On Fri, 2023-10-27 at 11:34 +0200, Michael Banck wrote:
> On Fri, Oct 27, 2023 at 09:03:04AM +0200, Laurenz Albe wrote:
> > On Fri, 2022-11-04 at 10:49 +0100, Laurenz Albe wrote:
> > > On Thu, 2022-11-03 at 11:32 +0100, Laurenz Albe wrote:
> > > > On Wed, 2022-11-02 at 19:29 +0000, David Burns wrote:
> > > > > Some additional clarity in the versions 14/15 documentation
> > > > > would be helpful specifically surrounding the "target_role"
> > > > > clause for the ALTER DEFAULT PRIVILEGES command. To the
> > > > > uninitiated, the current description seems vague. Maybe
> > > > > something like the following would help:
> > >
> > > After some more thinking, I came up with the attached patch.
> >
> I think something like this is highly useful because I have also seen
> people very confused why default privileges are not applied.
>
> However, maybe it could be made even clearer if also the main
> description is amended, like
>
> "You can change default privileges only for objects that will be created
> by yourself or by roles that you are a member of (via target_role)."
>
> or something.

True. I have done that in the attached patch.

In this patch, it is mentioned *twice* that ALTER DEFAULT PRIVILEGES
only affects objects created by the current user. I thought that would
not harm, but if it is too redundant, I can remove the second mention.

Yours,
Laurenz Albe

From 6c618553cc21639e774f6fd108423134139bfc0a Mon Sep 17 00:00:00 2001 From: Laurenz Albe <laurenz.a...@cybertec.at> Date: Fri, 27 Oct 2023 17:44:19 +0200 Subject: [PATCH] Improve ALTER DEFAULT PRIVILEGES documentation Clarify that default privileges are only applied to objects created by the target role. This has been a frequent source of misunderstandings. Per request from David Burns. Author: Laurenz Albe Reviewed-by: Michael Banck Discussion: https://postgr.es/m/LV2PR12MB5725F7C1B8EB2FC38829F276E7399%40LV2PR12MB5725.namprd12.prod.outlook.com --- doc/src/sgml/ref/alter_default_privileges.sgml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml index f1d54f5aa3..cf0ffa9c49 100644 --- a/doc/src/sgml/ref/alter_default_privileges.sgml +++ b/doc/src/sgml/ref/alter_default_privileges.sgml @@ -90,7 +90,10 @@ REVOKE [ GRANT OPTION FOR ] <para> <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges that will be applied to objects created in the future. (It does not - affect privileges assigned to already-existing objects.) Currently, + affect privileges assigned to already-existing objects.) <command>ALTER + DEFAULT PRIVILEGES</command> changes default privileges only for objects + that will be created by the user that executed the statement (or by + <replaceable>target_role</replaceable>, if specified). Currently, only the privileges for schemas, tables (including views and foreign tables), sequences, functions, and types (including domains) can be altered. For this command, functions include aggregates and procedures. 
@@ -138,6 +141,11 @@ REVOKE [ GRANT OPTION FOR ] <para> The name of an existing role of which the current role is a member. If <literal>FOR ROLE</literal> is omitted, the current role is assumed. + Default privileges are only changed for new objects created by the + <replaceable>target_role</replaceable>. There is no way to set default + privileges for objects created by arbitrary roles; for that, you'd have + to run <command>ALTER DEFAULT PRIVILEGES</command> for each role that can + create objects. </para> </listitem> </varlistentry> -- 2.41.0
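
Review bot: In the first hunk (main description paragraph), the added sentence says "created by the user that executed the statement", while the target_role paragraph on the same page uses "the current role". Suggest "created by the current role (or by target_role, if specified)" so that both places use one term and a reader does not have to wonder whether "user" and "role" mean different things here. The sentence would also read more smoothly starting with "It changes default privileges only for ..." instead of repeating the full command name directly after the parenthetical.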
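
Review bot: In the second hunk (target_role parameter paragraph), "There is no way to set default privileges for objects created by arbitrary roles; for that, you'd have to run ..." first states that it cannot be done and then describes how to do it, and the contraction "you'd" is informal for a reference page. Suggest wording along the lines of "Default privileges cannot be set for all roles at once; run ALTER DEFAULT PRIVILEGES once for each role that can create objects." Because the unchanged sentence just above requires the current role to be a member of target_role, it would help to state that the per-role approach needs membership in each of those roles. This paragraph also restates the sentence added to the main description, so one of the two mentions could be shortened to a brief cross-reference.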