[Cheer2171]

It sounds like you haven't actually had to face that situation, because it is more complicated than just having to delete an offending attachment. You would still have an audit log of the deletion of that email record by the superuser, even if the content is deleted. And there would be other records generated to document the deletion, like I'm sure a long email or slack thread from this getting discovered and sent up the chain, over to legal, then to the FBI, then back to coordinating the logistics of manually deleting something from the audit logs. So if for a completely unrelated case, a third party auditor stumbles upon that mess, they will be able to reconstruct why a single attachment cannot be found in the audit logs.

"No" is the answer to GP: there is no legitimate reason for a fully unlogged superuser account.

[j_w]

Yeah, superuser accounts? Of course you need them to exist. Superuser accounts that produce no logs? There is never a reason for that. Anyone who claims they should have a superuser with no logging is up to no good.

[michaelt]

> You would still have an audit log of the deletion of that email record by the superuser, even if the content is deleted.

If needing things wiped from the audit logs happens often, you might indeed have an audited interface for wiping things from the audit logs.

But if it's very rare? Maybe I just request the production database password for "Incident #12345" and run some careful SQL.

> And there would be other records generated to document the deletion, like I'm sure a long email or slack thread

For sure - but the account capable of deleting entries from the audit logs exists

And if I am ordered to hand it over to someone who doesn't care to explain their actions on slack? Then there won't be any explanations in slack.