Allow DB owner to set session var defaults in DB

rmloveland · rmloveland · commit 976d5c9104dc · 2025-10-29T14:13:39.000-04:00
Fixes DOC-14457
diff --git a/src/current/v25.4/alter-database.md b/src/current/v25.4/alter-database.md
@@ -355,7 +355,9 @@ For usage, see [Synopsis](#synopsis).
 
 #### Required privileges
 
-No [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) are required to reset a session setting.
+To reset default session variable values for a database with `ALTER DATABASE ... RESET {session variable}`, the user must be a member of the [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role) or the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of the target database.
+
+All other session variables do not require [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) to modify.
 
 #### Parameters
 
@@ -379,7 +381,9 @@ In CockroachDB, the following are aliases for `ALTER DATABASE ... RESET {session
 
 #### Required privileges
 
-To set the `role` session variable, the current user must be a member of the `admin` role, or a member of the target role.
+To set default session variable values for a database with `ALTER DATABASE ... SET {session variable}`, the user must be a member of the [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role) or the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of the target database.
+
+Additionally, to set the `role` session variable, the current user must be a member of the `admin` role or a member of the target role.
 
 All other session variables do not require [privileges]({% link {{ page.version.version }}/security-reference/authorization.md %}#managing-privileges) to modify.
 
diff --git a/src/current/v25.4/alter-role.md b/src/current/v25.4/alter-role.md
@@ -23,6 +23,7 @@ Password creation and alteration is supported only in secure clusters.
 
 - To alter an [`admin` role]({% link {{ page.version.version }}/security-reference/authorization.md %}#admin-role), the user must be a member of the `admin` role.
 - To alter other roles, the user must be a member of the `admin` role or have the [`CREATEROLE`]({% link {{ page.version.version }}/create-role.md %}#create-a-role-that-can-create-other-roles-and-manage-authentication-methods-for-the-new-roles) [role option](#role-options).
+- {% include_cached new-in.html version="v25.4" %} For [per-database defaults](#set-default-session-variable-values-for-a-specific-database), the [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of a database can execute `ALTER ROLE ALL IN DATABASE ... {SET|RESET}` for that database (in addition to users who meet the general requirements above).
 
 ## Synopsis
 
@@ -228,6 +229,8 @@ SHOW statement_timeout;
 
 In the following example, the `root` user creates a database named `movr`, and sets the default value of the `timezone` [session variable]({% link {{ page.version.version }}/set-vars.md %}#supported-variables) for all roles in that database.
 
+{% include_cached new-in.html version="v25.4" %} The [owner]({% link {{ page.version.version }}/security-reference/authorization.md %}#object-ownership) of a database can also execute `ALTER ROLE ALL IN DATABASE ... {SET|RESET}` for that database.
+
 ~~~ sql
 CREATE DATABASE IF NOT EXISTS movr;
 ~~~
