Re: Allow GRANT/REVOKE permissions to be applied to all schema
From | Tom Lane |
---|---|
Subject | Re: Allow GRANT/REVOKE permissions to be applied to all schema |
Date | |
Msg-id | 15759.1107279250@sss.pgh.pa.us |
In response to | Re: Allow GRANT/REVOKE permissions to be applied to all schema (Josh Berkus <josh@agliodbs.com>) |
Responses | Re: Allow GRANT/REVOKE permissions to be applied to all schema; Re: Allow GRANT/REVOKE permissions to be applied to all schema |
List | pgsql-hackers |
Josh Berkus <josh@agliodbs.com> writes:
> The problem with this approach is it leaves us with no way to REVOKE
> permissions on a specific table from a user who has permissions on the
> SCHEMA. Our permissions model is completely additive, so if you did:

Why is that a problem? The complaint seems about analogous to saying we should not have groups because you can't REVOKE rights from an individual user if he has them via a group membership.

> And overall, I'd think it would make the feature a *lot* less useful;
> basically it would encourage a lot of DBAs to organize their schemas by
> security level, which is not really what schemas are for.

Why would this mechanism encourage that more than the other one would?

regards, tom lane
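
The group analogy in the message above, as an added example that is not part of the original post: a table privilege granted to a group role is unaffected by a REVOKE aimed at one member. It assumes a current PostgreSQL server and a superuser session; the role and table names (demo_readers, demo_alice, demo_payroll) are constructed for the illustration.

```sql
-- Added illustration; all object names are constructed for this example.
-- Runs inside a transaction and rolls back, so nothing is left behind.
BEGIN;

CREATE ROLE demo_readers NOLOGIN;           -- the "group"
CREATE ROLE demo_alice   NOLOGIN;           -- the individual user
GRANT demo_readers TO demo_alice;           -- membership: alice inherits the group's rights

CREATE TABLE demo_payroll (id int, salary numeric);
GRANT SELECT ON demo_payroll TO demo_readers;

-- Try to take the right away from the individual member.
-- The statement is accepted, but alice holds no direct grant to remove.
REVOKE SELECT ON demo_payroll FROM demo_alice;

-- Effective privilege check: includes rights inherited through demo_readers.
SELECT has_table_privilege('demo_alice', 'demo_payroll', 'SELECT')
       AS alice_select_after_direct_revoke;

-- Audit step: list which grantees actually carry SELECT in the table's ACL.
SELECT a.grantee::regrole AS grantee, a.privilege_type
FROM pg_class c,
     LATERAL aclexplode(c.relacl) AS a
WHERE c.relname = 'demo_payroll'
  AND a.privilege_type = 'SELECT';

-- In an additive model the access is removed at its source:
-- drop the membership (or revoke from the group), not from the member.
REVOKE demo_readers FROM demo_alice;

SELECT has_table_privilege('demo_alice', 'demo_payroll', 'SELECT')
       AS alice_select_after_membership_revoke;

ROLLBACK;
```

When reviewing who can read a table, check effective privileges with has_table_privilege rather than reading only the direct grants for that user.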