From 7bc18694aca92b13a39c88203da2868a5fb8d1a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Els=C5=91=20Andr=C3=A1s?=
Date: Wed, 10 Dec 2025 18:00:36 +0100
Subject: [PATCH] Grant schema privileges
---
 tasks/users_privileges.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/tasks/users_privileges.yml b/tasks/users_privileges.yml
index a3e1b1ab..8265942b 100644
--- a/tasks/users_privileges.yml
+++ b/tasks/users_privileges.yml
@@ -20,5 +20,24 @@
 login_port: "{{ postgresql_port }}"
 become: yes
 become_user: "{{ postgresql_admin_user }}"
- loop: "{{ postgresql_user_privileges | default([]) }}"
+ loop: "{{ postgresql_user_privileges | default([]) | rejectattr('schema', 'defined') }}"
+ when: (postgresql_user_privileges | default([])) | length > 0
+
+# Grant schema-level privileges
+- name: PostgreSQL | Grant schema privileges
+ community.postgresql.postgresql_privs:
+ type: schema
+ objs: "{{ item.schema }}"
+ login_db: "{{ item.db }}" # database to grant on
+ roles: "{{ item.name }}" # role receiving privileges
+ privs: "{{ item.privs | default('ALL') }}"
+ grant_option: "{{ item.grant_option | default(omit) }}"
+ state: present
+ login_user: "{{ postgresql_admin_user }}"
+ login_password: "{{ postgresql_admin_password | default(omit) }}"
+ login_host: "{{ item.host | default(omit) }}"
+ login_port: "{{ postgresql_port }}"
+ become: yes
+ become_user: "{{ postgresql_admin_user }}"
+ loop: "{{ postgresql_user_privileges | default([]) | selectattr('schema', 'defined') }}"
 when: (postgresql_user_privileges | default([])) | length > 0
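Review bot: The new schema task falls back to `ALL` when an entry omits `privs` (`privs: "{{ item.privs | default('ALL') }}"`), and on a schema `ALL` includes `CREATE`, so a role listed with only `schema` set ends up able to create objects there without that ever being requested. I would default to the narrower privilege, `privs: "{{ item.privs | default('USAGE') }}"`, or drop the default so that a missing `privs` fails the task. Separately, `rejectattr('schema', 'defined')` on the first loop means any existing entry that already carries a `schema` key now skips that task entirely. The first task's body starts above the hunk, so whether it used `item.schema` cannot be checked from here, but it is worth confirming before merge.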