Skip to main content
The ALTER DEFAULT PRIVILEGES changes the on objects created by in the current database.
The creator of an object is also the object’s . Any roles that are members of the owner role have ALL privileges on the object. Altering the default privileges of objects created by a role does not affect that role’s privileges as the object’s owner. The default privileges granted to other users/roles are always in addition to the ownership (i.e., ALL) privileges given to the creator of the object.
If you grant a default privilege to a user/role for all objects created by a specific user/role, neither of the users/roles can be dropped until the default privilege is revoked.For an example, see Grant default privileges to a specific role.

Synopsis

alter_default_privileges syntax diagram

Parameters

ParameterDescription
FOR ROLE name/FOR USER nameAlter the default privileges on objects created by a specific role/user, or a list of roles/users.
FOR ALL ROLESAlter the default privileges on objects created by all users/roles.
GRANT ...Grant a default privilege or list of privileges on all objects of the specified type to a role/user, or a list of roles/users.
REVOKE ...Revoke a default privilege or list of privileges on all objects of the specified type from a role/user, or a list of roles/users.
IN SCHEMA qualifiable\_schema\_nameIf specified, the default privileges are altered for objects created in that schema. If an object has default privileges specified at the database and at the schema level, the union of the default privileges is taken.
If you do not specify a FOR... clause, CockroachDB alters the default privileges on objects created by the current user.

Required privileges

  • To run ALTER DEFAULT PRIVILEGES FOR ALL ROLES, the user must be a member of the role.
  • To alter the default privileges on objects created by a specific role, the user must be a member of that role.

Examples

Grant default privileges to a specific role

Run the following statements as a member of the admin role, with ALL privileges:
In the same database, run the following statements as the cockroachlabs user:
Because cockroachlabs is the current user, the previous statement is equivalent to ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO max;.
In the same database, run the following statements as the max user:
Because max has default SELECT privileges on all tables created by cockroachlabs, neither user/role can be dropped until all privileges are revoked. To see this, run the following statements as a member of the admin role, with ALL privileges:

Revoke default privileges from a specific role

Run the following statements as the cockroachlabs user:
In the same database, run the following statements as the max user:
max still has SELECT privileges on albums because when cockroachlabs created albums, max was granted default SELECT privileges on all tables created by cockroachlabs.
cockroachlabs created the tracks table after revoking default SELECT privileges from max. As a result, max never had SELECT privileges on tracks. Because max has no default privileges, the user can now be dropped:

Grant default privileges for all roles

Run the following statements as a member of the admin role, with ALL privileges:
In the same database, run the following statements as any two different users:
requires the CREATE privilege on the database.

See also