author | Bruce Momjian <bruce@momjian.us> | 2023-11-13 14:27:38 -0500 |
---|---|---|
committer | Bruce Momjian <bruce@momjian.us> | 2023-11-13 14:27:38 -0500 |
commit | 151a0ee76dc7204b858d84f128e6f819f1393040 (patch) | |
tree | 1f7e611646666dcfb5726cb46afa1f1711326bbc /doc/src | |
parent | 83472de606db42a1e1f59ab2c3d0e5ae0b95e739 (diff) | |
doc: restructure ALTER DEFAULT PRIVILEGES

Clarify that default privileges are not inherited and reorder
paragraphs. This is a follow up to a recent ALTER DEFAULT PRIVILEGES
doc patch.

Reported-by: Sanjay Minni
Diagnosed-by: AMpxBo=M35hcH1g4Vg=KRJ0-77FOJcvdrdiVF5KSOAdOG-LvKQ@mail.gmail.com
Co-authored-by: Laurenz Albe
Backpatch-through: 16
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/ref/alter_default_privileges.sgml | 48 |
1 files changed, 26 insertions, 22 deletions
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml index 8a6006188d3..78744470c8d 100644 --- a/doc/src/sgml/ref/alter_default_privileges.sgml +++ b/doc/src/sgml/ref/alter_default_privileges.sgml 
@@ -88,25 +88,19 @@ REVOKE [ GRANT OPTION FOR ] <title>Description</title> <para> - <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges - that will be applied to objects created in the future. (It does not - affect privileges assigned to already-existing objects.) Currently, - only the privileges for schemas, tables (including views and foreign - tables), sequences, functions, and types (including domains) can be - altered. For this command, functions include aggregates and procedures. - The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are - equivalent in this command. (<literal>ROUTINES</literal> is preferred - going forward as the standard term for functions and procedures taken - together. In earlier PostgreSQL releases, only the - word <literal>FUNCTIONS</literal> was allowed. It is not possible to set - default privileges for functions and procedures separately.) + <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the + privileges that will be applied to objects created in the future. + (It does not affect privileges assigned to already-existing objects.) + Privileges can be set globally (i.e., for all objects created in the + current database), or just for objects created in specified schemas. </para> <para> - You can change default privileges only for objects that will be created by - yourself or by roles that you are a member of. The privileges can be set - globally (i.e., for all objects created in the current database), - or just for objects created in specified schemas. + While you can change your own default privileges and the defaults of + roles that you are a member of, at object creation time, new object + permissions are only affected by the default privileges of the current + role, and are not inherited from any roles in which the current role + is a member. </para> <para> 
@@ -119,6 +113,19 @@ REVOKE [ GRANT OPTION FOR ] </para> <para> + Currently, + only the privileges for schemas, tables (including views and foreign + tables), sequences, functions, and types (including domains) can be + altered. For this command, functions include aggregates and procedures. + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are + equivalent in this command. (<literal>ROUTINES</literal> is preferred + going forward as the standard term for functions and procedures taken + together. In earlier PostgreSQL releases, only the + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set + default privileges for functions and procedures separately.) + </para> + + <para> Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type. This means you cannot revoke privileges per-schema if they are granted @@ -136,12 +143,9 @@ REVOKE [ GRANT OPTION FOR ] <term><replaceable>target_role</replaceable></term> <listitem> <para> - The name of an existing role of which the current role is a member. - Default access privileges are not inherited, so member roles - must use <command>SET ROLE</command> to access these privileges, - or <command>ALTER DEFAULT PRIVILEGES</command> must be run for - each member role. If <literal>FOR ROLE</literal> is omitted, - the current role is assumed. + Change default privileges for objects created by the + <replaceable>target_role</replaceable>, or the current + role if unspecified. </para> </listitem> </varlistentry> |
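Review bot: In the first hunk (@@ -88), the rewritten second paragraph of the Description loses the restriction carried by "only" in the removed sentence "You can change default privileges only for objects that will be created by yourself or by roles that you are a member of"; the new "While you can change ..." clause no longer says outright that defaults cannot be set for roles you are not a member of. Consider restoring that limit as its own sentence ahead of the inheritance point. The same added sentence says "new object permissions" where the surrounding text says "privileges", and it mixes "roles that you are a member of" with "roles in which the current role is a member"; one term and one phrasing would read more cleanly.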
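Review bot: In the second hunk (@@ -119), the relocated paragraph is re-added with "Currently," alone on its first source line, which is a leftover of the old line filling. Since every line of the paragraph is already touched by the move, refill it so the first line runs "Currently, only the privileges for schemas, tables ..." to match the other paragraphs in the file.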
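Review bot: In the third hunk (@@ -136), the new target_role entry drops the practical guidance that the removed lines gave for the non-inheritance case ("member roles must use SET ROLE ... or ALTER DEFAULT PRIVILEGES must be run for each member role"), and none of the lines added in this patch restate it. The Description now says defaults are not inherited but not what to do about it, so a reader who sets defaults on a group role and then creates objects as a member of it has no pointer to why the expected grants or revokes are missing. Consider keeping one sentence with the SET ROLE and per-member alternatives, either here or next to the new inheritance paragraph. The entry also no longer says that target_role must be an existing role the current role is a member of, and "created by the target_role" reads better without the article.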