Re: Default permissisons from schemas

* Jim Nasby (decibel@decibel.org) wrote:
> On Jan 23, 2007, at 12:07 PM, Stephen Frost wrote:
> >Hmm.  While I agree with the sentiment, Unix does provide for setgid
> >such that objects inherit a specific group on creation.  Using
> >roles we
> >don't get that distinction so I don't think comparing it to Unix is a
> >slam-dunk.  There do need to be limitations here though, certainly.  A
> >couple options, in order of my preference:
>
> Is there a use-case for per-schema default ownership? I can't really
> think of one...

Sure, all the objects in a given schema should be owned by a role which
all the admins of that schema are members of.  I really see this as a
sensible step from ACLs since ownership implies additional permissions
(which can't otherwise be granted, otherwise it wouldn't matter so much).

We do this quite a bit and it's annoying when someone forgets to change
the ownership of something they created.  Since we do this largely on a
per-schmea basis (and different schemas have different admin groups,
which can overlap) getting people to remember to 'set role' doesn't seem
likely to practically improve things much.  I've considered writing a
cron job to periodically fix all the ownerships and permissions but then
having actual exceptions becomes a pain.
Thanks,
    Stephen