From af019fb9aec0274875a10a89c68c8fecb949349f Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Tue, 26 Jul 2005 16:38:29 +0000
Subject: Add a role property 'rolinherit' which, when false, denotes that the
 role doesn't automatically inherit the privileges of roles it is a member of;
 for such a role, membership in another role can be exploited only by doing
 explicit SET ROLE.  The default inherit setting is TRUE, so by default the
 behavior doesn't change, but creating a user with NOINHERIT gives closer
 adherence to our current reading of SQL99.  Documentation still lacking, and
 I think the information schema needs another look.

---
 doc/src/sgml/catalogs.sgml | 30 +++++++++++++++++++++++++++++-
 doc/src/sgml/func.sgml     |  9 +++++++--
 2 files changed, 36 insertions(+), 3 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index fa0abca950c..0c8ed68195d 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1,6 +1,6 @@
 <!--
  Documentation of the system catalogs, directed toward PostgreSQL developers
- $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.108 2005/07/14 05:13:38 tgl Exp $
+ $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.109 2005/07/26 16:38:25 tgl Exp $
  -->
 
 <chapter id="catalogs">
@@ -976,6 +976,14 @@
       <entry>Role has superuser privileges</entry>
      </row>
 
+     <row>
+      <entry><structfield>rolinherit</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry></entry>
+      <entry>Role automatically inherits privileges of roles it is a
+       member of</entry>
+     </row>
+
      <row>
       <entry><structfield>rolcreaterole</structfield></entry>
       <entry><type>bool</type></entry>
@@ -4728,6 +4736,11 @@
    that blanks out the password field.
   </para>
 
+  <para>
+   This view explicitly exposes the OID column of the underlying table,
+   since that is needed to do joins to other catalogs.
+  </para>
+
   <table>
    <title><structname>pg_roles</> Columns</title>
 
@@ -4756,6 +4769,14 @@
       <entry>Role has superuser privileges</entry>
      </row>
 
+     <row>
+      <entry><structfield>rolinherit</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry></entry>
+      <entry>Role automatically inherits privileges of roles it is a
+       member of</entry>
+     </row>
+
      <row>
       <entry><structfield>rolcreaterole</structfield></entry>
       <entry><type>bool</type></entry>
@@ -4811,6 +4832,13 @@
       <entry></entry>
       <entry>Session defaults for run-time configuration variables</entry>
      </row>
+
+     <row>
+      <entry><structfield>oid</structfield></entry>
+      <entry><type>oid</type></entry>
+      <entry><literal><link linkend="catalog-pg-authid"><structname>pg_authid</structname></link>.oid</literal></entry>
+      <entry>ID of role</entry>
+     </row>
     </tbody>
    </tgroup>
   </table>
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index b5ce30105bc..0fdcb1d0df1 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.271 2005/07/26 00:04:17 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.272 2005/07/26 16:38:25 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -8559,7 +8559,12 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
     can access a role in a particular way.  The possibilities for its
     arguments are analogous to <function>has_table_privilege</function>.
     The desired access privilege type must evaluate to
-    <literal>MEMBER</literal>.
+    <literal>MEMBER</literal> or
+    <literal>USAGE</literal>.
+    <literal>MEMBER</literal> denotes direct or indirect membership in
+    the role (that is, the right to do <literal>SET ROLE</>), while
+    <literal>USAGE</literal> denotes whether the privileges of the role
+    are immediately available without doing <literal>SET ROLE</>.
    </para>
 
    <para>
-- 
cgit v1.2.3