I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC.
From my reading, there is no straightforward way to do this. For example,
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
Does not apply this across the entire cluster (or database) but only applies to the role who issued it (and objects yet to be created by that role) .
So I am arriving at the conclusion that I need to alter the default privileges for every existing role (which I expected), and ensure that default privileges are altered for every new role that is created going forward.
Have I analyzed this correctly?
Only those roles that have create privilege on one or more schemas. That should be a reasonably finite and static set.
David J.
