The server rejected a User Defined Function (UDF) audit log request because the caller lacks the SUPER privilege.
ER_AUDIT_LOG_UDF_INSUFFICIENT_PRIVILEGE (error 3211, SQLSTATE HY000) occurs when a session without the SUPER privilege tries to write to the MySQL audit log via a UDF. Grant SUPER (or SYSTEM_USER in 8.0+) or run the operation as a privileged user to resolve the issue.
ER_AUDIT_LOG_UDF_INSUFFICIENT_PRIVILEGE
MySQL raises error 3211 (SQLSTATE HY000) when an account executes a User Defined Function (UDF) that tries to write to the audit log without possessing the SUPER privilege. Introduced in MySQL 5.7.22, this safeguard blocks unprivileged sessions from tampering with audit data.
The error message appears in the server error log and the client session, immediately halting the attempted operation. Addressing it quickly is critical because failed audit writes may hide security events and break compliance workflows.
The primary trigger is a UDF such as audit_log_read() or audit_log_write() executed by a user lacking SUPER (or SYSTEM_USER in MySQL 8.0+). MySQL checks the privilege at runtime and aborts the call if it is missing.
Secondary factors include revoked privileges after a role change, account replication to a stricter replica, or executing the UDF inside a stored routine that runs with definer rights lacking SUPER.
Grant the required privilege to the calling account or execute the UDF through a high-privileged proxy user. After granting, flush privileges to apply changes immediately. If running MySQL 8.0, prefer SYSTEM_USER over SUPER because SUPER is deprecated.
Automation scripts that rotate credentials often drop SUPER by mistake. Update the provisioning playbook to include SUPER or SYSTEM_USER. On replicas, map the account to an administrative role or create a dedicated audit_writer user.
Stored procedures that wrap audit_log_write() should be defined with SQL SECURITY DEFINER and the definer account should keep SUPER. This prevents end users from requiring elevated rights.
Centralize privilege management with roles, allocating SYSTEM_USER to a minimal set of service accounts. Monitor the MySQL error log for 3211 events and alert the security team immediately. Periodically test audit paths in staging to verify that privilege changes do not break logging.
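The error-log monitoring step above, as an added example that is not part of the original page: a small parser that picks error 3211 lines out of a MySQL error log and counts them per account for alerting. It assumes the MySQL 8.0 log layout with `[MY-NNNNNN]` codes; the sample lines, their message wording, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed MySQL 8.0 error-log layout:
#   timestamp thread_id [priority] [MY-NNNNNN] [subsystem] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+\[(?P<prio>[^\]]+)\]\s+"
    r"\[MY-(?P<code>\d{6})\]\s+\[(?P<subsys>[^\]]+)\]\s+(?P<msg>.*)$"
)
ACCOUNT_RE = re.compile(r"'(?P<user>[^']*)'@'(?P<host>[^']*)'")
AUDIT_UDF_DENIED = 3211  # ER_AUDIT_LOG_UDF_INSUFFICIENT_PRIVILEGE

# Constructed sample lines; the message wording is illustrative only.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000001Z 41 [ERROR] [MY-003211] [Server] audit UDF request rejected for 'app_rw'@'10.0.0.5'
2024-05-01T10:00:02.000001Z 0 [System] [MY-000001] [Server] constructed unrelated startup line
2024-05-01T10:03:10.000001Z 57 [ERROR] [MY-003211] [Server] audit UDF request rejected for 'app_rw'@'10.0.0.5'
2024-05-01T10:05:00.000001Z 60 [ERROR] [MY-003211] [Server] audit UDF request rejected for 'report'@'10.0.0.9'
truncated or non-conforming line that must be skipped
"""

def parse_3211_events(log_text):
    """Return one dict per error-3211 line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or int(m["code"]) != AUDIT_UDF_DENIED:
            continue
        acct = ACCOUNT_RE.search(m["msg"])
        account = f"{acct['user']}@{acct['host']}" if acct else "unknown"
        events.append({"ts": m["ts"], "thread": int(m["thread"]), "account": account})
    return events

def accounts_to_alert(events, threshold=1):
    """Map account -> event count for accounts at or above the threshold."""
    counts = Counter(e["account"] for e in events)
    return {acct: n for acct, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = parse_3211_events(SAMPLE_LOG)
    for acct, n in sorted(accounts_to_alert(found).items()):
        print(f"ALERT: {n} rejected audit-log UDF call(s) by {acct}")
```

Raising `threshold` separates a one-off misconfigured job from an account that keeps retrying the audit UDF without the privilege.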
Error 1227 (HY000) - Access denied; occurs for general privilege issues. Grant missing rights or use DEFINER context.
Error 1142 (42000) - Command denied to user; appears when standard SQL privileges are absent. Adjust SELECT, INSERT, or EXECUTE as appropriate.
The caller does not hold SUPER (MySQL 5.7) or SYSTEM_USER (MySQL 8.0+) so the server blocks the audit UDF.
Automated security hardening removed SUPER without updating applications that still invoke audit_log_write().
A procedure wrapping the UDF is defined by an account lacking SUPER, causing downstream sessions to inherit insufficient rights.
Privileges differ on a replica, so the same UDF call that passes on the primary fails on the replica.
Generic privilege error when executing restricted commands without SUPER.
Occurs when standard SQL privileges such as SELECT or INSERT are missing.
Raised by some backup and clone operations when SYSTEM_USER is absent in MySQL 8.0.
Yes, SUPER/SYSTEM_USER grants wide power. Limit it to service accounts, monitor usage, and prefer role-based grants where possible.
You can uninstall the audit_log plugin or remove UDFs, but you will lose audit logging. Fixing privileges is safer if auditing is required.
SUPER is deprecated; SYSTEM_USER covers most SUPER abilities. Use SYSTEM_USER in new deployments to future-proof privileges.
Galaxy highlights privilege errors inline, suggests the exact GRANT statement via its AI copilot, and lets teams share the corrected SQL in a secured workspace, preventing repeated 3211 errors.