Objective: Customize Role objects based on specific functions. These tailored Roles come with predefined permission sets. The user list for each customized Role can be modified using the GRANT and REVOKE commands, simplifying the complex permission management process.
Note: Implement the simple permission model immediately after creating the database. If users or other data already exist, ensure the permissions associated with those objects are properly managed.
CREATE ROLE database_admin WITH createrole;CREATE ROLE database_devops;CREATE ROLE database_writer;CREATE ROLE database_reader;GRANT pg_read_all_data TO database_reader;GRANT pg_write_all_data TO database_writer;GRANT database_reader TO database_devops;GRANT database_writer TO database_devops;GRANT pg_monitor TO database_devops;-- Only admin has permission to manage rolesGRANT database_writer TO database_admin WITH admin option;GRANT database_reader TO database_admin WITH admin option;GRANT database_devops TO database_admin WITH admin option;-- Set default privilege of public schemaGRANT all ON schema public TO database_admin WITH GRANT option;GRANT all ON schema public TO database_devops;-- Admin or devops should have permission to create schemasGRANT all ON database '<current_database>' TO database_admin WITH GRANT option;GRANT all ON database '<current_database>' TO database_devops WITH GRANT option;
SELECT CAST(a.rolname AS information_schema.sql_identifier) AS grantee, CAST(b.rolname AS information_schema.sql_identifier) AS role, m.grantor, CAST(CASE WHEN m.admin_option THEN 'YES' ELSE 'NO' END AS information_schema.yes_or_no) AS grantableFROM (SELECT roleid, member, grantor, admin_option FROM pg_auth_members) m JOIN pg_authid a ON (m.member = a.oid) JOIN pg_authid b ON (m.roleid = b.oid);
Execute the following operations for each existing user: (Please replace the user in the command with the intended target user)
-- It is recommended to use the Database Owner user to execute the following command-- database_admin obtains permissions for all schemas, tables, and sequences, and can grant permissions individuallyALTER DEFAULT privileges FOR role "<user>" GRANT all ON schemas TO database_admin;ALTER DEFAULT privileges FOR role "<user>" GRANT all ON tables TO database_admin;ALTER DEFAULT privileges FOR role "<user>" GRANT all ON sequences TO database_admin;-- database_devops obtains permissions for all schemas, tables, and sequences, and can be authorized individuallyALTER DEFAULT privileges FOR role "<user>" GRANT all ON schemas TO database_devops;ALTER DEFAULT privileges FOR role "<user>" GRANT all ON tables TO database_devops;ALTER DEFAULT privileges FOR role "<user>" GRANT all ON sequences TO database_devops;-- database_admin obtains permissions for all schemas, tables, and sequences, and can grant permissions individuallyALTER DEFAULT privileges GRANT all ON schemas TO database_admin;ALTER DEFAULT privileges GRANT all ON tables TO database_admin;ALTER DEFAULT privileges GRANT all ON sequences TO database_admin;-- database_devops obtains permissions for all schemas, tables, and sequences, and can be authorized individuallyALTER DEFAULT privileges GRANT all ON schemas TO database_devops;ALTER DEFAULT privileges GRANT all ON tables TO database_devops;ALTER DEFAULT privileges GRANT all ON sequences TO database_devops;
