On Thu, 2022-11-03 at 11:32 +0100, Laurenz Albe wrote:
> On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote:
> > To Whom It May Concern;
> 
> It concerns me, because I often see questions from people who misunderstand this.
> 
> > Some additional clarity in the versions 14/15 documentation would be helpful specifically
> > surrounding the "target_role" clause for the ALTER DEFAULT PRIVILEGES command.
> > To the uninitiated, the current description seems vague.  Maybe something like the following would help:
> >  
> > target_role
> >        The name of an existing role of which the current role is a member.
> >        Default privileges are only applied to objects created by the targeted role/user (FOR ROLE target_role).
> >        If the FOR ROLE clause is omitted, the targeted user defaults to the current user executing the
> >        ALTER DEFAULT PRIVILEGES command.
> 
> +1

After some more thinking, I came up with the attached patch.

Yours,
Laurenz Albe
From 5f7e664ba6fea08dd5cac0c1c71a0ee77522d7c3 Mon Sep 17 00:00:00 2001
From: Laurenz Albe <laurenz.a...@cybertec.at>
Date: Fri, 4 Nov 2022 10:48:38 +0100
Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation

Clarify that default privileges are only applied to objects
created by the target role.  This has been a frequent source
of misunderstandings.

Author: Laurenz Albe, per request from David Burns
Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com
---
 doc/src/sgml/ref/alter_default_privileges.sgml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index f1d54f5aa3..fcff17e642 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -138,6 +138,11 @@ REVOKE [ GRANT OPTION FOR ]
      <para>
       The name of an existing role of which the current role is a member.
       If <literal>FOR ROLE</literal> is omitted, the current role is assumed.
+      Default privileges are only applied to objects created by the
+      <replaceable>target_role</replaceable>.  There is no way to set default
+      privileges for objects created by arbitrary roles; for that, you'd have
+      to run <command>ALTER DEFAULT PRIVILEGES</command> for each role that can
+      create objects.
      </para>
     </listitem>
    </varlistentry>
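Review bot: In the added sentence "There is no way to set default privileges for objects created by arbitrary roles", the phrase "arbitrary roles" can be read as "any role you choose", which is the opposite of the intended meaning; "for objects created by all roles at once" would be unambiguous. Because the new text directly follows "The name of an existing role of which the current role is a member", it would also help to say that objects created by a member of target_role under its own identity are not covered, since that membership wording is what readers tend to over-read. The contraction in "for that, you'd have to run" is informal for a reference page; "instead, run ALTER DEFAULT PRIVILEGES separately for each role that can create objects" says the same thing.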
-- 
2.38.1
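
The behaviour the patch documents, as an added example that is not part of the original thread or of the PostgreSQL documentation: default privileges registered for one creating role do not cover a table created by another role. The role, schema and table names are constructed for illustration, and the script assumes it is run by a superuser in a scratch database.

```sql
-- Constructed setup: two roles that create tables, one role that should read them.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE migrator  NOLOGIN;
CREATE ROLE reporting NOLOGIN;
CREATE SCHEMA app;
GRANT USAGE, CREATE ON SCHEMA app TO app_owner, migrator;
GRANT USAGE ON SCHEMA app TO reporting;

-- Registers a default ACL only for tables that app_owner creates in schema app.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO reporting;

-- One table per creating role.
SET ROLE app_owner;
CREATE TABLE app.orders (id int);
RESET ROLE;

SET ROLE migrator;
CREATE TABLE app.invoices (id int);
RESET ROLE;

-- Check: compare each table's owner with whether reporting can read it.
SELECT c.relname,
       pg_get_userbyid(c.relowner)                       AS owner,
       has_table_privilege('reporting', c.oid, 'SELECT') AS reporting_can_select
FROM pg_class c
WHERE c.relnamespace = 'app'::regnamespace
  AND c.relkind = 'r'
ORDER BY c.relname;

-- Audit: which creating roles have default privileges registered at all.
SELECT pg_get_userbyid(defaclrole)   AS creating_role,
       defaclnamespace::regnamespace AS schema_name,
       defaclobjtype,
       defaclacl
FROM pg_default_acl;

-- Remedy described in the patch: repeat the command for each creating role.
ALTER DEFAULT PRIVILEGES FOR ROLE migrator IN SCHEMA app
    GRANT SELECT ON TABLES TO reporting;

-- Default privileges affect only objects created afterwards, so the table
-- that already exists needs an explicit grant.
GRANT SELECT ON app.invoices TO reporting;
```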
