On Mon, 2023-11-06 at 10:55 -0500, Bruce Momjian wrote:
> Okay, I think I have good wording for this. I didn't like the wording
> of other roles, so I restructured that in the attached patch too.
> <para> > ! Default privileges apply only to the active role; the default > ! privileges of member roles have no affect on object permissions. > ! <command>SET ROLE</command> can be used to change the active user and > ! apply their default privileges. > ! </para>

You don't mean member roles, but roles that the active role is a member of, right?

How do you like my version, as attached?

Yours,
Laurenz Albe
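Review bot: In the quoted hunk, "have no affect on object permissions" should read "have no effect on object permissions", and the following sentence switches from "active role" to "active user" ("can be used to change the active user and apply their default privileges"). Using "role" in both sentences would keep the paragraph from suggesting that two different things are meant.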
From eb251f000074ee10eff5cbd30ca9ee038a01b6f3 Mon Sep 17 00:00:00 2001
From: Laurenz Albe <laurenz.a...@cybertec.at>
Date: Mon, 6 Nov 2023 21:44:23 +0100
Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation

Rewrite the documentation to emphasize two aspects that were previously
missing, which frequently confused users:

- you cannot inherit altered default privileges
- you cannot alter the default privileges for any creating role by
  omitting FOR ROLE

Author: Bruce Momjian, Laurenz Albe
Reviewed-by: Michael Banck
Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com
---
 .../sgml/ref/alter_default_privileges.sgml | 52 ++++++++++++-------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml index f1d54f5aa3..7fab707a0d 100644 --- a/doc/src/sgml/ref/alter_default_privileges.sgml +++ b/doc/src/sgml/ref/alter_default_privileges.sgml 
@@ -90,34 +90,47 @@ REVOKE [ GRANT OPTION FOR ] <para> <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges that will be applied to objects created in the future. (It does not - affect privileges assigned to already-existing objects.) Currently, - only the privileges for schemas, tables (including views and foreign - tables), sequences, functions, and types (including domains) can be - altered. For this command, functions include aggregates and procedures. - The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are - equivalent in this command. (<literal>ROUTINES</literal> is preferred - going forward as the standard term for functions and procedures taken - together. In earlier PostgreSQL releases, only the - word <literal>FUNCTIONS</literal> was allowed. It is not possible to set - default privileges for functions and procedures separately.) - </para> - - <para> - You can change default privileges only for objects that will be created by - yourself or by roles that you are a member of. The privileges can be set - globally (i.e., for all objects created in the current database), - or just for objects created in specified schemas. + affect privileges assigned to already-existing objects.) Privileges can be + set globally (i.e., for all objects created in the current database), or + just for objects created in specified schemas. </para> <para> As explained in <xref linkend="ddl-priv"/>, the default privileges for any object type normally grant all grantable permissions to the object owner, and may grant some privileges to <literal>PUBLIC</literal> as well. However, this behavior can be changed by altering the global default privileges with <command>ALTER DEFAULT PRIVILEGES</command>. </para> + <para> + As a non-superuser, you can change default privileges only on objects created + by yourself or by roles that you are a member of. 
However, you don't inherit + altered default privileges from roles you are a member of; objects you create + will receive the default privileges for your current role. + </para> + + <para> + There is no way to change the default privileges for objects created by + arbitrary roles. You have run <command>ALTER DEFAULT PRIVILEGES</command> + for any role that can create objects whose default privileges should be + modified. + </para> + + <para> + Currently, + only the privileges for schemas, tables (including views and foreign + tables), sequences, functions, and types (including domains) can be + altered. For this command, functions include aggregates and procedures. + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are + equivalent in this command. (<literal>ROUTINES</literal> is preferred + going forward as the standard term for functions and procedures taken + together. In earlier PostgreSQL releases, only the + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set + default privileges for functions and procedures separately.) + </para> + <para> Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type. @@ -136,8 +149,9 @@ REVOKE [ GRANT OPTION FOR ] <term><replaceable>target_role</replaceable></term> <listitem> <para> - The name of an existing role of which the current role is a member. - If <literal>FOR ROLE</literal> is omitted, the current role is assumed. + Default privileges are changed for objects created by the + <replaceable>target_role</replaceable>, or the current + role if unspecified. </para> </listitem> </varlistentry> -- 2.41.0
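Review bot: In the first hunk (@@ -90,34 +90,47 @@), the added sentence "You have run <command>ALTER DEFAULT PRIVILEGES</command> for any role that can create objects ..." is missing a word and reads as a statement about the past; "You have to run ... for each role that can create objects ..." would say what is intended. The commit message names omitting FOR ROLE as one of the two points to emphasize, but the added paragraphs never mention FOR ROLE, so the sentence "There is no way to change the default privileges for objects created by arbitrary roles" would be clearer if it said that leaving out FOR ROLE affects only objects created by the current role.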
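Review bot: In the second hunk (@@ -136,8 +149,9 @@), the new target_role text drops the removed statement that target_role is "an existing role of which the current role is a member", so the parameter entry no longer states any restriction on which role may be named; that restriction now appears only in the description paragraph added by the first hunk ("As a non-superuser, you can change default privileges only on objects created by yourself or by roles that you are a member of"). A short clause or a reference back to that paragraph would keep the parameter entry complete on its own. The phrase "created by the <replaceable>target_role</replaceable>" would also read better without the article.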