Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vLHqb-00B9xc-1B
	for pgsql-general@arkaria.postgresql.org;
	Tue, 18 Nov 2025 09:18:01 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vLHqZ-005Btd-0h
	for pgsql-general@arkaria.postgresql.org;
	Tue, 18 Nov 2025 09:17:59 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <colinthart@gmail.com>)
	id 1vLHqY-005BtV-2h
	for pgsql-general@lists.postgresql.org;
	Tue, 18 Nov 2025 09:17:59 +0000
Received: from mail-pf1-x42a.google.com ([2607:f8b0:4864:20::42a])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <colinthart@gmail.com>)
	id 1vLHqW-0008iZ-1g
	for pgsql-general@lists.postgresql.org;
	Tue, 18 Nov 2025 09:17:58 +0000
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-7b8bbf16b71so5840462b3a.2
        for <pgsql-general@lists.postgresql.org>; Tue, 18 Nov 2025 01:17:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763457476; x=1764062276; darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=bgadwumagAgO+eEdhPWrUf4QN/ZMnmk9AXVFl4YU5WM=;
        b=HZLzWpGtlCC8wHA/VwFXhmOJrO1EsoqpHZDODYQRg2TiK5SEGBf6FurnGvPDE3o/VO
         B8b+9yyacPh/q2+p9FoY4bJV5WfJnhOMAxm/gaPycZHngUqz0VFedoN9QYTdqv4UqSr0
         MBtkujm2BMjlpH7IjPR+roCyeUXZXd9rJLz76Se6GxbwInRQ2N/91Lkse66XlDurDFHd
         rlwUfbHH47pYlOXsjoO1CkcY7MSXqd0j9rjkArNJHrwkUhesWFvnul3wiWRUMG3Ht61M
         /9/K4UfyFae26YshQXqmFKjglj5E2yw5w4jBP1xxcbcqVJ8nXGBqQxyrf0lCq6gzKyp2
         X0zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763457476; x=1764062276;
        h=to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=bgadwumagAgO+eEdhPWrUf4QN/ZMnmk9AXVFl4YU5WM=;
        b=bEFY8LtoGzJy2iAIKipwQXy5Zdg2qkuWGH2ka3qsEf5lo/lWrUO/REejEb8UZP0kj1
         oXqW1b9ZbVyz09KUBOA0jCBYJMIqTPtT/biMOOCFk86AGslVtCQ3dzCQtMXqymTaBaWO
         Ll2i8EsMyegYQyGj2gORsEGu7CufXnsaD7NRRXoj5jY7ECm0fRXPomfofg99mPrhxe1b
         O4jon7OereGCaeNxiUlRBZTTJiWuG4g63SpacKuZf51/UtV8YxA6zpwsm5uD/KA4e7jk
         VsZ++ImSDoFOqu2nt95ecmPFAJVxZa3SpEeGjUhOGqZHZK+19AMP8okXhmGlMvFX6lc9
         v9/w==
X-Gm-Message-State: AOJu0YxpwJkGtc4hzdhZ/cy2MMtKI3rTfyokKRtdqDEhQaiS2kynqBGm
	V74ULOqc7B2EFjofLp0uc3B3ltOglp91IFV1ES8q1CLdh4yFNkTB2P0NBL3QDW38/ejCcOfuhVT
	qKGdC4DaPb4BW56AA9BK0NzgvsdFRZyYL1ZifCC42ew==
X-Gm-Gg: ASbGncseRR+rwcKbDsX8XlJ/Al+xreHSV78Wi0n+1AVvkbmDKrgpKBzTZTC47qlTC//
	G7YRbeKy3Eb4MWnuJ7V1Ot+R9zx6Z51cH0C7JXW2jOfEHInO58KhBVYMut4hFvhJgaxaM6TQF4F
	Ll3qkKKIB3ypWJAbE3giP9U1naiqwyF+j8yxnxUit2Udo/rCHCD0UVF7b9+8JV+9vam4S8Azmyx
	Ea92zcG5KBt49rpVW7MhUUwDU0NPDMe9yteA7UdhNUheoqbPrChRwUDFW2CAHbM25wHyryTtC4V
	fQeVpyz28LbN+4W+uYJr3NwTN7qxg52twqXROvbv61R19ibbnLYjwxwDRlCq60jmvY+1sY806ij
	/y27y/IQIiG5agAbLZ2bFEU1LL4KntxnIZSOx9BEkD69DbfsPzcu/jnu2yQ==
X-Google-Smtp-Source: AGHT+IHlnbBfohcP4saQdwkCSFXHf/kfnXOiLoW6ITscrnCmXYvmTVrjl7lXh8TvqBCBfXKWJQ+uCpOscxNen646Fwk=
X-Received: by 2002:a05:7022:639d:b0:119:e569:fbb4 with SMTP id
 a92af1059eb24-11b4120dbafmr6562901c88.35.1763457475868; Tue, 18 Nov 2025
 01:17:55 -0800 (PST)
MIME-Version: 1.0
From: "Colin 't Hart" <colinthart@gmail.com>
Date: Tue, 18 Nov 2025 10:17:44 +0100
X-Gm-Features: AWmQ_bnC-Kk1o4DOcKg1XhrCKJ28uZh7gPx8IhTlmBYTTC08G_ydHf7uESUGAfc
Message-ID: <CAMon-aRf-XS+wVEnVvP58GtojYENywx+s9pUjwz5omADdLP1NA@mail.gmail.com>
Subject: Using pgAudit to audit interesting tables for all users except for
 batch user?
To: PostgreSQL General <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000006cfb540643daf04f"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAMon-aRf-XS%2BwVEnVvP58GtojYENywx%2Bs9pUjwz5omADdLP1NA%40mail.gmail.com>
Precedence: bulk

--0000000000006cfb540643daf04f
Content-Type: text/plain; charset="UTF-8"

Hi,

One of my clients has some tables that contain sensitive data. These are
modified regularly by batch jobs, and then the data is transformed and
summary information appended to other tables (fairly typical datawarehouse).

For these sensitive tables they would like to add auditing of all activity
-- but not for the batch user as that would just blow up the logs, and we
should be able to adequately prevent access to the batch user.


Is there any way we can achieve this?

I tried using a role, registering that with

alter system set pgaudit.role = <auditrole>;

and doing

grant select,insert,update,delete
on <sensetivetable>
to <auditrole>;


After that all operations on that table ended up audited in the log, as
expected.


Then I did

alter user <batchuser> set pgaudit.log to 'none';

but after that operations when logged in as <batchuser> still ended up
being audited.


What am I missing?


Is what I'm trying even possible? Or is there another way to achieve our
requirements?


This issue https://github.com/issues/recent?issue=pgaudit%7Cpgaudit%7C73
seems to indicate that it's possible, but I'm struggling to understand how.

Thanks,

Colin

--0000000000006cfb540643daf04f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><div><br></div><div>One of my clients has so=
me tables that contain sensitive data. These are
 modified regularly by batch jobs, and then the data is transformed and=20
summary information appended to other tables (fairly typical=20
datawarehouse).<br><br>For these sensitive tables they would like to add
 auditing of all activity -- but not for the batch user as that would=20
just blow up the logs, and we should be able to adequately prevent=20
access to the batch user.<br><br><br>Is there any way we can achieve this?<=
/div><div><br>I tried using a role, registering that with<br><br>alter syst=
em set pgaudit.role =3D &lt;auditrole&gt;;<br><br>and doing<br><br>grant se=
lect,insert,update,delete<br>on &lt;sensetivetable&gt;<br>to &lt;auditrole&=
gt;;<br><br><br>After that all operations on that table ended up audited in=
 the log, as expected.<br><br><br>Then I did<br><br>alter user &lt;batchuse=
r&gt; set pgaudit.log to &#39;none&#39;;<br><br>but after that operations w=
hen logged in as &lt;batchuser&gt; still ended up being audited.<br><br><br=
>What am I missing?<br><br><br>Is what I&#39;m trying even possible? Or is =
there another way to achieve our requirements?<br><br><br>This issue <a hre=
f=3D"https://github.com/issues/recent?issue=3Dpgaudit%7Cpgaudit%7C73" targe=
t=3D"_blank">https://github.com/issues/recent?issue=3Dpgaudit%7Cpgaudit%7C7=
3</a> seems to indicate that it&#39;s possible, but I&#39;m struggling to u=
nderstand how.</div><div><br></div><div>Thanks,</div><div><br></div><div>Co=
lin</div></div>

--0000000000006cfb540643daf04f--