From eb251f000074ee10eff5cbd30ca9ee038a01b6f3 Mon Sep 17 00:00:00 2001 From: Laurenz Albe Date: Mon, 6 Nov 2023 21:44:23 +0100 Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation Rewrite the documentation to emphasize two aspects that were previously missing, which frequently confused users: - you cannot inherit altered default privileges - you cannot alter the default privileges for any creating role by omitting FOR ROLE Author: Bruce Momjian, Laurenz Albe Reviewed-by: Michael Banck Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com --- .../sgml/ref/alter_default_privileges.sgml | 52 ++++++++++++------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml index f1d54f5aa3..7fab707a0d 100644 --- a/doc/src/sgml/ref/alter_default_privileges.sgml +++ b/doc/src/sgml/ref/alter_default_privileges.sgml 
@@ -90,34 +90,47 @@ REVOKE [ GRANT OPTION FOR ] ALTER DEFAULT PRIVILEGES allows you to set the privileges that will be applied to objects created in the future. (It does not - affect privileges assigned to already-existing objects.) Currently, - only the privileges for schemas, tables (including views and foreign - tables), sequences, functions, and types (including domains) can be - altered. For this command, functions include aggregates and procedures. - The words FUNCTIONS and ROUTINES are - equivalent in this command. (ROUTINES is preferred - going forward as the standard term for functions and procedures taken - together. In earlier PostgreSQL releases, only the - word FUNCTIONS was allowed. It is not possible to set - default privileges for functions and procedures separately.) - - - - You can change default privileges only for objects that will be created by - yourself or by roles that you are a member of. The privileges can be set - globally (i.e., for all objects created in the current database), - or just for objects created in specified schemas. + affect privileges assigned to already-existing objects.) Privileges can be + set globally (i.e., for all objects created in the current database), or + just for objects created in specified schemas. As explained in , the default privileges for any object type normally grant all grantable permissions to the object owner, and may grant some privileges to PUBLIC as well. However, this behavior can be changed by altering the global default privileges with ALTER DEFAULT PRIVILEGES. + + As a non-superuser, you can change default privileges only on objects created + by yourself or by roles that you are a member of. However, you don't inherit + altered default privileges from roles you are a member of; objects you create + will receive the default privileges for your current role. + + + + There is no way to change the default privileges for objects created by + arbitrary roles. 
You have run ALTER DEFAULT PRIVILEGES + for any role that can create objects whose default privileges should be + modified. + + + + Currently, + only the privileges for schemas, tables (including views and foreign + tables), sequences, functions, and types (including domains) can be + altered. For this command, functions include aggregates and procedures. + The words FUNCTIONS and ROUTINES are + equivalent in this command. (ROUTINES is preferred + going forward as the standard term for functions and procedures taken + together. In earlier PostgreSQL releases, only the + word FUNCTIONS was allowed. It is not possible to set + default privileges for functions and procedures separately.) + + Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type. @@ -136,8 +149,9 @@ REVOKE [ GRANT OPTION FOR ] target_role - The name of an existing role of which the current role is a member. - If FOR ROLE is omitted, the current role is assumed. + Default privileges are changed for objects created by the + target_role, or the current + role if unspecified. -- 2.41.0
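Review bot: In the first hunk (@@ -90,34 +90,47 @@), the added sentence "You have run ALTER DEFAULT PRIVILEGES for any role that can create objects whose default privileges should be modified" is missing its modal verb. As written it reads as a statement about something already done, not as an instruction. Suggest "You must run ALTER DEFAULT PRIVILEGES for each role that can create objects whose default privileges should be modified"; "each" also removes the ambiguity of "any role", which this paragraph exists to dispel. In the same hunk, "only on objects created by yourself" drops the future sense of the removed wording "objects that will be created by yourself". Since the command does not affect existing objects, "for objects that will be created by yourself or by roles that you are a member of" would stay consistent with the opening paragraph.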
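Review bot: In the second hunk (@@ -136,8 +149,9 @@), the new target_role description no longer says that the role must be an existing role of which the current role is a member. The removed line "The name of an existing role of which the current role is a member" was the only place in the parameter list that carried that restriction. The description section now states it for non-superusers, but readers who go straight to the parameter entry will not see it. Consider keeping a short clause here, qualified for non-superusers to match the new description text. Also, "or the current role if unspecified" could say "if FOR ROLE is omitted", because omitting FOR ROLE is the case the commit message calls out as a frequent source of confusion.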