Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/high-availability.sgml | 6
-rw-r--r-- doc/src/sgml/ref/create_role.sgml | 3
-rw-r--r-- doc/src/sgml/user-manag.sgml | 11
3 files changed, 12 insertions, 8 deletions
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml index 2c24fd9c139..b1ec461f53e 100644 --- a/doc/src/sgml/high-availability.sgml +++ b/doc/src/sgml/high-availability.sgml @@ -805,9 +805,9 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r' <note> <para> It is recommended that a dedicated user account is used for replication. - While it is possible to add the <literal>REPLICATION</> privilege to - a superuser account for the purporses of replication, this is not - recommended. While <literal>REPLICATION</> privilege gives very high + While the <literal>REPLICATION</> privilege is granted to superuser + accounts by default, it is not recommended to use superuser accounts + for replication. While <literal>REPLICATION</> privilege gives very high permissions, it does not allow the user to modify any data on the primary system, which the <literal>SUPERUSER</> privilege does. </para> diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 7cc7f149fdc..43bec5d8e13 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -185,7 +185,8 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac A role having the <literal>REPLICATION</> attribute is a very highly privileged role, and should only be used on roles actually used for replication. If not specified, - <literal>NOREPLICATION</literal> is the default. + <literal>NOREPLICATION</literal> is the default for all roles except + superusers. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 08b3fb7dc42..2830aec49ca 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml 
@@ -175,7 +175,11 @@ CREATE USER <replaceable>name</replaceable>; to do most of your work as a role that is not a superuser. To create a new database superuser, use <literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER</literal>. You must do - this as a role that is already a superuser. + this as a role that is already a superuser. Creating a superuser + will by default also grant permissions to initiate streaming + replication. For increased security this can be disallowed using + <literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER + NOREPLICATION</literal>. </para> </listitem> </varlistentry> @@ -214,9 +218,8 @@ CREATE USER <replaceable>name</replaceable>; <listitem> <para> A role must explicitly be given permission to initiate streaming - replication (superusers do not bypass this check). A role used - for streaming replication must always have <literal>LOGIN</> - permission as well. To create such a role, use + replication. A role used for streaming replication must always + have <literal>LOGIN</> permission as well. To create such a role, use <literal>CREATE ROLE <replaceable>name</replaceable> REPLICATION LOGIN</literal>. </para> |
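Review bot: In the high-availability.sgml hunk the two rewritten sentences now both open with "While ...", which reads awkwardly and blurs the point that the first one is a warning and the second an explanation; suggest "Superuser accounts are granted the <literal>REPLICATION</> privilege by default, but using them for replication is not recommended." so the following "While <literal>REPLICATION</> privilege gives very high permissions ..." sentence stands on its own. Since this note is where administrators setting up a standby will read it, it would also help to say here that the default can be turned off (the user-manag.sgml hunk shows the form, <literal>CREATE ROLE <replaceable>name</replaceable> SUPERUSER NOREPLICATION</literal>), rather than leaving the reader to find it in a different chapter.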
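Review bot: In the create_role.sgml hunk the new default ("for all roles except superusers") sits directly after "should only be used on roles actually used for replication", so the paragraph now says the attribute should be restricted to replication roles while also stating that every superuser gets it implicitly; suggest adding a sentence that superusers receive <literal>REPLICATION</> automatically and that <literal>NOREPLICATION</literal> can be given explicitly to prevent that, mirroring the wording added to user-manag.sgml in the same patch.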
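Review bot: In the first user-manag.sgml hunk (@@ -175), "this can be disallowed using" is the wrong verb for what the option does; the attribute is simply not granted, so "this can be disabled by creating the role with ... NOREPLICATION" is clearer. The sentence also covers only role creation; since the behaviour change affects superusers that already exist, the paragraph should say how to change the attribute on an existing superuser as well, not only at <literal>CREATE ROLE</literal> time.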
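Review bot: In the second user-manag.sgml hunk (@@ -214), dropping "(superusers do not bypass this check)" is the right consequence of the new default, but the surviving sentence "A role must explicitly be given permission to initiate streaming replication" is now inaccurate for superusers, who receive the permission implicitly; suggest "A role must be given permission to initiate streaming replication (non-superuser roles explicitly, superusers by default unless created with <literal>NOREPLICATION</literal>)." so this paragraph agrees with the one added a few lines above it.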