On 09.03.22 14:02, Robert Haas wrote:
> On Wed, Mar 9, 2022 at 7:55 AM Peter Eisentraut
> <peter.eisentraut@enterprisedb.com> wrote:
>> Do we have subtractive permissions today?
>
> Not in the GRANT/REVOKE sense, I think, but you can put a user in a
> group and then mention that group in pg_hba.conf. And that line might
> be "reject" or whatever.

Well, you can always build an external system that looks at roles and
does nonsensical things with it. But the privilege system itself seems
to be additive only. Personally, I agree with the argument that there
should not be any subtractive permissions. The mental model where
permissions are sort of keys to doors or boxes just doesn't work for that.