Why don't you create another role?
How is that going to block the privs granted in role_a and inherited by role_b?
I believe the suggestion would be that rather than revoking privileges from role_b, you should create a new role role_c and then grant privileges on tables a & c to role_c.
You cannot revoke privileges from a role that are not granted directly to the role. So you can't have role_b have a subset of the privileges granted to role_a by granting the role and revoking individual privileges. You would need to create a new role (role_c) that has the subset of privileges you want to grant and grant that new role_c to role_b. You could also, of course, just grant role_b privileges on tables a & c directly rather than granting it role_a.
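The role layout described in this answer, as an added example that is not part of the original thread. It is Oracle SQL; the schema name `app`, the `SELECT` privilege, and table `b` as the one role_b should not see are assumptions made for illustration.

```sql
-- Assumed starting point: schema APP owns tables A, B and C.
CREATE ROLE role_a;
GRANT SELECT ON app.a TO role_a;
GRANT SELECT ON app.b TO role_a;
GRANT SELECT ON app.c TO role_a;

CREATE ROLE role_b;
GRANT role_a TO role_b;            -- role_b inherits SELECT on a, b and c

-- This is rejected: SELECT on app.b was granted to role_a, not directly
-- to role_b, so there is no grant on role_b to revoke.
REVOKE SELECT ON app.b FROM role_b;

-- Option 1: a new role holding only the subset, granted in place of role_a.
REVOKE role_a FROM role_b;         -- otherwise role_b still inherits app.b
CREATE ROLE role_c;
GRANT SELECT ON app.a TO role_c;
GRANT SELECT ON app.c TO role_c;
GRANT role_c TO role_b;

-- Option 2 (instead of role_c): grant the tables to role_b directly.
-- GRANT SELECT ON app.a TO role_b;
-- GRANT SELECT ON app.c TO role_b;

-- Check: every object privilege role_b holds, directly or through nested
-- roles, with the role that actually carries the grant. After the change
-- above, app.b must not appear in the result.
SELECT p.grantee AS carried_by, p.owner, p.table_name, p.privilege
FROM   dba_tab_privs p
WHERE  p.grantee IN (
         SELECT 'ROLE_B' FROM dual
         UNION ALL
         SELECT granted_role
         FROM   dba_role_privs
         START WITH grantee = 'ROLE_B'
         CONNECT BY PRIOR granted_role = grantee
       )
ORDER  BY p.owner, p.table_name, p.privilege;
```

Running the final query before and after a change to a layered role design shows which level of the hierarchy contributes each privilege.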
Okay, I'll need to assign the table privs to each individual role and not rely on the lower roles' privs.
I was building layers of roles and it was working until I came across a table where the third level role didn't need the privs from the level 2 role.
Thanks for the help.