add user creation and permissions pattern

Pablo Martin 2024-12-18 12:56:55 +01:00
parent 73cd9b2dcc
commit 6a5f6ad0ff


@ -436,6 +436,7 @@ Follow this to deploy the entire data infra.
- A user `dbt_user`, with `dwh_builder` role.
- A user `powerbi_user`, with `consumer` role.
- A user `airbyte user`, with permission to create new schemas.
- A user `billingdb_reader`, with permission to read some tables from the reporting schema.
- *Note: replace the password fields with serious passwords and note them down.*
- *Note: replace the name of the admin user*
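Review bot: the new bullet for `billingdb_reader` says the user has "permission to read some tables from the reporting schema", but nothing in the role-creation script gives it that; the `CREATE ROLE billingdb_reader` statement grants nothing, and the per-table `GRANT SELECT` statements are a separate manual step further down the section. Say so here, e.g. "with read access only to the reporting tables explicitly granted in the step below", so a reader does not expect the account to work against `reporting` right after the script runs. While this list is being edited, the neighbouring `airbyte user` entry has a space inside the role name, unlike the three other backticked names.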
@ -464,6 +465,8 @@ Follow this to deploy the entire data infra.
CREATE ROLE powerbi_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
GRANT consumer to powerbi_user;
CREATE ROLE billingdb_reader LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
CREATE ROLE modeler INHERIT;
-- You might want to create a first personal user with modeler role here
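Review bot: `CREATE ROLE billingdb_reader LOGIN PASSWORD 'password' VALID UNTIL 'infinity';` creates a never-expiring login for the one account whose scope is deliberately narrowed, which is also the one most likely to be handed to another team or system; consider a finite `VALID UNTIL`, or at least an inline comment that the credential must be rotated, rather than relying on the prose note several screens above to get the placeholder `'password'` replaced. A one-line comment after it pointing to the explicit `GRANT SELECT` step later in the section would also make clear that the absence of any `GRANT` here is intentional.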
@ -514,6 +517,17 @@ Follow this to deploy the entire data infra.
ALTER DEFAULT PRIVILEGES IN SCHEMA sync_<some-new-source> GRANT SELECT ON TABLES TO modeler;
```
- This script also doesn't specify exactly which tables should the `billingdb_reader` read from, since providing full access to the entire reporting schema would be excessive. You can specify which tables should be readable by the user like this:
```sql
-- Login as dbt_user
GRANT USAGE ON SCHEMA reporting TO billingdb_reader;
GRANT SELECT ON TABLE reporting.<some_table> TO billingdb_reader;
GRANT SELECT ON TABLE reporting. <some_other_table> TO billingdb_reader;
...
```
## 050. Web Gateway
We will deploy a dedicated VM to act as a web server for internal services.
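Review bot: the `GRANT USAGE ON SCHEMA reporting` / `GRANT SELECT ON TABLE reporting.<some_table>` statements are one-off object grants, and tables that dbt rebuilds are typically dropped and recreated on each run, which discards the grants attached to the old objects; unless these reporting tables are updated in place, `billingdb_reader` silently loses SELECT after the next `dbt run`. The text should either state that the grants have to be reapplied after every build, or recommend putting them where they persist, such as dbt's `grants` model config or a post-hook, executed as `dbt_user` as the `-- Login as dbt_user` comment already assumes (that user must own the tables for the GRANT to succeed). Smaller points: `reporting. <some_other_table>` has a stray space after the dot, inconsistent with the line above it; "which tables should the `billingdb_reader` read from" reads better as "which tables the `billingdb_reader` should read from"; and a blank line is missing between the closing fence and the `## 050. Web Gateway` heading.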