1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>ALTER DEFAULT PRIVILEGES</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sql-alterdatabase.html" title="ALTER DATABASE" /><link rel="next" href="sql-alterdomain.html" title="ALTER DOMAIN" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">ALTER DEFAULT PRIVILEGES</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-alterdatabase.html" title="ALTER DATABASE">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-alterdomain.html" title="ALTER DOMAIN">Next</a></td></tr></table><hr /></div><div class="refentry" id="SQL-ALTERDEFAULTPRIVILEGES"><div class="titlepage"></div><a id="id-1.9.3.8.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">ALTER DEFAULT PRIVILEGES</span></h2><p>ALTER DEFAULT PRIVILEGES — define default access privileges</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">
3 ALTER DEFAULT PRIVILEGES
4 [ FOR { ROLE | USER } <em class="replaceable"><code>target_role</code></em> [, ...] ]
5 [ IN SCHEMA <em class="replaceable"><code>schema_name</code></em> [, ...] ]
6 <em class="replaceable"><code>abbreviated_grant_or_revoke</code></em>
8 <span class="phrase">where <em class="replaceable"><code>abbreviated_grant_or_revoke</code></em> is one of:</span>
10 GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
11 [, ...] | ALL [ PRIVILEGES ] }
13 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
15 GRANT { { USAGE | SELECT | UPDATE }
16 [, ...] | ALL [ PRIVILEGES ] }
18 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
20 GRANT { EXECUTE | ALL [ PRIVILEGES ] }
21 ON { FUNCTIONS | ROUTINES }
22 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
24 GRANT { USAGE | ALL [ PRIVILEGES ] }
26 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
28 GRANT { { USAGE | CREATE }
29 [, ...] | ALL [ PRIVILEGES ] }
31 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
33 GRANT { { SELECT | UPDATE }
34 [, ...] | ALL [ PRIVILEGES ] }
36 TO { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
38 REVOKE [ GRANT OPTION FOR ]
39 { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
40 [, ...] | ALL [ PRIVILEGES ] }
42 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
43 [ CASCADE | RESTRICT ]
45 REVOKE [ GRANT OPTION FOR ]
46 { { USAGE | SELECT | UPDATE }
47 [, ...] | ALL [ PRIVILEGES ] }
49 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
50 [ CASCADE | RESTRICT ]
52 REVOKE [ GRANT OPTION FOR ]
53 { EXECUTE | ALL [ PRIVILEGES ] }
54 ON { FUNCTIONS | ROUTINES }
55 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
56 [ CASCADE | RESTRICT ]
58 REVOKE [ GRANT OPTION FOR ]
59 { USAGE | ALL [ PRIVILEGES ] }
61 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
62 [ CASCADE | RESTRICT ]
64 REVOKE [ GRANT OPTION FOR ]
66 [, ...] | ALL [ PRIVILEGES ] }
68 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
69 [ CASCADE | RESTRICT ]
71 REVOKE [ GRANT OPTION FOR ]
73 [, ...] | ALL [ PRIVILEGES ] }
75 FROM { [ GROUP ] <em class="replaceable"><code>role_name</code></em> | PUBLIC } [, ...]
76 [ CASCADE | RESTRICT ]
77 </pre></div><div class="refsect1" id="SQL-ALTERDEFAULTPRIVILEGES-DESCRIPTION"><h2>Description</h2><p>
78 <code class="command">ALTER DEFAULT PRIVILEGES</code> allows you to set the
79 privileges that will be applied to objects created in the future.
80 (It does not affect privileges assigned to already-existing objects.)
81 Privileges can be set globally (i.e., for all objects created in the
82 current database), or just for objects created in specified schemas.
84 While you can change your own default privileges and the defaults of
85 roles that you are a member of, at object creation time, new object
86 permissions are only affected by the default privileges of the current
87 role, and are not inherited from any roles in which the current role
90 As explained in <a class="xref" href="ddl-priv.html" title="5.8. Privileges">Section 5.8</a>,
91 the default privileges for any object type normally grant all grantable
92 permissions to the object owner, and may grant some privileges to
93 <code class="literal">PUBLIC</code> as well. However, this behavior can be changed by
94 altering the global default privileges with
95 <code class="command">ALTER DEFAULT PRIVILEGES</code>.
98 only the privileges for schemas, tables (including views and foreign
99 tables), sequences, functions, types (including domains), and large objects
100 can be altered. For this command, functions include aggregates and procedures.
101 The words <code class="literal">FUNCTIONS</code> and <code class="literal">ROUTINES</code> are
102 equivalent in this command. (<code class="literal">ROUTINES</code> is preferred
103 going forward as the standard term for functions and procedures taken
104 together. In earlier PostgreSQL releases, only the
105 word <code class="literal">FUNCTIONS</code> was allowed. It is not possible to set
106 default privileges for functions and procedures separately.)
108 Default privileges that are specified per-schema are added to whatever
109 the global default privileges are for the particular object type.
110 This means you cannot revoke privileges per-schema if they are granted
111 globally (either by default, or according to a previous <code class="command">ALTER
112 DEFAULT PRIVILEGES</code> command that did not specify a schema).
113 Per-schema <code class="literal">REVOKE</code> is only useful to reverse the
114 effects of a previous per-schema <code class="literal">GRANT</code>.
115 </p><div class="refsect2" id="id-1.9.3.8.5.7"><h3>Parameters</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>target_role</code></em></span></dt><dd><p>
116 Change default privileges for objects created by the
117 <em class="replaceable"><code>target_role</code></em>, or the current
119 </p></dd><dt><span class="term"><em class="replaceable"><code>schema_name</code></em></span></dt><dd><p>
120 The name of an existing schema. If specified, the default privileges
121 are altered for objects later created in that schema.
122 If <code class="literal">IN SCHEMA</code> is omitted, the global default privileges
124 <code class="literal">IN SCHEMA</code> is not allowed when setting privileges
125 for schemas and large objects, since schemas can't be nested and
126 large objects don't belong to a schema.
127 </p></dd><dt><span class="term"><em class="replaceable"><code>role_name</code></em></span></dt><dd><p>
128 The name of an existing role to grant or revoke privileges for.
129 This parameter, and all the other parameters in
130 <em class="replaceable"><code>abbreviated_grant_or_revoke</code></em>,
131 act as described under
132 <a class="xref" href="sql-grant.html" title="GRANT"><span class="refentrytitle">GRANT</span></a> or
133 <a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a>,
134 except that one is setting permissions for a whole class of objects
135 rather than specific named objects.
136 </p></dd></dl></div></div></div><div class="refsect1" id="SQL-ALTERDEFAULTPRIVILEGES-NOTES"><h2>Notes</h2><p>
137 Use <a class="xref" href="app-psql.html" title="psql"><span class="refentrytitle"><span class="application">psql</span></span></a>'s <code class="command">\ddp</code> command
138 to obtain information about existing assignments of default privileges.
139 The meaning of the privilege display is the same as explained for
140 <code class="command">\dp</code> in <a class="xref" href="ddl-priv.html" title="5.8. Privileges">Section 5.8</a>.
142 If you wish to drop a role for which the default privileges have been
143 altered, it is necessary to reverse the changes in its default privileges
144 or use <code class="command">DROP OWNED BY</code> to get rid of the default privileges entry
146 </p></div><div class="refsect1" id="SQL-ALTERDEFAULTPRIVILEGES-EXAMPLES"><h2>Examples</h2><p>
147 Grant SELECT privilege to everyone for all tables (and views) you
148 subsequently create in schema <code class="literal">myschema</code>, and allow
149 role <code class="literal">webuser</code> to INSERT into them too:
151 </p><pre class="programlisting">
152 ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT SELECT ON TABLES TO PUBLIC;
153 ALTER DEFAULT PRIVILEGES IN SCHEMA myschema GRANT INSERT ON TABLES TO webuser;
156 Undo the above, so that subsequently-created tables won't have any
157 more permissions than normal:
159 </p><pre class="programlisting">
160 ALTER DEFAULT PRIVILEGES IN SCHEMA myschema REVOKE SELECT ON TABLES FROM PUBLIC;
161 ALTER DEFAULT PRIVILEGES IN SCHEMA myschema REVOKE INSERT ON TABLES FROM webuser;
164 Remove the public EXECUTE permission that is normally granted on functions,
165 for all functions subsequently created by role <code class="literal">admin</code>:
166 </p><pre class="programlisting">
167 ALTER DEFAULT PRIVILEGES FOR ROLE admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
169 Note however that you <span class="emphasis"><em>cannot</em></span> accomplish that effect
170 with a command limited to a single schema. This command has no effect,
171 unless it is undoing a matching <code class="literal">GRANT</code>:
172 </p><pre class="programlisting">
173 ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
175 That's because per-schema default privileges can only add privileges to
176 the global setting, not remove privileges granted by it.
177 </p></div><div class="refsect1" id="id-1.9.3.8.8"><h2>Compatibility</h2><p>
178 There is no <code class="command">ALTER DEFAULT PRIVILEGES</code> statement in the SQL
180 </p></div><div class="refsect1" id="id-1.9.3.8.9"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sql-grant.html" title="GRANT"><span class="refentrytitle">GRANT</span></a>, <a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-alterdatabase.html" title="ALTER DATABASE">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-alterdomain.html" title="ALTER DOMAIN">Next</a></td></tr><tr><td width="40%" align="left" valign="top">ALTER DATABASE </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> ALTER DOMAIN</td></tr></table></div></body></html>
begriffs.com / projects / ai-pg / blob