On Friday, July 5, 2024, Tefft, Michael J <michael.j.te...@snapon.com> wrote:
> I am trying to remove the default grant of EXECUTE on all > functions/procedures to PUBLIC. > > From my reading, there is no straightforward way to do this. For example, > > ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC; > > Does not apply this across the entire cluster (or database) but only > applies to the role who issued it (and objects yet to be created by that > role) . > > So I am arriving at the conclusion that I need to alter the default > privileges for every existing role (which I expected), and ensure that > default privileges are altered for every new role that is created going > forward. > > > > Have I analyzed this correctly? > > > Only those roles that have create privilege on one or more schemas. That should be a reasonably finite and static set. David J.
