From 6d3f74d80190eb8da873b06aec24966f5921766e Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Fri, 25 Mar 2005 16:38:58 +0000
Subject: [PATCH] Update and copy-edit description of privileges.

---
 doc/src/sgml/user-manag.sgml | 47 +++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index f306b27ea0..5ffd878efd 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.28 2005/02/25 02:34:56 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.29 2005/03/25 16:38:58 tgl Exp $
 -->
 
 <chapter id="user-manag">
@@ -260,42 +260,37 @@ SELECT groname FROM pg_group;
 
   <para>
    When an object is created, it is assigned an owner. The
-   owner is the user that executed the creation statement. To change
-   the owner of a table, index, sequence, or view, use the
-   <command>ALTER TABLE</command> command. By default, only an owner
-   (or a superuser) can do anything with the object. In order to allow
+   owner is normally the user that executed the creation statement.
+   For most kinds of objects, the initial state is that only the owner
+   (or a superuser) can do anything with the object. To allow
    other users to use it, <firstterm>privileges</firstterm> must be
    granted.
-  </para>
-
-  <para>
-   There are several different privileges: <literal>SELECT</>,
+   There are several different kinds of privilege: <literal>SELECT</>,
    <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
    <literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
    <literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
-   <literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For more
+   and <literal>USAGE</>. For more
    information on the different types of privileges supported by
    <productname>PostgreSQL</productname>, see the
    <xref linkend="sql-grant" endterm="sql-grant-title"> reference page.
-   The right to modify or
-   destroy an object is always the privilege of the owner only. To
-   assign privileges, the <command>GRANT</command> command is
+  </para>
+
+  <para>
+   To assign privileges, the <command>GRANT</command> command is
    used. So, if <literal>joe</literal> is an existing user, and
    <literal>accounts</literal> is an existing table, the privilege to
    update the table can be granted with
-
 <programlisting>
 GRANT UPDATE ON accounts TO joe;
 </programlisting>
-   The user executing this command must be the owner of the table. To
-   grant a privilege to a group, use
+   To grant a privilege to a group, use
 <programlisting>
 GRANT SELECT ON accounts TO GROUP staff;
 </programlisting>
-   The special <quote>user</quote> name <literal>PUBLIC</literal> can
+   The special name <literal>PUBLIC</literal> can
    be used to grant a privilege to every user on the system. Writing
    <literal>ALL</literal> in place of a specific privilege specifies that all
-   privileges will be granted.
+   privileges that apply to the object will be granted.
   </para>
 
   <para>
@@ -304,13 +299,21 @@ GRANT SELECT ON accounts TO GROUP staff;
 <programlisting>
 REVOKE ALL ON accounts FROM PUBLIC;
 </programlisting>
-   The special privileges of the table owner (i.e., the right to do
-   <command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc)
-   are always implicit in being the owner,
-   and cannot be granted or revoked.  But the table owner can choose
+  </para>
+
+  <para>
+   The special privileges of an object's owner (i.e., the right to modify
+   or destroy the object) are always implicit in being the owner,
+   and cannot be granted or revoked.  But the owner can choose
    to revoke his own ordinary privileges, for example to make a
    table read-only for himself as well as others.
   </para>
+
+  <para>
+   An object can be assigned to a new owner with an <command>ALTER</command>
+   command of the appropriate kind for the object.  Only superusers can do
+   this.
+  </para>
  </sect1>
 
  <sect1 id="perm-functions">