Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-sql-owner+archive@lists.postgresql.org>)
	id 1tzcNT-004Kj7-Kr
	for pgsql-sql@arkaria.postgresql.org; Tue, 01 Apr 2025 14:14:07 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-sql-owner+archive@lists.postgresql.org>)
	id 1tzcNS-002xAH-4Q
	for pgsql-sql@arkaria.postgresql.org; Tue, 01 Apr 2025 14:14:06 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1tzcNR-002xA9-Qs
	for pgsql-sql@lists.postgresql.org; Tue, 01 Apr 2025 14:14:05 +0000
Received: from sss.pgh.pa.us ([68.162.161.243])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1tzcNP-002M8V-2v
	for pgsql-sql@lists.postgresql.org;
	Tue, 01 Apr 2025 14:14:04 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 531EDnWJ346228;
	Tue, 1 Apr 2025 10:13:49 -0400
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Ing. Marijo Kristo" <marijo.kristo@icloud.com>
cc: pgsql-sql@lists.postgresql.org
Subject: Re: Revoke Connect Privilege from Database not working
In-reply-to: <6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com>
References: <18873-c148b32c0e501cc0@postgresql.org>
 <6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com>
Comments: In-reply-to "Ing. Marijo Kristo" <marijo.kristo@icloud.com>
	message dated "Mon, 31 Mar 2025 17:26:13 +0200"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <346226.1743516829.1@sss.pgh.pa.us>
Date: Tue, 01 Apr 2025 10:13:49 -0400
Message-ID: <346227.1743516829@sss.pgh.pa.us>
List-Id: <pgsql-sql.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-sql@lists.postgresql.org>
List-Owner: <mailto:pgsql-sql-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-sql>
Archived-At: 
 <https://www.postgresql.org/message-id/346227.1743516829%40sss.pgh.pa.us>
Precedence: bulk

"Ing. Marijo Kristo" <marijo.kristo@icloud.com> writes:
>> Removing the connect privilege with the Postgres Superuser and with the
>> Vault Admin user does not work.
>> postgres=# revoke connect on database "disp_db" from
>> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
>> REVOKE

REVOKE is not being as helpful as it could be here, perhaps:
it is failing to tell you that it's a no-op because there
is no such privilege.  You never granted connect on disp_db
to that user so you can't revoke it either.

The privilege that exists by default, per [1], is that
database connect privileges are granted to PUBLIC (the
pseudo-group of all users).  If that's not what you want,
you have to do

revoke connect on database "disp_db" from public;

and then grant it out again to the users who should have it.

			regards, tom lane

[1] https://www.postgresql.org/docs/current/ddl-priv.html