doc: restructure ALTER DEFAULT PRIVILEGES

Clarify that default privileges are not inherited and reorder paragraphs. This is a follow up to a recent ALTER DEFAULT PRIVILEGES doc patch. Reported-by: Sanjay Minni Diagnosed-by: AMpxBo=M35hcH1g4Vg=KRJ0-77FOJcvdrdiVF5KSOAdOG-LvKQ@mail.gmail.com Co-authored-by: Laurenz Albe Backpatch-through: 16
author: Bruce Momjian <bruce@momjian.us> 2023-11-13 14:27:38 -0500
committer: Bruce Momjian <bruce@momjian.us> 2023-11-13 14:27:38 -0500
commit: 151a0ee76dc7204b858d84f128e6f819f1393040 (patch)
tree: 1f7e611646666dcfb5726cb46afa1f1711326bbc /doc/src
parent: 83472de606db42a1e1f59ab2c3d0e5ae0b95e739 (diff)
download: postgresql-151a0ee76dc7204b858d84f128e6f819f1393040.tar.gz
postgresql-151a0ee76dc7204b858d84f128e6f819f1393040.zip
1 files changed, 26 insertions, 22 deletions
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index 8a6006188d3..78744470c8d 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -88,25 +88,19 @@ REVOKE [ GRANT OPTION FOR ]
   <title>Description</title>
 
   <para>
-   <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
-   that will be applied to objects created in the future.  (It does not
-   affect privileges assigned to already-existing objects.)  Currently,
-   only the privileges for schemas, tables (including views and foreign
-   tables), sequences, functions, and types (including domains) can be
-   altered.  For this command, functions include aggregates and procedures.
-   The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
-   equivalent in this command.  (<literal>ROUTINES</literal> is preferred
-   going forward as the standard term for functions and procedures taken
-   together.  In earlier PostgreSQL releases, only the
-   word <literal>FUNCTIONS</literal> was allowed.  It is not possible to set
-   default privileges for functions and procedures separately.)
+   <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the
+   privileges that will be applied to objects created in the future.
+   (It does not affect privileges assigned to already-existing objects.)
+   Privileges can be set globally (i.e., for all objects created in the
+   current database), or just for objects created in specified schemas.
   </para>
 
   <para>
-   You can change default privileges only for objects that will be created by
-   yourself or by roles that you are a member of.  The privileges can be set
-   globally (i.e., for all objects created in the current database),
-   or just for objects created in specified schemas.
+   While you can change your own default privileges and the defaults of
+   roles that you are a member of, at object creation time, new object
+   permissions are only affected by the default privileges of the current
+   role, and are not inherited from any roles in which the current role
+   is a member.
   </para>
 
   <para>
@@ -119,6 +113,19 @@ REVOKE [ GRANT OPTION FOR ]
   </para>
 
   <para>
+   Currently,
+   only the privileges for schemas, tables (including views and foreign
+   tables), sequences, functions, and types (including domains) can be
+   altered.  For this command, functions include aggregates and procedures.
+   The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
+   equivalent in this command.  (<literal>ROUTINES</literal> is preferred
+   going forward as the standard term for functions and procedures taken
+   together.  In earlier PostgreSQL releases, only the
+   word <literal>FUNCTIONS</literal> was allowed.  It is not possible to set
+   default privileges for functions and procedures separately.)
+  </para>
+
+  <para>
    Default privileges that are specified per-schema are added to whatever
    the global default privileges are for the particular object type.
    This means you cannot revoke privileges per-schema if they are granted
@@ -136,12 +143,9 @@ REVOKE [ GRANT OPTION FOR ]
     <term><replaceable>target_role</replaceable></term>
     <listitem>
      <para>
-      The name of an existing role of which the current role is a member.
-      Default access privileges are not inherited, so member roles
-      must use <command>SET ROLE</command> to access these privileges,
-      or <command>ALTER DEFAULT PRIVILEGES</command> must be run for
-      each member role.  If <literal>FOR ROLE</literal> is omitted,
-      the current role is assumed.
+      Change default privileges for objects created by the
+      <replaceable>target_role</replaceable>, or the current
+      role if unspecified.
      </para>
     </listitem>
    </varlistentry>
author	Bruce Momjian <bruce@momjian.us>	2023-11-13 14:27:38 -0500
committer	Bruce Momjian <bruce@momjian.us>	2023-11-13 14:27:38 -0500
commit	151a0ee76dc7204b858d84f128e6f819f1393040 (patch)
tree	1f7e611646666dcfb5726cb46afa1f1711326bbc /doc/src
parent	83472de606db42a1e1f59ab2c3d0e5ae0b95e739 (diff)
download	postgresql-151a0ee76dc7204b858d84f128e6f819f1393040.tar.gz postgresql-151a0ee76dc7204b858d84f128e6f819f1393040.zip