aboutsummaryrefslogtreecommitdiff
path: root/doc/src
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src')
-rw-r--r--doc/src/sgml/ref/alter_role.sgml4
-rw-r--r--doc/src/sgml/ref/create_role.sgml11
2 files changed, 12 insertions, 3 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index aef30521bcc..5aa5648ae7b 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -71,7 +71,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
Attributes not mentioned in the command retain their previous settings.
Database superusers can change any of these settings for any role.
Roles having <literal>CREATEROLE</literal> privilege can change any of these
- settings, but only for non-superuser and non-replication roles.
+ settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
+ and <literal>BYPASSRLS</literal>; but only for non-superuser and
+ non-replication roles.
Ordinary roles can only change their own password.
</para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index d23133945db..73b30d7b23c 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -181,6 +181,8 @@ in sync when changing the above synopsis!
highly privileged role, and should only be used on roles actually
used for replication. If not specified,
<literal>NOREPLICATION</literal> is the default.
+ You must be a superuser to create a new role having the
+ <literal>REPLICATION</literal> attribute.
</para>
</listitem>
</varlistentry>
@@ -192,11 +194,16 @@ in sync when changing the above synopsis!
<para>
These clauses determine whether a role bypasses every row-level
security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default.
+ You must be a superuser to create a new role having
+ the <literal>BYPASSRLS</literal> attribute.
+ </para>
+
+ <para>
Note that pg_dump will set <literal>row_security</literal> to
<literal>OFF</literal> by default, to ensure all contents of a table are
dumped out. If the user running pg_dump does not have appropriate
- permissions, an error will be returned. The superuser and owner of the
- table being dumped always bypass RLS.
+ permissions, an error will be returned. However, superusers and the
+ owner of the table being dumped always bypass RLS.
</para>
</listitem>
</varlistentry>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-29 09:46:15 +0000