On Mon, Nov 6, 2023 at 09:44:14AM +0100, Laurenz Albe wrote:
> On Sat, 2023-11-04 at 21:14 -0400, Bruce Momjian wrote:
> > > It is not the role that is modified.  Perhaps:
> > >
> > >    [...]; if omitted, the current role is used.
> >
> > Sure, attached.  Here is the issue I have though, we are really not
> > changing default privileges for objects created in the future, we are
> > changing the role _now_ so future objects will have different default
> > privileges, right?  I think wording like the above is kind of odd.
>
> I see what you mean.  The alternative is to be precise, at the risk of
> repeating ourselves:
>
>    if omitted, default privileges will be changed for objects created by
>    the current role.

Okay, I think I have good wording for this.  I didn't like the wording
of other roles, so I restructured that in the attached patch too.

--
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml new file mode 100644 index 8a60061..a868779 *** a/doc/src/sgml/ref/alter_default_privileges.sgml --- b/doc/src/sgml/ref/alter_default_privileges.sgml *************** REVOKE [ GRANT OPTION FOR ] *** 90,112 **** <para> <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges that will be applied to objects created in the future. (It does not ! affect privileges assigned to already-existing objects.) Currently, ! only the privileges for schemas, tables (including views and foreign ! tables), sequences, functions, and types (including domains) can be ! altered. For this command, functions include aggregates and procedures. ! The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are ! equivalent in this command. (<literal>ROUTINES</literal> is preferred ! going forward as the standard term for functions and procedures taken ! together. In earlier PostgreSQL releases, only the ! word <literal>FUNCTIONS</literal> was allowed. It is not possible to set ! default privileges for functions and procedures separately.) </para> <para> ! You can change default privileges only for objects that will be created by ! yourself or by roles that you are a member of. The privileges can be set ! globally (i.e., for all objects created in the current database), ! or just for objects created in specified schemas. </para> <para> --- 90,113 ---- <para> <command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges that will be applied to objects created in the future. (It does not ! affect privileges assigned to already-existing objects.) Privileges can be ! set globally (i.e., for all objects created in the current database), or ! just for objects created in specified schemas. </para> <para> ! Default privileges apply only to the active role; the default ! privileges of member roles have no affect on object permissions. ! 
<command>SET ROLE</command> can be used to change the active user and ! apply their default privileges. ! </para> ! ! <para> ! As a non-superuser, you can change your own default privileges and ! the defauls of roles that you are a member of. There is no way to ! set default privileges for a role and all its members with a single ! command; individual <command>ALTER DEFAULT PRIVILEGES</command> ! commands must be run to achieve this. </para> <para> *************** REVOKE [ GRANT OPTION FOR ] *** 119,124 **** --- 120,138 ---- </para> <para> + Currently, + only the privileges for schemas, tables (including views and foreign + tables), sequences, functions, and types (including domains) can be + altered. For this command, functions include aggregates and procedures. + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are + equivalent in this command. (<literal>ROUTINES</literal> is preferred + going forward as the standard term for functions and procedures taken + together. In earlier PostgreSQL releases, only the + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set + default privileges for functions and procedures separately.) + </para> + + <para> Default privileges that are specified per-schema are added to whatever the global default privileges are for the particular object type. This means you cannot revoke privileges per-schema if they are granted *************** REVOKE [ GRANT OPTION FOR ] *** 136,147 **** <term><replaceable>target_role</replaceable></term> <listitem> <para> ! The name of an existing role of which the current role is a member. ! Default access privileges are not inherited, so member roles ! must use <command>SET ROLE</command> to access these privileges, ! or <command>ALTER DEFAULT PRIVILEGES</command> must be run for ! each member role. If <literal>FOR ROLE</literal> is omitted, ! the current role is assumed. 
</para> </listitem> </varlistentry> --- 150,158 ---- <term><replaceable>target_role</replaceable></term> <listitem> <para> ! Change default privileges for objects created by the ! <replaceable>target_role</replaceable>, or the current ! role if unspecified. </para> </listitem> </varlistentry>
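
Review bot: In the first hunk, "the default privileges of member roles have no affect on object permissions" is ambiguous about the direction of membership. The target_role text removed later in this patch said that member roles do not inherit the defaults of the role they belong to, but "member roles" here can be read as the roles that are members of the active role. Suggest naming the direction explicitly, for example that defaults set for a role the current role is a member of are not applied to objects the current role creates. The same hunk has two typos ("no affect" should be "no effect", "the defauls of roles" should be "the defaults of roles") and mixes "the active role" and "the active user" where the target_role entry says "the current role"; one term throughout would read better.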
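
Review bot: The paragraph moved in the second hunk (120,138) now begins with "Currently," alone on its own line, a leftover from cutting the sentence out of the first paragraph. Rewrap it so the added paragraph starts "Currently, only the privileges for schemas, tables (including views and foreign" and the following lines are filled to the usual width.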
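
Review bot: The new target_role entry in the third hunk no longer says what the value must be. The removed text stated "The name of an existing role of which the current role is a member", and the replacement describes an action ("Change default privileges for objects created by the target_role") without the existing-role or membership requirement, which now appears only in the description paragraph about non-superusers. "or the current role if unspecified" is also less precise than the removed "If FOR ROLE is omitted", since it is the FOR ROLE clause that is optional. Suggest keeping a sentence such as "The name of an existing role" with the membership condition, and wording the fallback as "if FOR ROLE is omitted".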