I was checking pg_roles.acl_default to see if my role-level ALTER DEFAULT PRIVILEGES had been effective. But I see the same content both before and after the ALTEr.
You mention that this needs to be done in each database. Is there a database-level version of pg_roles.acl_default that I should be checking instead?
Thanks,
Mike Tefft
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Friday, July 5, 2024 10:51 AM
To: Tefft, Michael J <Michael.J.Tefft@snapon.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Removing the default grant of EXECUTE on functions/procedures to PUBLIC
"Tefft, Michael J" <Michael. J. Tefft@ snapon. com> writes: > I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC. >> From my reading, there is no straightforward way to do this. For example,
"Tefft, Michael J" <Michael.J.Tefft@snapon.com> writes:
> I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC.
>> From my reading, there is no straightforward way to do this. For example,
> ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
> Does not apply this across the entire cluster (or database) but only applies to the role who issued it (and objects yet to be created by that role) .
> So I am arriving at the conclusion that I need to alter the default privileges for every existing role (which I expected), and ensure that default privileges are altered for every new role that is created going forward.
> Have I analyzed this correctly?
You'll also need to repeat the ALTERs in each database of your
installation.
regards, tom lane