Tom,
> From what I recall of prior discussions, there is rough consensus that
> the two types of facilities you mentioned (setting up default ACLs to be
> applied at creation of objects created later, and providing a way to
> change multiple objects' permissions with one GRANT) are desirable,
> though there is plenty of argument about the details. Neither of these
> result in creating any new sources of permissions --- a given object's
> ACL is still the whole truth.
yeah, that's why I've been working on that approach. It doesn't
simplify things as much as some DBAs might want, but it's the most
side-effect-free approach.
--
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com