Stop granting direct permissions to tables for reporting

hypothesis · Jul 6, 2023 · 469bdc6 · 469bdc6
1 parent 0b58898
commit 469bdc6
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/lms/data_tasks/report/create_from_scratch/99_grant_permissions/01_grant_schema.jinja2.sql b/lms/data_tasks/report/create_from_scratch/99_grant_permissions/01_grant_schema.jinja2.sql
@@ -1,19 +1,17 @@
 -- The public schema already exists but we need to grant usage to the user we
 -- will map via FDW.
 
+{% for fdw_user in fdw_users %}
+    -- Once this has been run once, it can be removed
+    REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{fdw_user}}";
+{% endfor %}
+
 {% for fdw_user in fdw_users %}
     -- Permissions exist independently of the schema, so dropping the schema
     -- does not revoke permissions. We need to remove the existing permissions
     -- otherwise removing something the list below does not remove the
     -- permission.
-    REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{fdw_user}}";
 
-    GRANT USAGE ON SCHEMA public TO "{{fdw_user}}";
-
-    GRANT SELECT ON public.organization TO "{{fdw_user}}";
-{% endfor %}
-
-{% for fdw_user in fdw_users %}
     REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA report FROM "{{fdw_user}}";
 
     GRANT USAGE ON SCHEMA report TO "{{fdw_user}}";