Version 14/15 documentation Section "Alter Default Privileges"

To Whom It May Concern;

Some additional clarity in the versions 14/15 documentation would be helpful specifically surrounding the "target_role" clause for the ALTER DEFAULT PRIVILEGES command. To the uninitiated, the current description seems vague. Maybe something like the following would help:

target_role
The name of an existing role of which the current role is a member. Default privileges are only applied to objects created by the targeted role/user (FOR ROLE target_role). If the FOR ROLE clause is omitted, the targeted user defaults to the current user executing the ALTER DEFAULT PRIVILEGES command. The result can be seen using the following query:

select table_catalog as database
,table_schema
,table_name
,privilege_type
,grantee
,'revoke '||privilege_type||' on '||table_schema||'.'||table_name||' from '||grantee||';' as revoke_stmt
from information_schema.table_privileges
where table_schema = 'my_schema'
and table_name = 'my_table'
order by 1,2,3,5,4;

Also, additional explanation about the differences between global defaults versus schema-level defaults, and how to identify them, would be helpful.

Additional explanation about exactly what is happening would help to put this command into perspective. On successful execution with the correct parameter values, and using both the FOR ROLE and IN SCHEMA clauses, I also received privilege grants directed to the user executing the ALTER DEFAULT PRIVILEGES command. This was in addition to the expected privileges specified in the command. I'm not sure why this occurred or how to eliminate it, in the interest of establishing "least privilege" permissions.

Thank you.

David E. Burns, Jr. | Domain Architect | FedEx Services IT | Dock and Edge Services | Mobile 412.304.8303
1000 FedEx Drive, Moon Township, PA 15108 | david(dot)burns(at)fedex(dot)com<mailto:david(dot)burns(at)fedex(dot)com>