On Wed, Feb 22, 2017 at 2:18 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I think this is really *not* a good idea. The entire permissions model
> is built around granting permissions to roles, by other roles.

My bad. I shouldn't have proposed the idea on how to achieve/implement the idea.
I should instead just have presented the idea without suggesting to
use the permissions model.

Do you think it's a bad idea in general? Or is it just the idea of
using the permissions model for the purpose that is a bad idea?

If it's a good idea apart from that, then maybe we can figure out some other
more feasible way to control what functions can call what other functions?

> It's not that hard, if you have needs like this, to make an owning role
> for each such function. You might end up with a lot of single-purpose
> roles, but they could be grouped under one or a few group roles for most
> purposes beyond the individual tailored grants.

I think that approach is not very user-friendly, but maybe it can be
made more convenient if adding syntactic sugar to allow doing it all
in a single command?

Or maybe there is some other way to implement it without the permissions model.
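
The owning-role arrangement described in the quoted reply, sketched in PostgreSQL SQL as an added example that is not part of the original message. Every role, schema and function name is hypothetical, and the script assumes it is run by a superuser in a scratch database.

```sql
-- Added example: all names below are hypothetical.
BEGIN;

-- Group role that collects the single-purpose owner roles.
CREATE ROLE fn_owners NOLOGIN;
-- Single-purpose role that will own exactly one function.
CREATE ROLE transfer_fn_owner NOLOGIN IN ROLE fn_owners;
-- Ordinary application role (constructed for the example).
CREATE ROLE app_user NOLOGIN;

CREATE SCHEMA bank;
-- Shared grants go to the group role; the tailored grant below does not.
GRANT USAGE ON SCHEMA bank TO fn_owners, app_user;

-- Sensitive helper that only one other function should be able to call.
CREATE FUNCTION bank.debit_account(acct int, amount numeric)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'debit % from account %', amount, acct;
END $$;
-- Functions are executable by PUBLIC by default, so revoke that first.
REVOKE EXECUTE ON FUNCTION bank.debit_account(int, numeric) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION bank.debit_account(int, numeric) TO transfer_fn_owner;

-- Caller: SECURITY DEFINER makes it run as its owner, which holds the grant.
-- search_path is pinned so the definer context cannot be redirected.
CREATE FUNCTION bank.transfer(src int, amount numeric)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = bank, pg_temp AS $$
BEGIN
    PERFORM bank.debit_account(src, amount);
END $$;
ALTER FUNCTION bank.transfer(int, numeric) OWNER TO transfer_fn_owner;
REVOKE EXECUTE ON FUNCTION bank.transfer(int, numeric) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION bank.transfer(int, numeric) TO app_user;

-- Check both paths as the application role.
SET ROLE app_user;
SELECT bank.transfer(1, 10.00);       -- goes through the owning role
SAVEPOINT direct_call;
SELECT bank.debit_account(1, 10.00);  -- direct call: app_user holds no EXECUTE here
ROLLBACK TO SAVEPOINT direct_call;
RESET ROLE;

ROLLBACK;  -- leave the scratch database unchanged
```

The restriction is enforced on the effective role, not on the identity of the calling function, so any other SECURITY DEFINER function owned by `transfer_fn_owner` could also reach the helper; that is why the scheme needs one owning role per function.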