From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Benedict Holland <benedict(dot)m(dot)holland(at)gmail(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, "bejita0409(at)yahoo(dot)co(dot)jp" <bejita0409(at)yahoo(dot)co(dot)jp>, "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: How to revoke privileged from PostgreSQL's superuser |
Date: | 2018-08-14 19:59:19 |
Message-ID: | 20180814195919.GA29140@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin pgsql-general |
On Fri, Aug 10, 2018 at 04:06:40PM -0400, Benedict Holland wrote:
> I also would take Bruce's comment with a massive grain of salt. Everything that
> everyone does on a database is logged somewhere assuming proper logging. Now do
> you have the person-power to go through gigs of plain text logs to find out if
> someone is doing something shady... that is a question for your management
> team. Also, if you suspect someone of doing something shady, you should
> probably revoke their admin rights.
Agreed, the best way to limit the risk of undetected DBA removal of data
is secure auditing --- I should have mentioned that.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2018-08-14 20:24:03 | Re: pg_upgrade failing with error pg_resetxlog no such file |
Previous Message | Bruce Momjian | 2018-08-14 19:51:09 | Re: How to revoke privileged from PostgreSQL's superuser |
From | Date | Subject | |
---|---|---|---|
Next Message | Michal | 2018-08-14 23:40:17 | Re: Immutable function WAY slower than Stable function? |
Previous Message | Jack Cushman | 2018-08-14 19:52:37 | Re: Duplicating data folder without tablespace, for read access |