Re: [HACKERS] Monitoring roles patch

On Fri, Feb 24, 2017 at 5:14 AM, Dave Page <dpage@pgadmin.org> wrote:
> - Adds a default role called pg_monitor
> - Gives members of the pg_monitor role full access to:
>     pg_ls_logdir() and pg_ls_waldir()
>     pg_stat_* views and functions
>     pg_tablespace_size() and pg_database_size()
>     Contrib modules:
>         pg_buffercache,
>         pg_freespacemap,
>         pgrowlocks,
>         pg_stat_statements,
>         pgstattuple and
>         pg_visibility (but NOT pg_truncate_visibility_map() )
> - Adds a default role called pg_read_all_gucs
> - Allows members of pg_read_all_gucs to, well, read all GUCs
> - Grants pg_read_all_gucs to pg_monitor

I like the pg_read_all_gucs role, which I agree with Peter should be
called pg_read_all_settings.  I'd be inclined to skip the rest of
this.  If an individual user wants to grant that bundle of privileges
to a role, they can do it with or without pg_monitor.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company