owning the tables) and the users should query them by either prefixing the schemaname (eg vwowner.view) or using the

ALTER SESSION SET_CURRENT_SCHEMA=vwowner

Roles are transient. You can do a SET ROLE NONE to turn them all off. You can have multiple sessions for the same account with different roles enabled. That isn't compatible with the way that Oracle handles objects (where they are either valid or they are not; they can't be valid for some sessions and not for others).

Postgresql – Table Permissions Sanity Check: GRANT not working

Ok, so my broader question still stands (and will likely build that out in its own forum post) but for now, I'll answer the immediate problem here.

My GRANT query was syntactically incorrect and that was producing the error.

My query:

GRANT SELECT,INSERT,UPDATE,DELETE ON "schema1.new_table_name" TO "role1";

Should really be:

GRANT SELECT,INSERT,UPDATE,DELETE ON "schema1"."new_table_name" TO "role1";

(I was missing closing Quote marks after the schema name, and opening quote marks before the table name)

Best Answer

Related Solutions

When creating views, why do users need direct object permissions if they already have the same permissions via a role

Postgresql – Table Permissions Sanity Check: GRANT not working

Related Question