RE: How to revoke privileged from PostgreSQL's superuser

Hello

From: bejita0409(at)yahoo(dot)co(dot)jp [mailto:bejita0409(at)yahoo(dot)co(dot)jp]
Sent: Montag, 6. August 2018 11:49
To: pgsql-admin(at)lists(dot)postgresql(dot)org; pgsql-general(at)lists(dot)postgresql(dot)org
Subject: How to revoke privileged from PostgreSQL's superuser

Hello,

I am a newbie DBA.

I have a request for revoking the access to user's data from DBA-user.

I think the request is right because users should be the only ones can access their data.

But DBA-user also need full access to the other data? It means that DBA-user also needs to be a superuser.

So I conclude the request that how to revoke privileged from superuser in postgres.

As my knowledge, the superuser in PostgreSQL bypasses all the permission check.

So that, there is no way to do it in PostgreSQL, is that right?

Yes, superuser have access to everything. The main question is why should a superuser be restricted in her access to an object?

I think that this is more a question of designing your user and groups in a clean way.

In theory you could restrict access using a before trigger, but this is not a good idea and is quite expensive.

You could also use a policy for the superuser with the clause using(false), but this also is not really a good idea and may become
very confusing.

In either way, this would not be a good solution.

Maybe, if you clarify better what is your purpose, there might be more useful answers and approaches.

Regards

Charles

Is there some DBAs are faced with this before?

Thanks,

--

bejita