On Mon, Nov 6, 2023 at 09:53:50PM +0100, Laurenz Albe wrote: > On Mon, 2023-11-06 at 10:55 -0500, Bruce Momjian wrote: > > Okay, I think I have good wording for this. I didn't like the wording > > of other roles, so I restructured that in the attached patch too. > > > <para> > > ! Default privileges apply only to the active role; the default > > ! privileges of member roles have no affect on object permissions. > > ! <command>SET ROLE</command> can be used to change the active user and > > ! apply their default privileges. > > ! </para> > > You don't mean member roles, but roles that the active role is a member of, > right?
Yes, sorry fixed in the attached patch. > + <para> > + As a non-superuser, you can change default privileges only on objects > created > + by yourself or by roles that you are a member of. However, you don't > inherit > + altered default privileges from roles you are a member of; objects you > create > + will receive the default privileges for your current role. > + </para> I went with different wording since I found the above confusing. You didn't seem to like my SET ROLE suggestion so I removed it. > + > + <para> > + There is no way to change the default privileges for objects created by > + arbitrary roles. You have run <command>ALTER DEFAULT PRIVILEGES</command> I find the above sentence odd. What is its purpose? > + for any role that can create objects whose default privileges should be > + modified. > + </para> > + > + <para> > + Currently, > + only the privileges for schemas, tables (including views and foreign > + tables), sequences, functions, and types (including domains) can be > + altered. For this command, functions include aggregates and procedures. > + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are > + equivalent in this command. (<literal>ROUTINES</literal> is preferred > + going forward as the standard term for functions and procedures taken > + together. In earlier PostgreSQL releases, only the > + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set > + default privileges for functions and procedures separately.) > + </para> > + > <para> > Default privileges that are specified per-schema are added to whatever > the global default privileges are for the particular object type. 
> @@ -136,8 +149,9 @@ REVOKE [ GRANT OPTION FOR ] > <term><replaceable>target_role</replaceable></term> > <listitem> > <para> > - The name of an existing role of which the current role is a member. > - If <literal>FOR ROLE</literal> is omitted, the current role is assumed. > + Default privileges are changed for objects created by the > + <replaceable>target_role</replaceable>, or the current > + role if unspecified. I like a verb to be first, like "Change" rather than "default privileges". Patch attached. -- Bruce Momjian <br...@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml index 8a6006188d..78744470c8 100644 --- a/doc/src/sgml/ref/alter_default_privileges.sgml +++ b/doc/src/sgml/ref/alter_default_privileges.sgml 
@@ -88,25 +88,19 @@ REVOKE [ GRANT OPTION FOR ] <title>Description</title> <para> - <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges - that will be applied to objects created in the future. (It does not - affect privileges assigned to already-existing objects.) Currently, - only the privileges for schemas, tables (including views and foreign - tables), sequences, functions, and types (including domains) can be - altered. For this command, functions include aggregates and procedures. - The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are - equivalent in this command. (<literal>ROUTINES</literal> is preferred - going forward as the standard term for functions and procedures taken - together. In earlier PostgreSQL releases, only the - word <literal>FUNCTIONS</literal> was allowed. It is not possible to set - default privileges for functions and procedures separately.) + <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the + privileges that will be applied to objects created in the future. + (It does not affect privileges assigned to already-existing objects.) + Privileges can be set globally (i.e., for all objects created in the + current database), or just for objects created in specified schemas. </para> <para> - You can change default privileges only for objects that will be created by - yourself or by roles that you are a member of. The privileges can be set - globally (i.e., for all objects created in the current database), - or just for objects created in specified schemas. + While you can change your own default privileges and the defaults of + roles that you are a member of, at object creation time, new object + permissions are only affected by the default privileges of the current + role, and are not inherited from any roles in which the current role + is a member. </para> <para> 
@@ -118,6 +112,19 @@ REVOKE [ GRANT OPTION FOR ] <command>ALTER DEFAULT PRIVILEGES</command>. </para> + <para> + Currently, + only the privileges for schemas, tables (including views and foreign + tables), sequences, functions, and types (including domains) can be + altered. For this command, functions include aggregates and procedures. + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are + equivalent in this command. (<literal>ROUTINES</literal> is preferred + going forward as the standard term for functions and procedures taken + together. In earlier PostgreSQL releases, only the + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set + default privileges for functions and procedures separately.) + </para> + <para> Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type. @@ -136,12 +143,9 @@ REVOKE [ GRANT OPTION FOR ] <term><replaceable>target_role</replaceable></term> <listitem> <para> - The name of an existing role of which the current role is a member. - Default access privileges are not inherited, so member roles - must use <command>SET ROLE</command> to access these privileges, - or <command>ALTER DEFAULT PRIVILEGES</command> must be run for - each member role. If <literal>FOR ROLE</literal> is omitted, - the current role is assumed. + Change default privileges for objects created by the + <replaceable>target_role</replaceable>, or the current + role if unspecified. </para> </listitem> </varlistentry>
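Review bot: In the first hunk (@@ -88,25 +88,19 @@), the new second paragraph ends with "roles in which the current role is a member", which should read "roles of which the current role is a member". It also packs two separate rules into one long sentence. This is the sentence that tells an administrator that defaults set on a group role do not reach objects created by its members, so consider splitting it: one sentence on whose defaults you may change, and one on which defaults apply at object creation time. "new object permissions" would read more clearly as "the privileges of a new object".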
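Review bot: In the second hunk (@@ -118,6 +112,19 @@), the moved paragraph keeps its old wrap point, which leaves "Currently," alone on its first line; re-wrap it so the paragraph fills normally. While the text is being moved, the last sentence, "It is not possible to set default privileges for functions and procedures separately.", could also come out of the parenthetical. It states a restriction of the command rather than a terminology aside, and is easy to miss where it is.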
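Review bot: In the third hunk (@@ -136,12 +143,9 @@), the new target_role entry no longer says that target_role must be a role of which the current role is a member, and "if unspecified" loses the explicit reference to FOR ROLE being omitted. Suggest keeping both, for example by retaining "If <literal>FOR ROLE</literal> is omitted, the current role is assumed." after the new first sentence. The removed lines were also the only place that gave the practical remedy ("ALTER DEFAULT PRIVILEGES must be run for each member role"). The new paragraph in the first hunk states the non-inheritance rule but not what to do about it, so that instruction should be kept somewhere on the page.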