diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 70e9d581c83..13e19042f50 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
@@ -157,11 +157,10 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
CREATE
- For databases, allows new schemas to be created in the database.
+ For databases, allows new schemas to be created within the database.
- For schemas, allows new objects to be created within the specified
- schema.
+ For schemas, allows new objects to be created within the schema.
@@ -196,9 +195,9 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
of privilege that is applicable to procedural languages.
- For schemas, allows the use of objects contained in the specified
+ For schemas, allows access to objects contained in the specified
schema (assuming that the objects' own privilege requirements are
- met). Essentially this allows the grantee to look up
+ also met). Essentially this allows the grantee to look up
objects within the schema.
@@ -226,6 +225,11 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
Notes
+
+ The command is used
+ to revoke access privileges.
+
+
It should be noted that database superusers can access
all objects regardless of object privilege settings. This
@@ -243,19 +247,19 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
Use 's \z command
- to obtain information about privileges
- on existing objects:
+ to obtain information about existing privileges, for example:
- Database = lusitania
- +------------------+---------------------------------------------+
- | Relation | Grant/Revoke Permissions |
- +------------------+---------------------------------------------+
- | mytable | {"=rw","miriam=arwdRxt","group todos=rw"} |
- +------------------+---------------------------------------------+
- Legend:
- uname=arwR -- privileges granted to a user
- group gname=arwR -- privileges granted to a group
- =arwR -- privileges granted to PUBLIC
+lusitania=> \z mytable
+ Access privileges for database "lusitania"
+ Table | Access privileges
+---------+---------------------------------------
+ mytable | {=r,miriam=arwdRxt,"group todos=arw"}
+
+ The entries shown by \z are interpreted thus:
+
+ =xxxx -- privileges granted to PUBLIC
+ uname=xxxx -- privileges granted to a user
+ group gname=xxxx -- privileges granted to a group
r -- SELECT ("read")
w -- UPDATE ("write")
@@ -269,12 +273,25 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
C -- CREATE
T -- TEMPORARY
arwdRxt -- ALL PRIVILEGES (for tables)
+
+
+ The above example display would be seen by user miriam after
+ creating table mytable and doing
+
+
+GRANT SELECT ON mytable TO PUBLIC;
+GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos;
- The command is used to revoke access
- privileges.
+ If the Access privileges column is empty for a given object,
+it means the object has default privileges (that is, its privileges field
+is NULL). Currently, default privileges are interpreted the same way
+for all object types: all privileges for the owner and no privileges for
+anyone else. The first GRANT on an object will instantiate
+this default (producing, for example, {=,miriam=arwdRxt})
+and then modify it per the specified request.