* Jim Nasby (decibel@decibel.org) wrote:
> On Jan 23, 2007, at 12:07 PM, Stephen Frost wrote:
> >Hmm. While I agree with the sentiment, Unix does provide for setgid
> >such that objects inherit a specific group on creation. Using
> >roles we
> >don't get that distinction so I don't think comparing it to Unix is a
> >slam-dunk. There do need to be limitations here though, certainly. A
> >couple options, in order of my preference:
>
> Is there a use-case for per-schema default ownership? I can't really
> think of one...

Sure, all the objects in a given schema should be owned by a role which
all the admins of that schema are members of. I really see this as a
sensible step from ACLs since ownership implies additional permissions
(which can't otherwise be granted, otherwise it wouldn't matter so much).

We do this quite a bit and it's annoying when someone forgets to change
the ownership of something they created. Since we do this largely on a
per-schmea basis (and different schemas have different admin groups,
which can overlap) getting people to remember to 'set role' doesn't seem
likely to practically improve things much. I've considered writing a
cron job to periodically fix all the ownerships and permissions but then
having actual exceptions becomes a pain.

Thanks,

Stephen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFt2oyrzgMPqB3kigRAuASAJ9Qi7nt7jdFGpfbKDzjcS uAXLckHACeITt7
7606RRZToKCYVFMHqqCKsNE=
=yHzI
-----END PGP SIGNATURE-----