Schema and database level access permissions

[danielrosehill]

Final feature request:

From a usability standpoint, it would be really helpful if admins were able to do any of the following (in order of increasing utility):

1 - Limit users to an individual database (but inherit all permissions within that DB)

2: Limit users to particular schema(s) within one or more databases

3: Inherit role permissions from the databases themselves and map those onto corresponding usernames thereby creating users in Mathesar whose database permissions corresponded to the permissions they hold on the database(s) themselves

[seancolsen]

Thanks for this, @danielrosehill. And I hope this is actually not your "final" feature request 🙂. Please keep these ideas coming — they're very helpful!

Coincidentally we're currently hard at work in redesigning Mathesar's permission system to be much more closely aligned with the functionality natively available in PostgreSQL.

I'll let @pavish say more about this since he's basically spearheading the effort.

For now I'm categorizing this beta milestone since it sounds like we're likely to be heading in a direction that will satisfy these requirements of yours.

I've added the needs: clarification label because my hope is that @danielrosehill and @pavish will discuss this to the point where our rough plan for the new permissions system will be clear and agreeable to @danielrosehill. Assuming we get to that point with this discussion, I would be inclined to potentially close this issue because that permissions work is tracked elsewhere (though not strictly in issues since it's such a large project). Alternatively if our plans seem to fall short of addressing @danielrosehill's needs, then we could leave this issue open and transform it into more specific requirements to potentially be addressed later.

[pavish]

@danielrosehill

Our current permissions system has options to configure both (1) and (2). Please refer to our Users & Access Levels documentation.

We're currently working on revamping the system to make use of postgres roles directly and provide a set of managed roles/templates, which would satisfy all 3 of your points. We expect to have in our beta release.

I'm curious to hear more about your use case: how & why you're using Mathesar, who the regular users are, what problems we're solving, any specific workflows you have, and your preferred way of configuring permissions. This will immensely help us with our product direction and the redesigning of our permission system.