On Mon, Aug 14, 2023 at 8:20 AM Ron Watkins <rwatki@gmail.com> wrote:
GRANT "RO_Role" to <users>;
GRANT SELECT ON TABLE <tablename> TO "RO_Role";
GRANT EXECUTE ON FUNCTION <functions> TO "RO_ROLE";
On one server, this seems to have limited the users ability to write to tables, but on the other server it didn't work, they can still write to tables.
Then the other server has permissions being granted to those users roles that the first one doesn't. Fix that.
As for the functions, they can still create. Not sure how to prevent this from happening.
Suggestions?
You seem to be missing default privileges for the PUBLIC group - in particular I suspect you are seeing the ability to create stuff on the public schema by PUBLIC. If you revoke that you should be good.
Every role is read-only (in the sense of being unable to modify schema directly) by default, aside from whatever it inherits from PUBLIC and any other default privileges you may have setup. If you are able to do something you shouldn't, you need to figure out where that privilege is coming from and either remove it or remove the membership (you cannot remove membership in PUBLIC).