Reputation: 1127
How to allow certain groups only to create and edit but not delete (drop) tables in PostgreSQL?
I'm building an app using AWS RDS PostgreSQL.
I need to allow one group to use CREATE, INSERT INTO and UPDATE statements, but at the same time not allow them to use DROP TABLE or DROP DATABASE.
Is there a way to do this on the database layer, as I would prefer not to do it on server-side layer? Thank you.
Upvotes: 0
Views: 44
Answers (1)
Reputation: 247235
You can create one privileged user that can do all these things – let's call it creator – and a normal user luser that is used to log into the database.
creator then defines PL/pgSQL functions with SECURITY DEFINER that perform the required CREATE statements (probably using dynamic SQL with an EXECUTE statement).
Then creator runs
REVOKE EXECUTE ON FUNCTION ... FROM PUBLIC;
GRANT EXECUTE ON FUNCTION ... TO luser;
so that luser can execute the functions.
INSERT and UPDATE privileges are granted to luser inside the functions.
Documentation links:
Language PL/pgSQL to write functions in PostgreSQL
Executing dynamic statements in PL/pgSQL
CREATE FUNCTIONSQL sommandPrivileges in PostgreSQL
Upvotes: 1
Related Questions
- How to provide write permission for specific tables in PostgreSQL?
- How can I create a role with privileges to drop tables in PostgreSQL?
- Postgres (Greenplum) disallow user role to create table as themselves
- allow create table for some users, not all
- Postgres - how can I restrict the privilege to create/drop a table?
- Postgresql role with no drop table permision
- revoke create table on a user
- Postgres: Restrict user account/role ability to create database objects
- Locking down Public Group Role in PostgreSQL
- Prevent delete/update for tables by even superadmin/dba?