target_role definition clarification


PG Bug reporting form
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/12/sql-alterdefaultprivileges.html
Description:

The documentation on ALTER DEFAULT PRIVILEGES currently defines the
parameter target_role like this:

> The name of an existing role of which the current role is a member. If FOR ROLE is omitted, the current role is assumed.

To be honest, this didn't help me to understand the purpose of the FOR ROLE
clause. And the rest of the section doesn't really explain it, either.

Also, the first part doesn't seem to be true. I mean, as user postgres,
something like this succeeds:

```
> ALTER DEFAULT PRIVILEGES FOR ROLE juser IN SCHEMA public GRANT select ON TABLES TO backenduser;
ALTER DEFAULT PRIVILEGES
```

Seems like a contradiction to the first sentence because user postgres
(although it's a superuser) isn't a member of role juser.

What I expected from that section is an explanation of the FOR ROLE
clause.

My current understanding is this: default privileges definitions are bound
to one or multiple roles. That means that only when the FOR ROLE role(s)
create(s) a specified object then the specified GRANT is automatically
applied to it. Other roles aren't affected by that default privileges
definition then.
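
The following is an added example, not part of the original message or the PostgreSQL documentation. It tests the behaviour discussed above: a default-privileges entry created with FOR ROLE juser takes effect only for tables that juser creates, and the entry can be audited in the pg_default_acl catalog. The roles juser and backenduser come from the post; otheruser, the schema demo and the table names are assumptions, and the script is meant for a scratch cluster where those roles do not already exist.

```sql
-- Added example. Run as a superuser; everything is rolled back at the end.
-- juser and backenduser are from the post; otheruser, schema "demo" and the
-- table names are assumptions made for this illustration.
BEGIN;

CREATE ROLE juser;
CREATE ROLE otheruser;
CREATE ROLE backenduser;

CREATE SCHEMA demo;
GRANT USAGE, CREATE ON SCHEMA demo TO juser, otheruser;
GRANT USAGE ON SCHEMA demo TO backenduser;

-- The default-privileges entry is recorded against juser as the creating role.
ALTER DEFAULT PRIVILEGES FOR ROLE juser IN SCHEMA demo
    GRANT SELECT ON TABLES TO backenduser;

-- Create one table as each candidate creator.
SET ROLE juser;
CREATE TABLE demo.made_by_juser (id int);
RESET ROLE;

SET ROLE otheruser;
CREATE TABLE demo.made_by_otheruser (id int);
RESET ROLE;

CREATE TABLE demo.made_by_superuser (id int);

-- Which of the new tables can backenduser read?
SELECT c.relname,
       pg_get_userbyid(c.relowner) AS owner,
       has_table_privilege('backenduser', c.oid, 'SELECT') AS backenduser_can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'demo' AND c.relkind = 'r'
ORDER BY c.relname;

-- Audit view: every default-privileges entry, keyed by the creating role.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,
       d.defaclacl                   AS default_acl
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
ORDER BY 1, 2, 3;

ROLLBACK;
```

When reviewing access on a real database, the second query is the useful one: it lists, per creating role, which grants will be attached automatically to future objects.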