Using this command, it is possible to either add privileges or restrict
- one's privileges. If the session user role has the INHERIT
- attribute, then it automatically has all the privileges of every role that
- it could SET ROLE to; in this case SET ROLE
- effectively drops all the privileges assigned directly to the session user
- and to the other roles it is a member of, leaving only the privileges
- available to the named role. On the other hand, if the session user role
- has the NOINHERIT attribute, SET ROLE drops the
- privileges assigned directly to the session user and instead acquires the
- privileges available to the named role.
+ one's privileges. If the session user role has been granted memberships
+ WITH INHERIT TRUE, it automatically has all the
+ privileges of every such role. In this case, SET ROLE
+ effectively drops all the privileges except for those which the target role
+ directly possesses or inherits. On the other hand, if the session user role
+ has been granted memberships WITH INHERIT FALSE, the
+ privileges of the granted roles can't be accessed by default. However, the
+ session user can use SET ROLE to drop the privileges
+ assigned directly to the session user and instead acquire the privileges
+ available to the named role.
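Review bot: the rewritten paragraph (L11-L20) keeps a two-branch structure that reads as if a session user is entirely one kind or the other, but once inheritance is a per-grant option a single role can hold some memberships WITH INHERIT TRUE and others WITH INHERIT FALSE at the same time, and the text never says what happens then. Suggest describing it per membership rather than per session user, e.g. "Privileges of roles whose membership was granted WITH INHERIT TRUE are available without SET ROLE; privileges of roles whose membership was granted WITH INHERIT FALSE are only available after SET ROLE to that role." Both branches also end by stating the same thing about SET ROLE (the session ends up with exactly the privileges the named role possesses directly or inherits), so that sentence could be stated once, after the inheritance explanation, instead of in each branch.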
inheritance of privilegesroleprivilege to inherit
- A role is given permission to inherit the privileges of roles it is a
- member of, by default. However, to create a role without the permission,
- use CREATE ROLE name NOINHERIT.
+ A role inherits the privileges of roles it is a member of, by default.
+ However, to create a role which does not inherit privileges by
+ default, use CREATE ROLE name
+ NOINHERIT. Alternatively, inheritance can be overriden
+ for individual grants by using WITH INHERIT TRUE
+ or WITH INHERIT FALSE.
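Review bot: typo on L28, "overriden" should be "overridden". It would also help to say explicitly that a role's INHERIT or NOINHERIT attribute now only supplies the default for grants that do not specify WITH INHERIT; "does not inherit privileges by default" on L26-L27 implies this but leaves the reader to infer how the attribute and the per-grant option on L28-L30 relate, e.g. "The role's INHERIT attribute determines the default when a grant does not specify WITH INHERIT."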
database session has access to the privileges of the group role rather
than the original login role, and any database objects created are
considered owned by the group role not the login role. Second, member
- roles that have the INHERIT attribute automatically have use
- of the privileges of roles of which they are members, including any
+ roles that have the been granted membership with the
+ INHERIT option automatically have use
+ of the privileges of those roles, including any
privileges inherited by those roles.
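Review bot: L36 contains a stray word, "roles that have the been granted membership" should read "roles that have been granted membership". The other hunks in this change spell the option WITH INHERIT TRUE / WITH INHERIT FALSE, while L37 says "the INHERIT option"; using the same spelling here would make it clear that this is the grant-level clause and not the role attribute of the same name.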
As an example, suppose we have done:
-CREATE ROLE joe LOGIN INHERIT;
-CREATE ROLE admin NOINHERIT;
-CREATE ROLE wheel NOINHERIT;
-GRANT admin TO joe;
-GRANT wheel TO admin;
+CREATE ROLE joe LOGIN;
+CREATE ROLE admin;
+CREATE ROLE wheel;
+GRANT admin TO joe WITH INHERIT TRUE;
+GRANT wheel TO admin WITH INHERIT FALSE;
Immediately after connecting as role joe, a database
session will have use of privileges granted directly to joe
inherits
admin's privileges. However, privileges
granted to wheel are not available, because even though
joe is indirectly a member of wheel, the
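Review bot: the WITH INHERIT TRUE on L49 is redundant with the default, since a role created without NOINHERIT inherits by default per the CREATE ROLE text in this same change, so a reader of the example may conclude the clause is required to get inheritance at all. Either drop it, so the example shows that only the non-inheriting grant on L50 needs to be spelled out, or add a sentence to the surrounding text saying it is written out for emphasis. The explanation on L51-L56 holds either way: joe gets admin's privileges because the grant on L49 inherits, and wheel's privileges do not reach joe because the grant on L50 does not.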
- membership is via admin which has the NOINHERIT
- attribute. After:
+ membership is via admin which was granted using
+ WITH INHERIT FALSE. After:
SET ROLE admin;
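Review bot: L59-L60 attach WITH INHERIT FALSE to the wrong grant as written. "admin which was granted using WITH INHERIT FALSE" reads as if the grant of admin to joe were non-inheriting, but L49 grants admin to joe WITH INHERIT TRUE; it is admin's membership in wheel on L50 that was granted WITH INHERIT FALSE. Suggest: "the membership is via admin, and admin's membership in wheel was granted WITH INHERIT FALSE." That also makes the following SET ROLE admin example easier to follow, since it is the same non-inheriting grant that keeps wheel's privileges out of reach after the switch.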