In my Postgres database, I create a role group with BYPASSRLS. I assign group to user archibald. I expect user to have BYPASSRLS. However, I find the user cannot bypass the row-level security.
I can work around it by granting BYPASSRLS to archibald directly, but I would like to manage this by group.
Code:
-- GROUP is a reserved word in PostgreSQL, so the role name must be double-quoted
create role "group" nologin bypassrls;
grant usage on schema public to "group";
grant select on all tables in schema public to "group";
create user archibald password 'password';
grant "group" to archibald;
Expected result: archibald should be able to see all rows in all tables.
Actual result: He sees nothing due to row-level security.
2 Answers
Like all other properties of a role, you cannot inherit BYPASSRLS. Only privileges and ownership on objects and membership in roles are inherited.

Strictly speaking, BYPASSRLS is a role attribute and those are not inheritable. That being said, a GRANT establishing group membership by default comes with SET option which allows the direct member to impersonate/switch to the group role and make use of the group role’s attributes:

As user postgres, you can see a=2 listed because of bypassrls. Otherwise the policy would hide it.

User archibald won’t see a=2 because bypassrls wasn’t inherited from group_ they belong to:

archibald can impersonate the group_ role and use their bypassrls to see a=2
fiddle
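The behaviour described in the answers above, as an added example that is not part of the original posts. It assumes PostgreSQL 16 or later (for the SET option and the `pg_auth_members.set_option` column) and a superuser session; table `t` and policy `hide_a2` are constructed for illustration. It also goes one step further than the answers: an audit query for memberships that reach a BYPASSRLS role through `SET ROLE`, and `WITH SET FALSE` to close that path.

```sql
-- Added example. Assumes PostgreSQL 16+ and a superuser session.
-- Table t and policy hide_a2 are constructed for illustration.
BEGIN;  -- rolled back at the end, so nothing persists

CREATE ROLE group_ NOLOGIN BYPASSRLS;
CREATE ROLE archibald LOGIN;
GRANT group_ TO archibald;            -- the SET option is enabled by default

CREATE TABLE t (a int);
INSERT INTO t VALUES (1), (2);
ALTER TABLE t ENABLE ROW LEVEL SECURITY;
CREATE POLICY hide_a2 ON t FOR SELECT USING (a <> 2);
GRANT SELECT ON t TO group_;          -- archibald inherits this privilege

-- Act as archibald: the policy applies, because BYPASSRLS is an
-- attribute of group_ and role attributes are not inherited.
SET SESSION AUTHORIZATION archibald;
SELECT current_user, a FROM t;

-- Switch to the group role: its BYPASSRLS attribute is now in effect.
SET ROLE group_;
SELECT current_user, a FROM t;

RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Audit: direct memberships that let a member SET ROLE to a BYPASSRLS role.
-- Indirect membership chains are not expanded here.
SELECT m.rolname AS member, g.rolname AS bypassrls_role,
       am.inherit_option, am.set_option
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolbypassrls AND am.set_option;

-- Keep the inherited privileges but remove the ability to switch roles;
-- re-running the audit query afterwards no longer lists archibald.
GRANT group_ TO archibald WITH SET FALSE;

ROLLBACK;
```

Because any member holding the SET option can reach the group's BYPASSRLS attribute, membership in such a role should be reviewed with the same care as a direct BYPASSRLS grant.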