CODEWITHSUNDEEP
postgresqlrdsdatabase-permissionspostgresql-9.6
Hamid Mahmood
Hamid Mahmood

Reputation: 23

Restrict create table privilege to newly created users in RDS PostgreSQL 9.6

I am facing an issue while creating a readonly users in RDS PostgreSQL 9.6. I am executing the following SQL commands:

---- ###### CREATE ROLE ################
CREATE ROLE readonlyrole_dev;

-- Grant access to existing tables
GRANT USAGE ON SCHEMA public TO readonlyrole_dev;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyrole_dev;

-- set the privileges that will be applied to objects created in the future.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonlyrole_dev;



CREATE USER readonly_dev WITH PASSWORD 'welcome1';
GRANT readonlyrole_dev TO readonly_dev;

When I login with the readonly_dev user, it has privilege to create the new tables by default but I don't want to do that. I want to keep readonly_dev only a read only user.

Note: To revoke the access from the user I am executing

REVOKE CREATE ON SCHEMA public FROM PUBLIC;

which revokes create objects privilege to all old users as well. I only want to revoke create privilege from newly created user.

How can I do that?

Upvotes: 2

Views: 2005

Answers (1)

Laurenz Albe
Laurenz Albe

Reputation: 246033

You cannot do that, and it is not necessary either.

Just deny the user the CREATE permission on all schemas. You should use user groups for that - put all users who should have the privilege to create tables in a group that has the required privilege on the schema and revoke CREATE from PUBLIC.

If you insist that you must have this, try creating an event trigger that throws an exception whenever a certain user tries to create a table.

Upvotes: 1

Related Questions