On Mon, Nov 6, 2023 at 09:44:14AM +0100, Laurenz Albe wrote:
> On Sat, 2023-11-04 at 21:14 -0400, Bruce Momjian wrote:
> > > It is not the role that is modified. Perhaps:
> > >
> > > [...]; if omitted, the current role is used.
> >
> > Sure, attached. Here is the issue I have though, we are really not
> > changing default privileges for objects created in the future, we are
> > changing the role _now_ so future objects will have different default
> > privileges, right? I think wording like the above is kind of odd.
>
> I see what you mean. The alternative is to be precise, at the risk of
> repeating ourselves:
>
> if omitted, default privileges will be changed for objects created by
> the current role.

Okay, I think I have good wording for this. I didn't like the wording
of other roles, so I restructured that in the attached patch too.

--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
new file mode 100644
index 8a60061..a868779
*** a/doc/src/sgml/ref/alter_default_privileges.sgml
--- b/doc/src/sgml/ref/alter_default_privileges.sgml
*************** REVOKE [ GRANT OPTION FOR ]
*** 90,112 ****
<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
! affect privileges assigned to already-existing objects.) Currently,
! only the privileges for schemas, tables (including views and foreign
! tables), sequences, functions, and types (including domains) can be
! altered. For this command, functions include aggregates and procedures.
! The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
! equivalent in this command. (<literal>ROUTINES</literal> is preferred
! going forward as the standard term for functions and procedures taken
! together. In earlier PostgreSQL releases, only the
! word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
! default privileges for functions and procedures separately.)
</para>
<para>
! You can change default privileges only for objects that will be created by
! yourself or by roles that you are a member of. The privileges can be set
! globally (i.e., for all objects created in the current database),
! or just for objects created in specified schemas.
</para>
<para>
--- 90,113 ----
<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
! affect privileges assigned to already-existing objects.) Privileges can be
! set globally (i.e., for all objects created in the current database), or
! just for objects created in specified schemas.
</para>
<para>
! Default privileges apply only to the active role; the default
! privileges of member roles have no affect on object permissions.
! <command>SET ROLE</command> can be used to change the active user and
! apply their default privileges.
! </para>
!
! <para>
! As a non-superuser, you can change your own default privileges and
! the defauls of roles that you are a member of. There is no way to
! set default privileges for a role and all its members with a single
! command; individual <command>ALTER DEFAULT PRIVILEGES</command>
! commands must be run to achieve this.
</para>
<para>
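
Review bot: Two typos in the added paragraphs on the 90,113 side: "have no affect on object permissions" should read "have no effect", and "the defauls of roles" should read "the defaults of roles". The same paragraph says SET ROLE can be used to change "the active user" while the sentence before it speaks of "the active role"; using "role" in both places keeps the terminology consistent. The phrase "the default privileges of member roles" is also ambiguous about direction (roles that are members of the active role, or roles the active role is a member of), so it is worth spelling out which is meant.
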
*************** REVOKE [ GRANT OPTION FOR ]
*** 119,124 ****
--- 120,138 ----
</para>
<para>
+ Currently,
+ only the privileges for schemas, tables (including views and foreign
+ tables), sequences, functions, and types (including domains) can be
+ altered. For this command, functions include aggregates and procedures.
+ The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
+ equivalent in this command. (<literal>ROUTINES</literal> is preferred
+ going forward as the standard term for functions and procedures taken
+ together. In earlier PostgreSQL releases, only the
+ word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
+ default privileges for functions and procedures separately.)
+ </para>
+
+ <para>
Default privileges that are specified per-schema are added to whatever
the global default privileges are for the particular object type.
This means you cannot revoke privileges per-schema if they are granted
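
Review bot: In the moved paragraph on the 120,138 side, "Currently," is left alone on its own line, a leftover from the old line wrapping. Refill the paragraph so it opens "Currently, only the privileges for schemas, tables ..." on one line. The wording is otherwise identical to the lines removed from the first hunk, so nothing else needs to change here.
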
*************** REVOKE [ GRANT OPTION FOR ]
*** 136,147 ****
<term><replaceable>target_role</replaceable></term>
<listitem>
<para>
! The name of an existing role of which the current role is a member.
! Default access privileges are not inherited, so member roles
! must use <command>SET ROLE</command> to access these privileges,
! or <command>ALTER DEFAULT PRIVILEGES</command> must be run for
! each member role. If <literal>FOR ROLE</literal> is omitted,
! the current role is assumed.
</para>
</listitem>
</varlistentry>
--- 150,158 ----
<term><replaceable>target_role</replaceable></term>
<listitem>
<para>
! Change default privileges for objects created by the
! <replaceable>target_role</replaceable>, or the current
! role if unspecified.
</para>
</listitem>
</varlistentry>
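
Review bot: The new target_role entry drops "The name of an existing role of which the current role is a member", so the parameter description no longer says what the argument is or that membership is required. That rule now appears only in the description paragraph added in the first hunk, and there only for non-superusers. Consider opening the entry with "The name of an existing role" and keeping a short pointer to the membership rule. Also, "created by the <replaceable>target_role</replaceable>" reads better without the article.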