Re: Separate DDL and SQL users

Rob Emery schrieb am 11.03.2016 um 12:18:
> So we're looking at automating our migrations against PG for the
> developers so that it's simple enough for them and no maintenance for
> me. I'm struggling to find a role/permissions structure that works;
> we've come from SQL Server so we're used to having DBRoles.
>
> So I want the re_migration role to be able to create tables,
> sequences etc and grant to other users etc; yet I want the
> live_application role to be able to select,insert,update,delete.
>
> It seems that the only real solution here is to have the db owned by
> re_migration, then in every migration GRANT
> SELECT,INSERT,UPDATE,DELETE to the live_application role?

You can set default privileges for a schema:
http://www.postgresql.org/docs/current/static/sql-alterdefaultprivileges.html

If you do that, every object that is created in the schema is automatically assigned those default privileges.

So you only need to do do once, after you create a new schema, e.g.

as re_migration do:

  create schema dbo;
  grant usage on dbo to life_application;
  alter default privileges in schema dbo grant select,insert,update,delete on tables to live_application;
  alter default privileges in schema dbo grant usage,select,update on sequences to live_application;

Of course the re_migration role needs to have the privileges to create a schema.

Thomas