diff options
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/ref/alter_role.sgml | 6 | ||||
| -rw-r--r-- | doc/src/sgml/ref/create_role.sgml | 11 |
2 files changed, 13 insertions, 4 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index ccdd5c107ca..0c90c74245e 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -69,8 +69,10 @@ ALTER ROLE { <replaceable class="PARAMETER">role_specification</replaceable> | A <xref linkend="SQL-REVOKE"> for that.) Attributes not mentioned in the command retain their previous settings. Database superusers can change any of these settings for any role. - Roles having <literal>CREATEROLE</> privilege can change any of these - settings, but only for non-superuser and non-replication roles. + Roles having <literal>CREATEROLE</literal> privilege can change any of these + settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, + and <literal>BYPASSRLS</literal>; but only for non-superuser and + non-replication roles. Ordinary roles can only change their own password. </para> diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 36772b678a8..e048757d77b 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -176,6 +176,8 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac highly privileged role, and should only be used on roles actually used for replication. If not specified, <literal>NOREPLICATION</literal> is the default. + You must be a superuser to create a new role having the + <literal>REPLICATION</literal> attribute. </para> </listitem> </varlistentry> @@ -187,11 +189,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac <para> These clauses determine whether a role bypasses every row-level security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default. + You must be a superuser to create a new role having + the <literal>BYPASSRLS</literal> attribute. + </para> + + <para> Note that pg_dump will set <literal>row_security</literal> to <literal>OFF</literal> by default, to ensure all contents of a table are dumped out. If the user running pg_dump does not have appropriate - permissions, an error will be returned. The superuser and owner of the - table being dumped always bypass RLS. + permissions, an error will be returned. However, superusers and the + owner of the table being dumped always bypass RLS. </para> </listitem> </varlistentry> |