# 8.2 The Manager's Orders (Default Privileges)

![The Manager's Orders](assets/arch_access_default_privs.png)

The biggest headache in Postgres security is the "New Ledger Problem." When someone creates a new table (a new ledger in the Cafe), **they are the owner, and they are the ONLY person who has the key.**

Even if you previously granted the waiters `SELECT ON ALL TABLES IN SCHEMA public`, that grant only applied to the tables that existed *at that exact moment*. If the Chef buys a new recipe book tomorrow, the waiters will get a "Permission Denied" error if they try to read it.

## The Standing Order

To fix this, you don't grant privileges on the ledger. You give a **Standing Order** to the Elephant known as `ALTER DEFAULT PRIVILEGES`.

```sql
ALTER DEFAULT PRIVILEGES FOR ROLE cafe_manager IN SCHEMA public
GRANT SELECT ON TABLES TO cafe_waiter;
```

This tells the elephant: *"Listen closely. Every time the `cafe_manager` creates a new ledger in the public room, I want you to immediately cut a 'read' key and hand it to `cafe_waiter`."*

## The Default Privilege Gotcha

The most common mistake in Postgres security is misunderstanding the `FOR ROLE` clause. **Default privileges are tied to the CREATOR of the table, not the schema.**

If the `postgres` superuser logs in and creates a table, the `cafe_waiter` will **not** get access! Why? Because the elephant checks his notebook and says: *"I only have a standing order to cut keys when the `cafe_manager` creates a table. Nobody told me what to do when `postgres` creates a table!"*

## Reading the Standing Orders

Just like table keys are stored in `pg_class`, these Standing Orders are physically stored in the `pg_default_acl` catalog.

```sql
SELECT defaclrole::regrole, defaclnamespace::regnamespace, defaclobjtype, defaclacl
FROM pg_default_acl;

-- Literal Output:
--   defaclrole   | defaclnamespace | defaclobjtype |          defaclacl
-- ---------------+-----------------+---------------+------------------------------
--  cafe_manager  | public          | r             | {cafe_waiter=r/cafe_manager}
```

* `defaclrole` (`cafe_manager`): The person *creating* the table.
* `defaclobjtype` (`r`): The type of object (relation/table).
* `defaclacl` (`cafe_waiter=r/cafe_manager`): The key that will be automatically cut.

Whenever you get a mysterious "Permission Denied" on a new table, always check `pg_default_acl` and ask yourself: *"Who actually created this table, and do I have a standing order for them?"*

---

[[Chapter 8/8.1 - The Name Tags (Roles & Privileges)|← 8.1 - The Name Tags]] | [[Chapter 8/8.0 - The Bouncers and the VIP List|↑ 8.0 - The Bouncers]] | [[Chapter 8/8.3 - The VIP List (RLS & Security Definers)|8.3 - The VIP List →]]
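The following script, added here as an example rather than taken from the chapter, reproduces the `FOR ROLE` gotcha end to end and shows how to check it. It assumes a superuser session, that the roles `cafe_manager`, `cafe_waiter` and a second creator role `cafe_chef` (hypothetical) do not already exist, and that `public` is the target schema.

```sql
-- Added example: the standing order only covers tables created by cafe_manager.
-- Assumes a superuser session; cafe_chef is a hypothetical second creator role.
CREATE ROLE cafe_manager LOGIN;
CREATE ROLE cafe_chef LOGIN;
CREATE ROLE cafe_waiter LOGIN;
GRANT USAGE, CREATE ON SCHEMA public TO cafe_manager, cafe_chef;
GRANT USAGE ON SCHEMA public TO cafe_waiter;

-- The Standing Order from this chapter: keys are cut only for the manager's ledgers.
ALTER DEFAULT PRIVILEGES FOR ROLE cafe_manager IN SCHEMA public
    GRANT SELECT ON TABLES TO cafe_waiter;

-- Ledger created by the manager: the waiter receives a read key automatically.
SET ROLE cafe_manager;
CREATE TABLE public.orders (id int, item text);
RESET ROLE;

-- Ledger created by the chef: no standing order exists for cafe_chef.
SET ROLE cafe_chef;
CREATE TABLE public.recipes (id int, title text);
RESET ROLE;

-- Check who can read what (expected: orders -> t, recipes -> f).
SELECT c.relname,
       has_table_privilege('cafe_waiter', c.oid, 'SELECT') AS waiter_can_read
FROM pg_class AS c
WHERE c.relname IN ('orders', 'recipes');

-- Read the notebook: only one standing order, for cafe_manager.
SELECT defaclrole::regrole, defaclnamespace::regnamespace, defaclobjtype, defaclacl
FROM pg_default_acl;

-- Fix for FUTURE tables created by the chef: give the elephant a second standing order.
ALTER DEFAULT PRIVILEGES FOR ROLE cafe_chef IN SCHEMA public
    GRANT SELECT ON TABLES TO cafe_waiter;

-- Default privileges never apply retroactively: the existing recipes ledger
-- still needs a one-off key.
GRANT SELECT ON public.recipes TO cafe_waiter;
```

Re-running the `has_table_privilege` query after the last two statements returns `t` for both tables, while `pg_default_acl` now lists a row for each creator role.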