To add to the idea: shouldn't the whole concept of granting permissions be dropped from the SF when using Indicium? The Pool User is db_owner as per the Thinkwise documentation, so I don't see a reason to explicitly grant additional rights as part of deployments.

• Current behavior is unnecessarily risky from a least-privileged access perspective
• Current behavior of granting additional permissions to public is not in line with security best practice recommendations
• Current behavior basically makes it impossible to grant read-only rights to a Thinkwise database

I understand that the current behavior might still be useful for clients who don't use Indicium as service layer (yet), but could we in the meantime please have a way to turn this behavior OFF by Default (i.e. introduce a setting in the SF ASAP)?

FYI: we fixed this ourselves by adding a MANUAL stored procedure.

A new tag has been introduced to modify whether a grant .. on .. public will be added at the end of procedures such as creating tables or stored procedures. This line affects database authorization for functionality and upgrades.

When you add the tag NO_GRANT_TO_PUBLIC to a specific project, this line will no longer be added to any procedure within the context of the project. Note that you need to generate the project's definition after adding the tag.

You can add the tag to the Software Factory's Advanced menu > Projects > tab Project tags. If added here, it will be applied to your entire project.