Re: How to revoke privileged from PostgreSQL's superuser

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The short answer I will provide from my experience is that you can't do it. Your DBA will have access to just about anything across all tables and databases. 

The longer answer are ones that others have pointed out. If a DBA should be restricted from tables, they probably shouldn't be your DBA. Your DBA will likely be the one responsible, for example, for backing up all of the databases on a server. That requires read access and understanding concepts about secure backups of sensitive data. It is also possible that they are running backups as their own user rather than postgres. If you don't want DBAs to access your data you really do not want that data to not have backups. 

I also would take Bruce's comment with a massive grain of salt. Everything that everyone does on a database is logged somewhere assuming proper logging. Now do you have the person-power to go through gigs of plain text logs to find out if someone is doing something shady... that is a question for your management team. Also, if you suspect someone of doing something shady, you should probably revoke their admin rights. 

~Ben


On Fri, Aug 10, 2018 at 3:41 PM, Bruce Momjian <bruce@xxxxxxxxxx> wrote:
On Mon, Aug  6, 2018 at 06:19:55AM -0700, David G. Johnston wrote:
> On Monday, August 6, 2018, <bejita0409@xxxxxxxxxxx> wrote:
>
>
>     I have a request for revoking the access to user's data from DBA-user.
>     I think the request is right because users should be the only ones can
>     access their data.
>
>
> User then needs to encrypt data prior to storing it.  Superuser can still
> access the data but would be challenged to make sense of it,

Keep in mind DBAs can often remove data with little detection, unless
you are using some kind of block chain, which itself can force
serialized data access, slowing things down.

--
  Bruce Momjian  <bruce@xxxxxxxxxx>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux