Re: New predefined roles- 'pg_read/write_all_data'

Greetings,

* Michael Banck (michael(dot)banck(at)credativ(dot)de) wrote:
> On Thu, Apr 01, 2021 at 04:00:06PM -0400, Stephen Frost wrote:
> > diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
> > index d171b13236..fe0bdb7599 100644
> > --- a/doc/src/sgml/user-manag.sgml
> > +++ b/doc/src/sgml/user-manag.sgml
> > @@ -518,6 +518,24 @@ DROP ROLE doomed_role;
> > </row>
> > </thead>
> > <tbody>
> > + <row>
> > + <entry>pg_read_all_data</entry>
> > + <entry>Read all data (tables, views, sequences), as if having SELECT
> > + rights on those objects, and USAGE rights on all schemas, even without
> > + having it explicitly. This role does not have the role attribute
> > + <literal>BYPASSRLS</literal> set. If RLS is being used, an administrator
> > + may wish to set <literal>BYPASSRLS</literal> on roles which this role is
> > + GRANTed to.</entry>
> > + </row>
> > + <row>
> > + <entry>pg_write_all_data</entry>
> > + <entry>Write all data (tables, views, sequences), as if having INSERT,
> > + UPDATE, and DELETE rights on those objects, and USAGE rights on all
> > + schemas, even without having it explicitly. This role does not have the
> > + role attribute <literal>BYPASSRLS</literal> set. If RLS is being used,
> > + an administrator may wish to set <literal>BYPASSRLS</literal> on roles
> > + which this role is GRANTed to.</entry>
> > + </row>
>
> Shouldn't those "SELECT", "INSERT" etc. be wrapped in <command> tags?

Yeah, good point, fixed.

Thanks!

Stephen