On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
>
> I noticed that we don't document that you need to own the object being
> modified by SECURITY LABEL.
>
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
>
> I've attached a patch that would have answered that question (for me)
> without diving into the code.
> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
> based on object labels, rather than traditional discretionary access control
> (DAC) concepts such as users and groups.
> </para>
> +
> + <para>
> + You must own the database object to use the <command>SECURITY LABEL</command>.
> + </para>
> </refsect1>
>
> <refsect1>
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
In general, +1 for documenting that.
Yours,
Laurenz Albe
