Re: "default deny" for roles

On 08/28/2012 09:09 PM, Craig Ringer wrote:
> On 08/29/2012 01:25 AM, David Fetter wrote:
>> Folks,
>>
>> There are situations where a "default deny" policy is the best fit.
>>
>> To that end, I have a modest proposal:
>>
>>      REVOKE PUBLIC FROM role;
>>
>> Thenceforth, the role in question would only have access to things it
>> was specifically granted.
>
> Wouldn't that render the user utterly unable to do anything until you 
> added a bunch of GRANTs on the system catalogs for that user or a 
> group they're a member of?


No.

Try it and see. You can do a lot without having any access rights at all 
to the catalog tables.

cheers

andrew