Re: Version 14/15 documentation Section "Alter Default Privileges"

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: Michael Banck <mbanck(at)gmx(dot)net>, David Burns <david(dot)burns(at)fedex(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
Date: 2023-11-07 22:30:20
Message-ID: ZUq6fAsQZsyUAySx@momjian.us
Lists: pgsql-docs pgsql-hackers

On Mon, Nov 6, 2023 at 09:53:50PM +0100, Laurenz Albe wrote:
> On Mon, 2023-11-06 at 10:55 -0500, Bruce Momjian wrote:
> > Okay, I think I have good wording for this. I didn't like the wording
> > of other roles, so I restructured that in the attached patch too.
>
> > <para>
> > ! Default privileges apply only to the active role; the default
> > ! privileges of member roles have no affect on object permissions.
> > ! <command>SET ROLE</command> can be used to change the active user and
> > ! apply their default privileges.
> > ! </para>
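
Review bot: In the second changed line of this paragraph, "have no affect on object permissions" should read "have no effect on object permissions"; "affect" is the verb, and the noun is what the sentence needs.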
>
> You don't mean member roles, but roles that the active role is a member of,
> right?

Yes, sorry, fixed in the attached patch.

> + <para>
> + As a non-superuser, you can change default privileges only on objects created
> + by yourself or by roles that you are a member of. However, you don't inherit
> + altered default privileges from roles you are a member of; objects you create
> + will receive the default privileges for your current role.
> + </para>

I went with different wording since I found the above confusing.

You didn't seem to like my SET ROLE suggestion so I removed it.

> +
> + <para>
> + There is no way to change the default privileges for objects created by
> + arbitrary roles. You have run <command>ALTER DEFAULT PRIVILEGES</command>
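
Review bot: The second sentence of this added paragraph, "You have run <command>ALTER DEFAULT PRIVILEGES</command>", is missing a word and reads as a statement about something already done. "You have to run" (or "You must run") matches the instruction the sentence is giving.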

I find the above sentence odd. What is its purpose?

> + for any role that can create objects whose default privileges should be
> + modified.
> + </para>
> +
> + <para>
> + Currently,
> + only the privileges for schemas, tables (including views and foreign
> + tables), sequences, functions, and types (including domains) can be
> + altered. For this command, functions include aggregates and procedures.
> + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
> + equivalent in this command. (<literal>ROUTINES</literal> is preferred
> + going forward as the standard term for functions and procedures taken
> + together. In earlier PostgreSQL releases, only the
> + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
> + default privileges for functions and procedures separately.)
> + </para>
> +
> <para>
> Default privileges that are specified per-schema are added to whatever
> the global default privileges are for the particular object type.
> @@ -136,8 +149,9 @@ REVOKE [ GRANT OPTION FOR ]
> <term><replaceable>target_role</replaceable></term>
> <listitem>
> <para>
> - The name of an existing role of which the current role is a member.
> - If <literal>FOR ROLE</literal> is omitted, the current role is assumed.
> + Default privileges are changed for objects created by the
> + <replaceable>target_role</replaceable>, or the current
> + role if unspecified.
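
Review bot: The new <replaceable>target_role</replaceable> description no longer says that the role must exist or that the current role must be a member of it, both of which the removed lines stated. The membership rule for non-superusers now appears only in the description paragraph added earlier in this patch, so a reader who goes straight to the parameter entry will not see it. Consider keeping a clause such as "of which the current role is a member" here, or referring back to that paragraph.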

I like a verb to be first, like "Change" rather than "default
privileges".

Patch attached.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.

Attachment Content-Type Size
role.diff text/x-diff 3.8 KB
