On Tue, Dec 16, 2014 at 1:28 PM, Stephen Frost <sfr...@snowman.net> wrote: > The magic "audit" role has SELECT rights on a given table. When any > user does a SELECT against that table, ExecCheckRTPerms is called and > there's a hook there which the module can use to say "ok, does the audit > role have any permissions here?" and, if the result is yes, then the > command is audited. Note that this role, from core PG's perspective, > wouldn't be special at all; it would just be that pgaudit would use the > role's permissions as a way to figure out if a given command should be > audited or not.
This is a little weird because you're effectively granting an anti-permission. I'm not sure whether that ought to be regarded as a serious problem, but it's a little surprising. Also, what makes the "audit" role magical? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers