7

I've tried using the documentation here, but it doesn't seem to help. If you can, please give me an example.

revoke select (column1, column2) on table from specific_user

hasn't worked.

Access privileges
 Schema | Name  | Type  |     Access privileges     | Column privileges | Policies 
--------+-------+-------+---------------------------+-------------------+----------
 public | users | table | himanshu=arwdDxt/himanshu+|                   | 
        |       |       | reports_user=r/himanshu   |                   | 
(1 row)
2
  • Please edit the question to include the output of \z table run in psql. Commented Jan 18, 2018 at 11:23
  • I first grant users select to reports_user, then I revoke column1 and column2 with the revoke syntax above. Despite doing that I can still access column1 and column2 from reports user. Commented Jan 18, 2018 at 12:07

2 Answers

22

The problem is that privileges in SQL are additive, and column privileges and table privileges are different.

Revoking a privilege that you didn't grant before has no effect, and granting SELECT on a table is different from granting SELECT on all columns.

You should revoke the SELECT privilege on the table and grant SELECT on all columns except the one where you want to deny access:

REVOKE SELECT ON "table" FROM specific_user;
GRANT SELECT (<all columns except "column1" and "column2">)
   ON "table" TO specific_user;

Check the result with \z "table".


2 Comments

Should I enter all column names in (<all columns except "column1" and "column2">) ? This gives a syntax error at "<" . I have over 60 columns.
Then enter 58 columns.
3

@Laurenz's answer is correct. I was however a bit confused with the syntax. Just to clarify:

I have table public.values:

+---------+---------+---------+
|    A    |    B    |    C    |
+---------+---------+---------+
| Value 1 | Value 2 | Value 3 |
+---------+---------+---------+

If user peter is supposed to see only the columns A and B, the following commands are needed:

REVOKE SELECT ON public.values FROM peter;
GRANT SELECT ("A", "B") ON public.values TO peter;
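
For the 60-column case raised in the comments, the column list for the REVOKE-then-GRANT pattern in both answers can be generated from the catalog instead of typed by hand. This is an added example, not code from either answer; it assumes PostgreSQL, the public.users table and reports_user role shown in the question's \z output, and column1 and column2 as the columns to hide.

```sql
-- Added example: assumes table public.users, role reports_user,
-- and hidden columns column1 / column2 (names taken from the question).
BEGIN;

-- A table-level SELECT covers every column, so it has to be removed first.
REVOKE SELECT ON public.users FROM reports_user;

-- Build the allowed column list from pg_attribute and grant it in one statement.
DO $$
DECLARE
    col_list text;
BEGIN
    SELECT string_agg(quote_ident(attname), ', ' ORDER BY attnum)
      INTO col_list
      FROM pg_attribute
     WHERE attrelid = 'public.users'::regclass
       AND attnum > 0                 -- skip system columns
       AND NOT attisdropped           -- skip dropped columns
       AND attname NOT IN ('column1', 'column2');

    IF col_list IS NULL THEN
        RAISE EXCEPTION 'no columns left to grant on public.users';
    END IF;

    EXECUTE format(
        'GRANT SELECT (%s) ON public.users TO reports_user', col_list);
END
$$;

COMMIT;

-- Check the effective privileges. Because privileges are additive, any
-- value that is still true here means the right arrives through another
-- grant (for example PUBLIC or a role that reports_user is a member of).
SELECT has_table_privilege('reports_user', 'public.users', 'SELECT')
           AS table_select,
       has_column_privilege('reports_user', 'public.users', 'column1', 'SELECT')
           AS column1_select,
       has_column_privilege('reports_user', 'public.users', 'column2', 'SELECT')
           AS column2_select;
```

Columns added to the table later are not covered by this grant and need their own GRANT SELECT (column) if reports_user should read them. With only column privileges in place, `SELECT *` as reports_user fails with a permission error, so queries must name the permitted columns.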
