Commit 86be645

Doc: improve discussion of object owners' inherent privileges.
In particular, clarify that the role membership mechanism allows members to inherit the ownership privileges of an object's owning role.

Laurenz Albe, with some kibitzing by me

Discussion: https://postgr.es/m/504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at
1 parent a28704a commit 86be645

‎doc/src/sgml/ddl.sgml

13 additions & 10 deletions
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
15781578
</para>
15791579

15801580
<para>
1581-
The right to modify or destroy an object is always the privilege of
1582-
the owner only.
1581+
The right to modify or destroy an object is inherent in being the
1582+
object's owner, and cannot be granted or revoked in itself.
1583+
(However, like all privileges, that right can be inherited by
1584+
members of the owning role; see <xref linkend="role-membership"/>.)
15831585
</para>
15841586

15851587
<para>
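Review bot: In the added parenthetical (new lines 1583-1584), "like all privileges" sits awkwardly right after the sentence that says this right "cannot be granted or revoked in itself", because in this section being granted and revoked is what characterizes ordinary privileges. Consider dropping "like all privileges", or rewording so the sentence says that the right is shared through membership in the owning role. Stating that directly also helps anyone auditing access: per the new text, members of the owning role hold the right to modify or destroy the object, so the object's own grants do not show everyone who can do so.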
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
16141616
</para>
16151617

16161618
<para>
1617-
To revoke a privilege, use the fittingly named
1619+
To revoke a previously-granted privilege, use the fittingly named
16181620
<xref linkend="sql-revoke"/> command:
16191621
<programlisting>
16201622
REVOKE ALL ON accounts FROM PUBLIC;
16211623
</programlisting>
1622-
The special privileges of the object owner (i.e., the right to do
1623-
<command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
1624-
are always implicit in being the owner,
1625-
and cannot be granted or revoked. But the object owner can choose
1626-
to revoke their own ordinary privileges, for example to make a
1627-
table read-only for themselves as well as others.
16281624
</para>
16291625

16301626
<para>
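Review bot: The lines removed at old 1622-1625 named the owner's special rights as commands (DROP, GRANT, REVOKE), while the replacement wording elsewhere in this patch speaks only of the right to "modify or destroy" and of "grant options", so the explicit command names are lost. Consider carrying them over into the new wording so the list of what an owner can implicitly do stays concrete. A minor style point on new line 1619: "previously-granted" does not need a hyphen after an -ly adverb; "previously granted" is the usual form.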
@@ -1638,6 +1634,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
16381634
<xref linkend="sql-revoke"/> reference pages.
16391635
</para>
16401636

1637+
<para>
1638+
An object's owner can choose to revoke their own ordinary privileges,
1639+
for example to make a table read-only for themselves as well as others.
1640+
But owners are always treated as holding all grant options, so they
1641+
can always re-grant their own privileges.
1642+
</para>
1643+
16411644
<para>
16421645
The available privileges are:
16431646

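Review bot: The new paragraph (new lines 1637-1642) says an owner can revoke their own privileges "to make a table read-only for themselves" and then that they "can always re-grant their own privileges", but it stops short of the conclusion a reader needs: such self-revocation protects against accidental changes and is not an enforceable restriction on the owner. Suggest adding a clause that says so, since a reader could otherwise take the read-only example as a way to lock an owning role out of its own table.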
@@ -4695,7 +4698,7 @@ EXPLAIN SELECT count(*) FROM measurement WHERE logdate &gt;= DATE '2008-01-01';
46954698
</itemizedlist>
46964699
</para>
46974700
</sect2>
4698-
4701+
46994702
<sect2 id="ddl-partitioning-declarative-best-practices">
47004703
<title>Declarative Partitioning Best Practices</title>
47014704

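Review bot: The only change in this hunk is at old line 4698 / new line 4701, where a line with no visible content replaces another with no visible content, which looks like a whitespace-only edit in the partitioning section. It is unrelated to the commit's stated subject (object owners' inherent privileges); consider dropping it from this commit or moving whitespace cleanup to a separate one so the documentation change stays easy to review.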