Re: Permissions not removed when group dropped

On Fri, May 13, 2005 at 03:43:54PM -0500, Harris, Richard wrote:

Hi,

> I'm using PostgreSQL 8.0. I created a group called grpA and granted grpA
> 'SELECT' permission on view viewA. When I dropped grpA and created group
> grpB, group grpB 'automatically' has SELECT permission to viewA. After
> dropping a group with permission to a view, I see that the permission
> stored in the relacl field fo pg_class is changed from the group name to
> the sysid of the dropped group. When a new group is created, it gets a
> sysid that is one greater than the largest of the sysid (e.g., the sysid
> of the last group dropped).  Thus the new group may 'inherit' the
> permissions of a dropped group.
>
> I have not found this behavior documented any where. Is this behavior
> intended? What do I need to do so that when I drop a group all the
> permissions of the group are also 'dropped' (i.e., cleared from the
> relacl field)?

This is a known limitation.  You have to remove the group from all ACLs
before dropping the group; OTOH you can specify a SYSID when creating a
group.

We are working on it, and hopefully in 8.1 you will be told where the
user/group is referenced if you try to drop it.  Automatically deleting
the references from all ACLs has not been discussed but it's a possible
outcome of the implementation.

--
Alvaro Herrera (<alvherre[a]surnet.cl>)
"And as an added bonus, now my computer goes to the toilet for me, leaving me
free to spend time on more useful activities! yay slug codefests!" (C. Parker)