I was checking pg_roles.acl_default to see if my role-level ALTER DEFAULT PRIVILEGES had been effective. But I see the same content both before and after the ALTEr.
You mention that this needs to be done in each database. Is there a database-level version of pg_roles.acl_default that I should be checking instead? Thanks, Mike Tefft From: Tom Lane <t...@sss.pgh.pa.us> Sent: Friday, July 5, 2024 10:51 AM To: Tefft, Michael J <michael.j.te...@snapon.com> Cc: pgsql-general@lists.postgresql.org Subject: Re: Removing the default grant of EXECUTE on functions/procedures to PUBLIC "Tefft, Michael J" <Michael. J. Tefft@ snapon. com> writes: > I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC. >> From my reading, there is no straightforward way to do this. For example, "Tefft, Michael J" <michael.j.te...@snapon.com<mailto:michael.j.te...@snapon.com>> writes: > I am trying to remove the default grant of EXECUTE on all > functions/procedures to PUBLIC. >> From my reading, there is no straightforward way to do this. For example, > ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC; > Does not apply this across the entire cluster (or database) but only applies > to the role who issued it (and objects yet to be created by that role) . > So I am arriving at the conclusion that I need to alter the default > privileges for every existing role (which I expected), and ensure that > default privileges are altered for every new role that is created going > forward. > Have I analyzed this correctly? You'll also need to repeat the ALTERs in each database of your installation. regards, tom lane
