On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
> 
> I noticed that we don't document that you need to own the object being 
> modified by SECURITY LABEL.
> 
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
> 
> I've attached a patch that would have answered that question (for me) 
> without diving into the code.

> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable 
> class="parameter">provider</replaceable> ] ON
>     based on object labels, rather than traditional discretionary access 
> control
>     (DAC) concepts such as users and groups.
>    </para>
> +
> +  <para>
> +   You must own the database object to use the <command>SECURITY 
> LABEL</command>.
> +  </para>
>   </refsect1>
>  
>   <refsect1>

Wouldn't it be more accurate to say that you have to be a member of the owning 
role?
But perhaps that would be complicated enough to confuse many users.

In general, +1 for documenting that.

Yours,
Laurenz Albe


Reply via email to