To Whom It May Concern;
Some additional clarity in the versions 14/15 documentation would be helpful
specifically surrounding the "target_role" clause for the ALTER DEFAULT
PRIVILEGES command. To the uninitiated, the current description seems vague.
Maybe something like the following would help:
target_role
The name of an existing role of which the current role is a
member. Default privileges are only applied to objects created by the targeted
role/user (FOR ROLE target_role). If the FOR ROLE clause is omitted, the
targeted user defaults to the current user executing the ALTER DEFAULT
PRIVILEGES command. The result can be seen using the following query:
select table_catalog as database
,table_schema
,table_name
,privilege_type
,grantee
,'revoke '||privilege_type||' on '||table_schema||'.'||table_name||'
from '||grantee||';' as revoke_stmt
from information_schema.table_privileges
where table_schema = 'my_schema'
and table_name = 'my_table'
order by 1,2,3,5,4;
Also, additional explanation about the differences between global defaults
versus schema-level defaults, and how to identify them, would be helpful.
Additional explanation about exactly what is happening would help to put this
command into perspective. On successful execution with the correct parameter
values, and using both the FOR ROLE and IN SCHEMA clauses, I also received
privilege grants directed to the user executing the ALTER DEFAULT PRIVILEGES
command. This was in addition to the expected privileges specified in the
command. I'm not sure why this occurred or how to eliminate it, in the
interest of establishing "least privilege" permissions.
Thank you.
David E. Burns, Jr. | Domain Architect | FedEx Services IT | Dock and Edge
Services | Mobile 412.304.8303
1000 FedEx Drive, Moon Township, PA 15108 |
[email protected]<mailto:[email protected]>
