11<!--
2- $PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.28 2005/02 /2502:34:56 momjian Exp $
2+ $PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.29 2005/03 /2516:38:58 tgl Exp $
33-->
44
55<chapter id="user-manag">
@@ -260,42 +260,37 @@ SELECT groname FROM pg_group;
260260
261261 <para>
262262 When an object is created, it is assigned an owner. The
263- owner is the user that executed the creation statement. To change
264- the owner of a table, index, sequence, or view, use the
265- <command>ALTER TABLE</command> command. By default, only an owner
266- (or a superuser) can do anything with the object. In order to allow
263+ owner is normally the user that executed the creation statement.
264+ For most kinds of objects, the initial state is that only the owner
265+ (or a superuser) can do anything with the object. To allow
267266 other users to use it, <firstterm>privileges</firstterm> must be
268267 granted.
269- </para>
270-
271- <para>
272- There are several different privileges: <literal>SELECT</>,
268+ There are several different kinds of privilege: <literal>SELECT</>,
273269 <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
274270 <literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
275271 <literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
276- <literal>USAGE</>, and <literal>ALL PRIVILEGES </>. For more
272+ and <literal>USAGE </>. For more
277273 information on the different types of privileges supported by
278274 <productname>PostgreSQL</productname>, see the
279275 <xref linkend="sql-grant" endterm="sql-grant-title"> reference page.
280- The right to modify or
281- destroy an object is always the privilege of the owner only. To
282- assign privileges, the <command>GRANT</command> command is
276+ </para>
277+
278+ <para>
279+ To assign privileges, the <command>GRANT</command> command is
283280 used. So, if <literal>joe</literal> is an existing user, and
284281 <literal>accounts</literal> is an existing table, the privilege to
285282 update the table can be granted with
286-
287283<programlisting>
288284GRANT UPDATE ON accounts TO joe;
289285</programlisting>
290- The user executing this command must be the owner of the table. To
291- grant a privilege to a group, use
286+ To grant a privilege to a group, use
292287<programlisting>
293288GRANT SELECT ON accounts TO GROUP staff;
294289</programlisting>
295- The special<quote>user</quote> name <literal>PUBLIC</literal> can
290+ The special name <literal>PUBLIC</literal> can
296291 be used to grant a privilege to every user on the system. Writing
297292 <literal>ALL</literal> in place of a specific privilege specifies that all
298- privileges will be granted.
293+ privilegesthat apply to the object will be granted.
299294 </para>
300295
301296 <para>
@@ -304,13 +299,21 @@ GRANT SELECT ON accounts TO GROUP staff;
304299<programlisting>
305300REVOKE ALL ON accounts FROM PUBLIC;
306301</programlisting>
307- The special privileges of the table owner (i.e., the right to do
308- <command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc)
309- are always implicit in being the owner,
310- and cannot be granted or revoked. But the table owner can choose
302+ </para>
303+
304+ <para>
305+ The special privileges of an object's owner (i.e., the right to modify
306+ or destroy the object) are always implicit in being the owner,
307+ and cannot be granted or revoked. But the owner can choose
311308 to revoke his own ordinary privileges, for example to make a
312309 table read-only for himself as well as others.
313310 </para>
311+
312+ <para>
313+ An object can be assigned to a new owner with an <command>ALTER</command>
314+ command of the appropriate kind for the object. Only superusers can do
315+ this.
316+ </para>
314317 </sect1>
315318
316319 <sect1 id="perm-functions">