User Permission Audit

PostgresSecurity

Conduct a comprehensive security audit identifying users with insufficient or dangling permissions in a business database environment.

Created by Fanshi Zhang

2025-08-17

Security And Access Control, Audit And Compliance

Model Ranking

Click on the dots to view the trajectory of each task run

Model	Run Results	Pass@4	Pass^4	Avg Time	Avg Turns	Input Tokens	Output Tokens	Total Tokens
claude-sonnet-4	4 /4			124.2s	20.8	243,402	5,886	249,287
gpt-5-high	3 /4			1020.8s	10.8	125,205	39,327	164,531
kimi-k2-0711	2 /4			198.1s	22.5	207,481	5,041	212,522
claude-opus-4-1	1 /1	-	-	403.8s	18.0	174,179	6,917	181,096
gpt-5-medium	1 /4			453.6s	12.0	158,363	22,627	180,990
gpt-5-mini-low	1 /4			49.3s	5.8	40,814	4,110	44,924
grok-4	1 /4			170.9s	10.3	124,016	8,881	132,897
o4-mini	1 /4			66.6s	5.8	24,540	4,499	29,039
qwen-3-max	1 /4			118.3s	12.8	102,070	4,487	106,557
claude-sonnet-4-high	0 /4			106.4s	14.0	152,570	5,546	158,116
claude-sonnet-4-low	0 /4			112.1s	16.0	195,095	5,764	200,859
deepseek-chat	0 /4			210.0s	13.3	134,753	3,104	137,857
gemini-2-5-flash	0 /4			65.5s	5.5	25,973	3,978	29,951
gemini-2-5-pro	0 /4			56.8s	4.0	12,770	5,089	17,860
glm-4-5	0 /4			170.3s	18.8	212,858	4,736	217,593
gpt-4-1	0 /4			24.4s	6.8	152,789	1,105	153,894
gpt-4-1-mini	0 /4			75.8s	5.8	47,361	2,764	50,125
gpt-4-1-nano	0 /4			53.1s	18.5	399,057	1,708	400,765
gpt-5-low	0 /4			274.1s	8.3	63,498	18,847	82,345
gpt-5-mini-high	0 /4			150.7s	6.0	41,255	19,340	60,595
gpt-5-mini-medium	0 /4			70.4s	8.0	53,145	7,598	60,743
gpt-5-nano-high	0 /4			263.0s	13.8	163,899	54,665	218,564
gpt-5-nano-low	0 /4			27.7s	2.3	11,355	4,069	15,425
gpt-5-nano-medium	0 /4			116.0s	4.3	57,589	23,775	81,364
gpt-oss-120b	0 /4			39.7s	2.0	4,198	896	5,095
grok-code-fast-1	0 /4			39.3s	10.5	86,595	5,528	92,123
kimi-k2-0905	0 /4			472.4s	31.8	345,137	4,553	349,690
o3	0 /4			90.3s	9.3	39,304	5,789	45,093
qwen-3-coder-plus	0 /4			119.8s	25.5	482,828	4,494	487,321

Task State

Table "user_profiles" {
  "user_id" int4 [pk, not null, increment]
  "username" varchar(50) [unique, not null]
  "email" varchar(100) [unique, not null]
  "first_name" varchar(50) [not null]
  "last_name" varchar(50) [not null]
  "phone" varchar(20)
  "address" text
  "city" varchar(50)
  "state" varchar(2)
  "zip_code" varchar(10)
  "date_created" timestamp [default: `CURRENT_TIMESTAMP`]
  "last_updated" timestamp [default: `CURRENT_TIMESTAMP`]
  "is_active" bool [default: true]
  "profile_picture_url" text
  "bio" text
}

Table "user_credentials" {
  "credential_id" int4 [pk, not null, increment]
  "user_id" int4
  "password_hash" varchar(255) [not null]
  "salt" varchar(100) [not null]
  "login_attempts" int4 [default: 0]
  "last_login" timestamp
  "password_created" timestamp [default: `CURRENT_TIMESTAMP`]
  "password_expires" timestamp
  "is_locked" bool [default: false]
  "two_factor_enabled" bool [default: false]
  "two_factor_secret" varchar(32)
  "backup_codes" "text[]"
  "security_questions" jsonb
}

Table "user_stat_analysis" {
  "analysis_id" int4 [pk, not null, increment]
  "user_id" int4
  "session_id" varchar(100)
  "page_views" int4 [default: 0]
  "time_spent_minutes" int4 [default: 0]
  "actions_performed" jsonb
  "device_info" jsonb
  "ip_address" inet
  "location_data" jsonb
  "referrer_url" text
  "conversion_events" jsonb
  "analysis_date" date [default: `CURRENT_DATE`]
  "created_at" timestamp [default: `CURRENT_TIMESTAMP`]
}

Table "product_catalog" {
  "product_id" int4 [pk, not null, increment]
  "product_name" varchar(100) [not null]
  "description" text
  "category" varchar(50)
  "price" numeric(10,2) [not null]
  "cost" numeric(10,2)
  "sku" varchar(50) [unique]
  "inventory_count" int4 [default: 0]
  "is_active" bool [default: true]
  "created_at" timestamp [default: `CURRENT_TIMESTAMP`]
  "updated_at" timestamp [default: `CURRENT_TIMESTAMP`]
  "supplier_info" jsonb
  "weight_kg" numeric(6,2)
  "dimensions" jsonb
}

Table "order_management" {
  "order_id" int4 [pk, not null, increment]
  "user_id" int4
  "order_number" varchar(50) [unique, not null]
  "order_status" varchar(20) [default: 'pending']
  "total_amount" numeric(12,2) [not null]
  "tax_amount" numeric(12,2)
  "shipping_amount" numeric(12,2)
  "discount_amount" numeric(12,2) [default: 0]
  "payment_method" varchar(50)
  "payment_status" varchar(20) [default: 'pending']
  "shipping_address" jsonb
  "billing_address" jsonb
  "order_date" timestamp [default: `CURRENT_TIMESTAMP`]
  "shipped_date" timestamp
  "delivered_date" timestamp
  "tracking_number" varchar(100)
}

Table "financial_transactions" {
  "transaction_id" int4 [pk, not null, increment]
  "order_id" int4
  "user_id" int4
  "transaction_type" varchar(20) [not null]
  "amount" numeric(12,2) [not null]
  "currency" varchar(3) [default: 'USD']
  "payment_gateway" varchar(50)
  "gateway_transaction_id" varchar(100)
  "credit_card_last_four" bpchar(4)
  "bank_account_last_four" bpchar(4)
  "transaction_status" varchar(20) [default: 'pending']
  "processed_at" timestamp
  "created_at" timestamp [default: `CURRENT_TIMESTAMP`]
  "fee_amount" numeric(8,2)
  "refund_amount" numeric(12,2) [default: 0]
  "notes" text
}

Table "audit_logs" {
  "log_id" int4 [pk, not null, increment]
  "user_id" int4
  "action_type" varchar(50) [not null]
  "table_name" varchar(50)
  "record_id" int4
  "old_values" jsonb
  "new_values" jsonb
  "ip_address" inet
  "user_agent" text
  "session_id" varchar(100)
  "timestamp" timestamp [default: `CURRENT_TIMESTAMP`]
  "success" bool [default: true]
  "error_message" text
}

Ref "audit_logs_user_id_fkey":"user_profiles"."user_id" < "audit_logs"."user_id"

Ref "financial_transactions_order_id_fkey":"order_management"."order_id" < "financial_transactions"."order_id"

Ref "financial_transactions_user_id_fkey":"user_profiles"."user_id" < "financial_transactions"."user_id"

Ref "order_management_user_id_fkey":"user_profiles"."user_id" < "order_management"."user_id"

Ref "user_credentials_user_id_fkey":"user_profiles"."user_id" < "user_credentials"."user_id" [delete: cascade]

Ref "user_stat_analysis_user_id_fkey":"user_profiles"."user_id" < "user_stat_analysis"."user_id" [delete: cascade]

Instruction

Conduct a comprehensive security audit to identify PostgreSQL users with insufficient or dangling permissions in a business database environment.

Your Mission:

You've been hired as a security consultant to audit the PostgreSQL database permissions for a growing e-commerce company. The company has experienced rapid growth and multiple teams have been granted database access over time. However, there's concern about permission inconsistencies and security gaps.

Security Audit Requirements:

Discover the database structure: Identify all business tables and their purposes
Catalog all database users and roles: Use pg_user, pg_roles, and pg_auth_members to find all accounts
Analyze current permissions: Use information_schema.table_privileges to map permissions
Identify security issues:
- Dangling users: Inactive accounts that should be removed
- Missing permissions: Users lacking permissions required for their business role
- Excessive permissions: Users with unnecessary permissions that should be revoked

Expected permissions by role (what they SHOULD have)

Python

# Business role assigned to each active functional database account.
USER_ROLE = dict(
    analytics_user='Analytics Team',
    marketing_user='Marketing Department',
    customer_service='Customer Service',
    finance_user='Finance Team',
    product_manager='Product Management',
    security_auditor='Security Team',
    developer_user='Development Team',
    backup_user='Backup Service',
)

# Privileges each business role is expected to hold, exposed as a list of
# (table_name, privilege) pairs per role. The literal below groups the
# privileges by table; the comprehension flattens it, keeping tables and
# privileges in the order they are written.
ROLE_EXPECTED_PERMISSIONS = {
    role: [
        (table, privilege)
        for table, privileges in tables.items()
        for privilege in privileges
    ]
    for role, tables in {
        'Analytics Team': {
            'user_profiles': ('SELECT',),
            'user_stat_analysis': ('SELECT',),
            'product_catalog': ('SELECT',),
            'order_management': ('SELECT',),
        },
        'Marketing Department': {
            'user_profiles': ('SELECT',),
            'user_stat_analysis': ('SELECT',),
            'product_catalog': ('SELECT',),
        },
        'Customer Service': {
            'user_profiles': ('SELECT', 'UPDATE'),
            'order_management': ('SELECT', 'INSERT', 'UPDATE'),
            'product_catalog': ('SELECT',),
        },
        'Finance Team': {
            'financial_transactions': ('SELECT',),
            'order_management': ('SELECT',),
            'user_profiles': ('SELECT',),
        },
        'Product Management': {
            'product_catalog': ('SELECT', 'INSERT', 'UPDATE', 'DELETE'),
            'order_management': ('SELECT',),
            'user_stat_analysis': ('SELECT',),
        },
        'Security Team': {
            'audit_logs': ('SELECT',),
            'user_credentials': ('SELECT',),
            'user_profiles': ('SELECT',),
        },
        'Development Team': {
            'user_profiles': ('SELECT',),
            'product_catalog': ('SELECT',),
        },
        'Backup Service': {
            'user_profiles': ('SELECT',),
            'product_catalog': ('SELECT',),
            'order_management': ('SELECT',),
            'financial_transactions': ('SELECT',),
            'user_stat_analysis': ('SELECT',),
            'audit_logs': ('SELECT',),
            'user_credentials': ('SELECT',),
        },
    }.items()
}

Expected Deliverables:

Your audit must produce findings in a structured format that can be verified. Create two tables to store your audit results:

1. Summary Table:

SQL

-- Summary of audit findings.
-- audit_type is one of 'DANGLING_USERS', 'MISSING_PERMISSIONS', 'EXCESSIVE_PERMISSIONS'.
CREATE TABLE security_audit_results (
    audit_id        SERIAL,
    audit_type      VARCHAR(50) NOT NULL,
    total_issues    INTEGER     NOT NULL,
    users_affected  INTEGER     NOT NULL,
    tables_affected INTEGER     NOT NULL,
    -- Same name PostgreSQL generates for an inline PRIMARY KEY on this table.
    CONSTRAINT security_audit_results_pkey PRIMARY KEY (audit_id)
);

2. Detailed Findings Table:

SQL

-- Detailed audit findings.
--   issue_type:      'DANGLING_USER', 'MISSING_PERMISSION', 'EXCESSIVE_PERMISSION'
--   table_name:      NULL for dangling users
--   permission_type: 'SELECT', 'INSERT', 'UPDATE', 'DELETE'; NULL for dangling users
--   expected_access: TRUE if the user should have access, FALSE if it should not
CREATE TABLE security_audit_details (
    detail_id       SERIAL,
    username        VARCHAR(50) NOT NULL,
    issue_type      VARCHAR(50) NOT NULL,
    table_name      VARCHAR(50),
    permission_type VARCHAR(20),
    expected_access BOOLEAN     NOT NULL,
    -- Same name PostgreSQL generates for an inline PRIMARY KEY on this table.
    CONSTRAINT security_audit_details_pkey PRIMARY KEY (detail_id)
);

Success Criteria:

Your audit should populate both tables with:

Summary data: High-level counts of different types of security issues
Detailed findings: Specific permission gaps for each user and table combination

Business Role Expectations

Analyze usernames and infer their intended business roles based on naming patterns:

analytics_user → Analytics Team (needs user behavior and statistics data)
marketing_user → Marketing Department (needs customer and product data for campaigns)
customer_service → Customer Service (needs user profiles and order management)
finance_user → Finance Team (needs financial and order data)
product_manager → Product Management (needs full product catalog access)
security_auditor → Security Team (needs audit logs and credential data)
developer_user → Development Team (needs limited access for testing)
backup_user → Backup Service (needs read-only access to all business data)
temp_contractor, old_employee, test_account → Inactive/Temporary (should have NO permissions)

The verification process will check that your findings correctly identify the actual permission gaps in the system by comparing against expected results.

Verify

Python

import os
import psycopg2
import sys


def _table_exists(cur, table_name):
    """Report whether information_schema.tables lists a table named ``table_name``.

    The lookup is not restricted to a particular schema.
    """
    cur.execute(
        """
        SELECT EXISTS (
            SELECT FROM information_schema.tables
            WHERE table_name = %s
        );
        """,
        (table_name,),
    )
    return cur.fetchone()[0]


def verify_security_audit():
    """
    Verify that the security audit correctly identified all permission issues.

    Connects with the POSTGRES_HOST / POSTGRES_PORT / POSTGRES_USERNAME /
    POSTGRES_PASSWORD / POSTGRES_DATABASE environment variables (falling back
    to local defaults) and checks that:

    * ``security_audit_results`` and ``security_audit_details`` both exist;
    * every detail row has 6 columns, a username, a known issue_type and a
      boolean expected_access;
    * the dangling users, missing permissions and excessive permissions
      recorded in the details table are exactly the expected sets (nothing
      missing, nothing extra);
    * the summary table contains a row for every expected audit_type and each
      of those rows carries the expected counts.

    Returns:
        bool: True when every check passes; False otherwise, including when
        any exception is raised while verifying (the error is printed).
    """

    # Database connection parameters from environment
    db_params = {
        'host': os.getenv('POSTGRES_HOST', 'localhost'),
        'port': os.getenv('POSTGRES_PORT', '5432'),
        'user': os.getenv('POSTGRES_USERNAME', 'postgres'),
        'password': os.getenv('POSTGRES_PASSWORD', 'password'),
        'database': os.getenv('POSTGRES_DATABASE', 'postgres')
    }

    conn = None
    cur = None
    try:
        conn = psycopg2.connect(**db_params)
        cur = conn.cursor()

        print("| Verifying security audit findings...")

        # Both deliverable tables must exist before anything else is checked.
        for required_table in ('security_audit_results', 'security_audit_details'):
            if not _table_exists(cur, required_table):
                print(f"FAIL: {required_table} table not found")
                return False

        # Get all detailed findings
        cur.execute("SELECT * FROM security_audit_details ORDER BY detail_id;")
        findings = cur.fetchall()

        if not findings:
            print("FAIL: No findings in security_audit_details table")
            return False

        print(f"| Found {len(findings)} audit findings")

        # Expected findings based on the ground truth:
        expected_findings = {
            # Expected dangling users
            'dangling_users': {'temp_contractor', 'old_employee', 'test_account'},

            # Expected missing permissions (should be granted)
            'missing_permissions': {
                ('analytics_user', 'user_profiles', 'SELECT'),
                ('analytics_user', 'product_catalog', 'SELECT'),
                ('analytics_user', 'order_management', 'SELECT'),
                ('marketing_user', 'product_catalog', 'SELECT'),
                ('customer_service', 'product_catalog', 'SELECT'),
                ('finance_user', 'user_profiles', 'SELECT'),
                ('product_manager', 'user_stat_analysis', 'SELECT'),
                ('security_auditor', 'audit_logs', 'SELECT'),
                ('developer_user', 'product_catalog', 'SELECT'),
                ('backup_user', 'order_management', 'SELECT'),
                ('backup_user', 'financial_transactions', 'SELECT'),
                ('backup_user', 'user_stat_analysis', 'SELECT'),
                ('backup_user', 'user_credentials', 'SELECT')
            },

            # Expected excessive permissions (should be revoked)
            'excessive_permissions': {
                ('analytics_user', 'financial_transactions', 'SELECT'),
                ('marketing_user', 'financial_transactions', 'SELECT'),
                ('customer_service', 'user_credentials', 'SELECT'),
                ('product_manager', 'financial_transactions', 'SELECT'),
                ('security_auditor', 'financial_transactions', 'UPDATE'),
                ('developer_user', 'user_credentials', 'SELECT'),
                ('developer_user', 'order_management', 'UPDATE'),
                ('backup_user', 'product_catalog', 'DELETE'),
                ('temp_contractor', 'product_catalog', 'SELECT'),
                ('temp_contractor', 'user_profiles', 'SELECT'),
                ('old_employee', 'audit_logs', 'SELECT'),
                ('old_employee', 'user_stat_analysis', 'UPDATE'),
                ('test_account', 'user_profiles', 'SELECT')
            }
        }

        found_dangling = set()
        found_missing_permissions = set()
        found_excessive_permissions = set()

        # Validate and classify each row in a single pass. The column count is
        # checked before unpacking so a malformed row is reported as a
        # structure failure instead of raising while being indexed.
        # Row layout: (detail_id, username, issue_type, table_name, permission_type, expected_access)
        structure_valid = True
        for i, finding in enumerate(findings):
            if len(finding) != 6:  # Should have 6 columns
                print(f"| FAIL: Finding {i + 1} has wrong number of columns (expected 6, got {len(finding)})")
                structure_valid = False
                continue

            detail_id, username, issue_type, table_name, permission_type, expected_access = finding

            if not username:
                print(f"| FAIL: Finding {i + 1} missing username")
                structure_valid = False

            if issue_type not in ['DANGLING_USER', 'MISSING_PERMISSION', 'EXCESSIVE_PERMISSION']:
                print(f"| FAIL: Finding {i + 1} invalid issue_type: {issue_type}")
                structure_valid = False

            if expected_access not in [True, False]:
                print(f"| FAIL: Finding {i + 1} invalid expected_access: {expected_access}")
                structure_valid = False

            if issue_type == 'DANGLING_USER':
                found_dangling.add(username)
            elif issue_type == 'MISSING_PERMISSION' and expected_access:
                if table_name and permission_type:
                    found_missing_permissions.add((username, table_name, permission_type))
            elif issue_type == 'EXCESSIVE_PERMISSION' and not expected_access:
                if table_name and permission_type:
                    found_excessive_permissions.add((username, table_name, permission_type))

        if structure_valid:
            print(f"| ✓ structure is valid")

        # Differences between expected and reported findings, in both directions.
        missing_dangling = expected_findings['dangling_users'] - found_dangling
        extra_dangling = found_dangling - expected_findings['dangling_users']

        missing_missing_perms = expected_findings['missing_permissions'] - found_missing_permissions
        extra_missing_perms = found_missing_permissions - expected_findings['missing_permissions']

        missing_excessive_perms = expected_findings['excessive_permissions'] - found_excessive_permissions
        extra_excessive_perms = found_excessive_permissions - expected_findings['excessive_permissions']

        # Any missing OR unexpected finding fails the audit. These are explicit
        # checks rather than assert statements so they still run under
        # `python -O`, which strips asserts.
        all_correct = True

        print(f"| Expected dangling users: {expected_findings['dangling_users']} Found: {found_dangling}")
        if missing_dangling:
            print(f"| Missing dangling users: {missing_dangling}")
            all_correct = False
        if extra_dangling:
            print(f"| Unexpected dangling users: {extra_dangling}")
            all_correct = False

        print(
            f"| Expected missing permissions: {len(expected_findings['missing_permissions'])} Found: {len(found_missing_permissions)} Missing: {len(missing_missing_perms)}")
        if missing_missing_perms:
            print(f"| Missing 'missing permission' findings:")
            for perm in sorted(missing_missing_perms):
                print(f"|   - {perm[0]} should be granted {perm[2]} on {perm[1]}")
            all_correct = False
        if extra_missing_perms:
            print(f"| Unexpected 'missing permission' findings:")
            for perm in sorted(extra_missing_perms):
                print(f"|   - {perm[0]} is not expected to need {perm[2]} on {perm[1]}")
            all_correct = False

        print(
            f"| Expected excessive permissions: {len(expected_findings['excessive_permissions'])} Found: {len(found_excessive_permissions)} Missing: {len(missing_excessive_perms)}")
        if missing_excessive_perms:
            print(f"| Missing 'excessive permission' findings:")
            for perm in sorted(missing_excessive_perms):
                print(f"|   - {perm[0]} should have {perm[2]} revoked on {perm[1]}")
            all_correct = False
        if extra_excessive_perms:
            print(f"| Unexpected 'excessive permission' findings:")
            for perm in sorted(extra_excessive_perms):
                print(f"|   - {perm[0]} was not expected to be flagged for {perm[2]} on {perm[1]}")
            all_correct = False

        # Check audit summary table
        cur.execute(
            "SELECT audit_type, total_issues, users_affected, tables_affected FROM security_audit_results ORDER BY audit_type;")
        summary_results = cur.fetchall()

        # Expected summary numbers based on ground truth
        expected_summary = {
            'DANGLING_USERS': (3, 3, 0),          # 3 issues, 3 users affected, 0 tables affected
            'EXCESSIVE_PERMISSIONS': (13, 10, 7), # 13 issues, 10 users affected, 7 tables affected
            'MISSING_PERMISSIONS': (13, 8, 7)     # 13 issues, 8 users affected, 7 tables affected
        }

        summary_correct = True
        seen_summary_types = set()
        for audit_type, total_issues, users_affected, tables_affected in summary_results:
            print(f"| Summary result: [{audit_type}] {total_issues} issues, {users_affected} users affected, {tables_affected} tables affected")

            # Rows with an audit_type outside the expected set are reported
            # above but otherwise ignored.
            if audit_type in expected_summary:
                seen_summary_types.add(audit_type)
                expected = expected_summary[audit_type]
                if (total_issues, users_affected, tables_affected) != expected:
                    print(f"| FAIL: {audit_type} summary mismatch - Expected: {expected}, Got: ({total_issues}, {users_affected}, {tables_affected})")
                    summary_correct = False
                else:
                    print(f"| ✓ {audit_type} summary matches expected values")

        # An empty or partial summary table must not pass: every expected
        # audit_type needs a row.
        missing_summary_types = set(expected_summary) - seen_summary_types
        if missing_summary_types:
            print(f"| FAIL: security_audit_results is missing summary rows for: {sorted(missing_summary_types)}")
            summary_correct = False

        if all_correct and structure_valid and summary_correct:
            print("| ✓ All assertions passed")
            return True
        else:
            return False

    except Exception as e:
        print(f"FAIL: Error during verification: {e}")
        return False
    finally:
        # Release whatever was opened, even when verification bailed out early.
        if cur is not None:
            cur.close()
        if conn is not None:
            conn.close()


if __name__ == "__main__":
    # Exit status 0 when verification passes, 1 when it does not.
    if verify_security_audit():
        sys.exit(0)
    sys.exit(1)