Access rights management is left to the administrator by way of self-written SQL commands, as is the creation of database users.
This page gives some basic guidelines on how to manage a database with multiple users in a typical scenario:
users
table. It is not mandatory, but skipping this step will prevent the user interface to trace who does what.
Here is a skeleton of an SQL script that grants all rights to the mailusers
group. The administrator can use this as a starting point and remove specific access rights to particular groups of users.
-- Tables GRANT SELECT,INSERT,UPDATE,DELETE ON addresses, attachment_contents, attachments, body, config, files, filter_action, filter_expr, filter_log, forward_addresses, global_notepad, header, identities, import_mbox, import_message, inverted_word_index, jobs_queue, mail, mail_addresses, mail_status, mail_tags, mail_template, mailing_data, mailing_definition, mailing_run, mime_types, non_indexable_words, notes, programs, raw_mail, runtime_info, tags, tags_words, user_queries, users, words TO mailusers; -- Sequences GRANT SELECT,UPDATE ON seq_addr_id, seq_mail_id, seq_tag_id, seq_thread_id,seq_attachment_id,import_mbox_import_id_seq, mailing_data_mailing_data_id_seq, mailing_definition_mailing_id_seq TO mailusers;
Special care must be taken with functions since the execute privilege is granted to PUBLIC (every user) by default. In order to restrict the rights to use functions, the administrator should first revoke that privilege:
REVOKE EXECUTE ON FUNCTION trash_msg(INT, INT), trash_msg_set(INT[], INT), untrash_msg(INT, INT), delete_msg(INT), delete_msg_set(INT[]) FROM public;
It is especially interesting to remove the right to call delete_msg() on all or specific users to prevent accidental deletion of messages when the local policy it to never delete any mail.