From 6c3ffd697e2242f5497ea4b40fffc8f6f922ff60 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfrost@snowman.net>
Date: Mon, 5 Apr 2021 13:42:52 -0400
Subject: Add pg_read_all_data and pg_write_all_data roles

A commonly requested use-case is to have a role who can run an
unfettered pg_dump without having to explicitly GRANT that user access
to all tables, schemas, et al, without that role being a superuser.
This address that by adding a "pg_read_all_data" role which implicitly
gives any member of this role SELECT rights on all tables, views and
sequences, and USAGE rights on all schemas.

As there may be cases where it's also useful to have a role who has
write access to all objects, pg_write_all_data is also introduced and
gives users implicit INSERT, UPDATE and DELETE rights on all tables,
views and sequences.

These roles can not be logged into directly but instead should be
GRANT'd to a role which is able to log in.  As noted in the
documentation, if RLS is being used then an administrator may (or may
not) wish to set BYPASSRLS on the login role which these predefined
roles are GRANT'd to.

Reviewed-by: Georgios Kokolatos
Discussion: https://postgr.es/m/20200828003023.GU29590@tamriel.snowman.net
---
 doc/src/sgml/user-manag.sgml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'doc/src')

diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index d171b13236b..fe0bdb75999 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -518,6 +518,24 @@ DROP ROLE doomed_role;
       </row>
      </thead>
      <tbody>
+      <row>
+       <entry>pg_read_all_data</entry>
+       <entry>Read all data (tables, views, sequences), as if having SELECT
+       rights on those objects, and USAGE rights on all schemas, even without
+       having it explicitly.  This role does not have the role attribute
+       <literal>BYPASSRLS</literal> set.  If RLS is being used, an administrator
+       may wish to set <literal>BYPASSRLS</literal> on roles which this role is
+       GRANTed to.</entry>
+      </row>
+      <row>
+       <entry>pg_write_all_data</entry>
+       <entry>Write all data (tables, views, sequences), as if having INSERT,
+       UPDATE, and DELETE rights on those objects, and USAGE rights on all
+       schemas, even without having it explicitly.  This role does not have the
+       role attribute <literal>BYPASSRLS</literal> set.  If RLS is being used,
+       an administrator may wish to set <literal>BYPASSRLS</literal> on roles
+       which this role is GRANTed to.</entry>
+      </row>
       <row>
        <entry>pg_read_all_settings</entry>
        <entry>Read all configuration variables, even those normally visible only to
-- 
cgit v1.2.3