Stephen Frost <sfrost@snowman.net> writes:
> This doesn't actually address the entire problem. How about
> schema-level default grants which you want to override with per-role
> default grants? Or the other way around? Is it always only more
> permissive with more defaults? Even when the grantee is the same?
Well, bear in mind that we're *only* going to allow these things
per-role, so as to avoid the problem of translating ACLs to a different
grantor. So the main case that's not being solved is "I'd like to
grant privileges XYZ everywhere except in this schema". I'm willing to
write that off as not being within the scope of a simple mechanism.
regards, tom lane