You can change default privileges only for objects that will be created by
yourself or by roles that you are a member of. The privileges can be set
globally (i.e., for all objects created in the current database),
- or just for objects created in specified schemas. Default privileges
- that are specified per-schema are added to whatever the global default
- privileges are for the particular object type.
+ or just for objects created in specified schemas.
ALTER DEFAULT PRIVILEGES.
+ Default privileges that are specified per-schema are added to whatever
+ the global default privileges are for the particular object type.
+ This means you cannot revoke privileges per-schema if they are granted
+ globally (either by default, or according to a previous ALTER
+ DEFAULT PRIVILEGES command that did not specify a schema).
+ Per-schema REVOKE is only useful to reverse the
+ effects of a previous per-schema GRANT.
+
+
Parameters
are altered for objects later created in that schema.
If IN SCHEMA is omitted, the global default privileges
are altered.
- IN SCHEMA is not allowed when using ON SCHEMAS
- as schemas can't be nested.
+ IN SCHEMA is not allowed when setting privileges
+ for schemas, since schemas can't be nested.
Remove the public EXECUTE permission that is normally granted on functions,
for all functions subsequently created by role admin:
-
ALTER DEFAULT PRIVILEGES FOR ROLE admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
-
+
+ Note however that you cannot accomplish that effect
+ with a command limited to a single schema. This command has no effect,
+ unless it is undoing a matching GRANT:
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
+
+ That's because per-schema default privileges can only add privileges to
+ the global setting, not remove privileges granted by it.
+
projects / postgresql.git / commitdiff