grants-of-roles-are-additive_v2.patch
text/x-patch
Filename: grants-of-roles-are-additive_v2.patch
Type: text/x-patch
Part: 1
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: unified
Series: patch v2
| File | + | − |
|---|---|---|
| doc/src/sgml/ref/grant.sgml | 16 | 0 |
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 73f88e0..0e878ba 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -453,6 +453,22 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
</para>
<para>
+ Further, roles having the <literal>INHERIT</literal> attribute
+ that are assigned to other roles in a hierarchical fashion are
+ additive of permission in the fashion of the
+ <database>database</><literal>.</><database>schema</><literal>.</><database>table</><literal>.</><database>column</>
+ hierarchy. E.g. a user's login role can be assigned a role of
+ <literal>accountant</> which is in turn assigned a role of
+ <literal>employee</>. The user would have the permissions of an
+ <literal>accountant</> and, by virtue of the role hierarchy, also
+ all permissions granted to <literal>employee</>s. Unlike the
+ fixed
+ <database>database</><literal>.</><database>schema</><literal>.</><database>table</><literal>.</><database>column</>
+ hierarchy the <productname>PostgreSQL</> user is free to fashion
+ roles into arbitrary hierarchical structures.
+ </para>
+
+ <para>
When a non-owner of an object attempts to <command>GRANT</> privileges
on the object, the command will fail outright if the user has no
privileges whatsoever on the object. As long as some privilege is