On 10/30/2017 03:35 PM, John R Pierce wrote:
> On 10/30/2017 10:55 AM, rakeshkumar464 wrote:
>> Is there a way in pgaudit to mask literal sqls like the below:
>>
>> insert into table (col1,col2) values(1,2)
>> select * from table where col1 = 1
>>
>> These sqls are typed by our QA folks using pgadmin. pgaudit records this
>> verbatim which runs afoul of our HIPAA requirement. Prepared statements are
>> not an issue since pgaudit provides a way to suppress values.
>
> if you have a HIPAA requirement that says 'don't run manual sql
> statements', then, well, DON'T.
>
> why are QA folks making changes on production databases, anyways?
> that's not within their domain. QA should be working on development
> or staging databases.
>
>
>
I suspect the QA types are testing against production and using/seeing
real names, etc., with queries which create /transitory/ tables. I wonder
if the QA folks have been HIPAA certified? Probably better to get them
redacted data for testing.