On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote: > To Whom It May Concern;
It concerns me, because I often see questions from people who misunderstand this. > Some additional clarity in the versions 14/15 documentation would be helpful > specifically > surrounding the "target_role" clause for the ALTER DEFAULT PRIVILEGES command. > To the uninitiated, the current description seems vague. Maybe something > like the following would help: > > target_role > The name of an existing role of which the current role is a member. > Default privileges are only applied to objects created by the targeted > role/user (FOR ROLE target_role). > If the FOR ROLE clause is omitted, the targeted user defaults to the > current user executing the > ALTER DEFAULT PRIVILEGES command. +1 I like the wording, except that I would replace "targeted role/user (FOR ROLE target_role)" with "target role" for added clarity. > The result can be seen using the following query: > > select table_catalog as database > ,table_schema > ,table_name > ,privilege_type > ,grantee > ,'revoke '||privilege_type||' on '||table_schema||'.'||table_name||' > from '||grantee||';' as revoke_stmt > from information_schema.table_privileges > where table_schema = 'my_schema' > and table_name = 'my_table' > order by 1,2,3,5,4; I am not so happy with that query; I thinks that is going too far. Perhaps we can say that the "psql" command "\ddp" can be used to view default privileges. > Also, additional explanation about the differences between global defaults > versus > schema-level defaults, and how to identify them, would be helpful. The examples already cover that in some detail. > Additional explanation about exactly what is happening would help to put this > command into perspective. > On successful execution with the correct parameter values, and using both the > FOR ROLE and > IN SCHEMA clauses, I also received privilege grants directed to the user > executing the > ALTER DEFAULT PRIVILEGES command. This was in addition to the expected > privileges specified in the command. > I'm not sure why this occurred or how to eliminate it, in the interest of > establishing "least privilege" permissions. ALTER DEFAULT PRIVILEGES does nothing like that... Yours, Laurenz Albe
