Home Explore Blog CI



postgresql
4th chunk of `doc/src/sgml/ref/alter_default_privileges.sgml`
e0927bcab4d4c05240cf02dee46783d15b26cea3410663830000000100000cbc
   </listitem>
   </varlistentry>

   <varlistentry>
    <term><replaceable>role_name</replaceable></term>
    <listitem>
     <para>
      The name of an existing role to grant or revoke privileges for.
      This parameter, and all the other parameters in
      <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable>,
      act as described under
      <xref linkend="sql-grant"/> or
      <xref linkend="sql-revoke"/>,
      except that one is setting permissions for a whole class of objects
      rather than specific named objects.
     </para>
    </listitem>
   </varlistentry>
  </variablelist>
 </refsect2>
 </refsect1>

 <refsect1 id="sql-alterdefaultprivileges-notes">
  <title>Notes</title>

  <para>
   Use <xref linkend="app-psql"/>'s <command>\ddp</command> command
   to obtain information about existing assignments of default privileges.
   The meaning of the privilege display is the same as explained for
   <command>\dp</command> in <xref linkend="ddl-priv"/>.
  </para>

  <para>
   If you wish to drop a role for which the default privileges have been
   altered, it is necessary to reverse the changes in its default privileges
   or use <command>DROP OWNED BY</command> to get rid of the default privileges entry
   for the role.
  </para>
 </refsect1>

 <refsect1 id="sql-alterdefaultprivileges-examples">
  <title>Examples</title>

  <para>
   Grant SELECT privilege to everyone for all tables (and views) you
   subsequently create in schema <literal>myschema</literal>, and allow
   role <literal>webuser</literal> to INSERT into them too:

<programlisting>
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT INSERT ON TABLES TO webuser;
</programlisting>
  </para>

  <para>
   Undo the above, so that subsequently-created tables won't have any
   more permissions than normal:

<programlisting>
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema REVOKE SELECT ON TABLES FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA myschema REVOKE INSERT ON TABLES FROM webuser;
</programlisting>
  </para>

  <para>
   Remove the public EXECUTE permission that is normally granted on functions,
   for all functions subsequently created by role <literal>admin</literal>:
<programlisting>
ALTER DEFAULT PRIVILEGES FOR ROLE admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
</programlisting>
   Note however that you <emphasis>cannot</emphasis> accomplish that effect
   with a command limited to a single schema.  This command has no effect,
   unless it is undoing a matching <literal>GRANT</literal>:
<programlisting>
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
</programlisting>
   That's because per-schema default privileges can only add privileges to
   the global setting, not remove privileges granted by it.
  </para>
 </refsect1>

 <refsect1>
  <title>Compatibility</title>

  <para>
   There is no <command>ALTER DEFAULT PRIVILEGES</command> statement in the SQL
   standard.
  </para>
 </refsect1>

 <refsect1>
  <title>See Also</title>

  <simplelist type="inline">
   <member><xref linkend="sql-grant"/></member>
   <member><xref linkend="sql-revoke"/></member>
  </simplelist>
 </refsect1>

</refentry>
Title: ALTER DEFAULT PRIVILEGES - Notes, Examples, Compatibility, and See Also
Summary
This section provides notes on using the `\ddp` command to view default privileges and the need to reverse changes or use `DROP OWNED BY` when dropping a role with altered default privileges. It includes examples of granting and revoking privileges on tables and functions, emphasizing the scope of per-schema vs. global settings. It notes the absence of this command in the SQL standard and lists related commands for reference.