> As far as I am aware, there is no way to tell when a > user/role was granted permissions or had permissions > revoked, or who made these changes. I'm wondering if > it would be useful for security auditing to maintain a > history of permissions changes only accessible to > superusers?
I'd have thought you could keep track of this in the logs by setting log_statement >= ddl ?
I'm pretty sure this is a feature that's not wanted, but the ability to add triggers to these sorts of events would surely make more sense than a specific auditing capability.
I concede your suggestion of the ddl log output. I guess that could then be filtered to obtain the necessary information.