I am using the psql tool:
Command:
my_db=# \ddp
Result:
Default access privileges
Owner | Schema | Type | Access privileges
----------------+--------+----------+--------------------------------------
postgres | kpi | function | kpi_updater=X/postgres +
| | | intranet2=X/postgres
postgres | kpi | sequence | kpi_updater=rwU/postgres +
| | | intranet2=rwU/postgres
postgres | kpi | table | kpi_updater=arwdDxt/postgres +
| | | intranet2=arwdDxt/postgres
postgres | kpi | type | kpi_updater=U/postgres +
| | | intranet2=U/postgres
Next I use the following command, that returns without error:
ALTER DEFAULT PRIVILEGES IN SCHEMA kpi REVOKE EXECUTE ON FUNCTIONS FROM intranet2;
I run \ddp one more time and… I get exactly the same result: default privileges were not modified.
What am I missing here ?
Thanks !
Best Answer
Edited to answer the question related to the
\ddp
command not the\dp
command as @personne3000 pointed out in the comment below.You probably want to use
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA kpi REVOKE EXECUTE ON FUNCTIONS FROM intranet2;
This is because
postgres
is the user that was granted the default privilege of execute on the functions in the schemakpi
and is granting it tointranet2
, as noted by the permissions ofintranet2=X/postgres
I created a small example to illustrate what's going on.
User pgsql has the execute privilege, X, granted by bob.
Try to revoke the execute privilege for the role pgsql, as pgsql (a superuser).
Didn't work because the command is not removing the bob role's default ability to grant execute on functions to role pgsql, it is removing the pgsql role's ability to revoke execute on functions from pgsql.
If we change it to remove the privilege of execute from the bob role for the role pgsql, then it works.