author: Tom Lane <tgl@sss.pgh.pa.us> 2019-11-20 12:27:00 -0500
committer: Tom Lane <tgl@sss.pgh.pa.us> 2019-11-20 12:27:00 -0500
commit: 86be6453ba295c3af222ee1e27a243d378070e92 (patch)
tree: 40481e185e05a40332011ff3749d2a4f2b57ea33
parent: a28704af42c68e659cdeeec5b5b2fc84054ae02c (diff)
download: postgresql-86be6453ba295c3af222ee1e27a243d378070e92.tar.gz, postgresql-86be6453ba295c3af222ee1e27a243d378070e92.zip
Doc: improve discussion of object owners' inherent privileges.

In particular, clarify that the role membership mechanism allows members to inherit the ownership privileges of an object's owning role.

Laurenz Albe, with some kibitzing by me

Discussion: https://postgr.es/m/504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at
-rw-r--r-- doc/src/sgml/ddl.sgml | 23
1 files changed, 13 insertions, 10 deletions
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 9d6ec2c7382..0be07747489 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
</para>
<para>
- The right to modify or destroy an object is always the privilege of
- the owner only.
+ The right to modify or destroy an object is inherent in being the
+ object's owner, and cannot be granted or revoked in itself.
+ (However, like all privileges, that right can be inherited by
+ members of the owning role; see <xref linkend="role-membership"/>.)
</para>
<para>
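Review bot: the parenthetical added in `+ (However, like all privileges, that right can be inherited by` / `+ members of the owning role; ...)` is the security-relevant point of this hunk, but "like all privileges" sits awkwardly next to the preceding sentence, which says the right "cannot be granted or revoked in itself". Consider stating plainly that membership in the owning role is the only way a non-owner can obtain the right to modify or drop the object, so that a reader does not go looking for a GRANT form that does not exist and so that administrators auditing who can drop an object know to inspect role membership, not just the object's ACL.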
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
</para>
<para>
- To revoke a privilege, use the fittingly named
+ To revoke a previously-granted privilege, use the fittingly named
<xref linkend="sql-revoke"/> command:
<programlisting>
REVOKE ALL ON accounts FROM PUBLIC;
</programlisting>
- The special privileges of the object owner (i.e., the right to do
- <command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
- are always implicit in being the owner,
- and cannot be granted or revoked. But the object owner can choose
- to revoke their own ordinary privileges, for example to make a
- table read-only for themselves as well as others.
</para>
<para>
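Review bot: the six removed lines starting at `- The special privileges of the object owner (i.e., the right to do` were the only place this section named the concrete owner-only operations (`DROP`, `GRANT`, `REVOKE`); the replacement wording in the earlier hunk speaks only of the right to "modify or destroy" the object. Consider keeping an explicit mention that granting and revoking privileges on the object are themselves owner rights, since that is what makes ownership the effective security boundary for the object's ACL. The change from "To revoke a privilege" to "To revoke a previously-granted privilege" is a good precision fix and needs no further work.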
@@ -1639,6 +1635,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
</para>
<para>
+ An object's owner can choose to revoke their own ordinary privileges,
+ for example to make a table read-only for themselves as well as others.
+ But owners are always treated as holding all grant options, so they
+ can always re-grant their own privileges.
+ </para>
+
+ <para>
The available privileges are:
<variablelist>
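Review bot: the new paragraph `+ But owners are always treated as holding all grant options, so they` / `+ can always re-grant their own privileges.` correctly prevents readers from mistaking self-revocation for a hard restriction, but given the first hunk's statement that owner rights are inherited by members of the owning role, it would be worth adding that those members can likewise re-grant, so nobody relies on a REVOKE against the owner as a protective control. Also check that this paragraph is placed where the deleted text from the previous hunk used to be referenced, so the flow from the `REVOKE ALL ON accounts FROM PUBLIC;` example into the list of available privileges still reads naturally.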
@@ -4695,7 +4698,7 @@ EXPLAIN SELECT count(*) FROM measurement WHERE logdate &gt;= DATE '2008-01-01';
</itemizedlist>
</para>
</sect2>
-
+
<sect2 id="ddl-partitioning-declarative-best-practices">
<title>Declarative Partitioning Best Practices</title>
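Review bot: the `-` / `+` pair at the end of the `</sect2>` block is a whitespace-only change in the partitioning section, unrelated to the privilege discussion the commit message describes; it is harmless, but mention it in the commit message or fold it into a separate cleanup so the history for this documentation section stays easy to audit.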