Explanation

Just-in-Time Database Access

Tianzhou
Tianzhou5 min read
Just-in-Time Database Access

Just-In-Time (JIT) Database Access is a security practice where database access privileges are granted temporarily, only when needed, and automatically revoked after a specified period. The goal is to reduce the risk of unauthorized access, minimize the attack surface, and enhance security by ensuring that users or applications have access only when it is necessary for a specific task.

Traditional workflow

Below shows a typical workflow offered by the existing JIT database access solutions:

  1. Incident starts.
  2. On-call visits the JIT system to request elevated database permissions.
  3. Request is approved, JIT system provisions a temporary database user and give it to the on-call.
  4. On-call uses the temporary database user to connect to the production database from a SQL client and starts troubleshooting.
  5. Incident ends.
  6. JIT system revokes the temporary database user or let the user expire automatically.

Although existing JIT solutions provide some degree of automation and centralized control, they are limited by the disconnect between the system used to request and provision JIT database access and the system where end users actually connect to the databases.

  1. Users have to set up different database credentials in their SQL client every time.

  2. While the system can review and audit JIT access requests, it cannot record or control the SQL queries executed by the end users.

Bytebase workflow

Bytebase provides the similar self-service request workflow to JIT database access. Additionally, Bytebase provides additional benefits.

Fine-grained database permissions

Access LevelOperationPermission
ReadEXPLAINsql.explain
Querysql.select
Exportsql.export
Write (subject to execution mode)Mutation DMLsql.dml
DDLsql.ddl
AdminAdminsql.admin
Request change for reviewCreate Issueissues.create

Bytebase enables fine-grained database permissions, allowing you to grant developers only the EXPLAIN permission by default. In the event of an incident, developers can temporarily obtain elevated database permissions, which should be revoked promptly once the issue is resolved. This approach ensures Zero Standing Privileges (ZSP), eliminating persistent access rights within the organization’s IT environment.

Integrated SQL Editor

sql-editor

Bytebase has a built-in SQL Editor so users don't need to jump to a separate SQL client to inspect the databases. Besides, Bytebase can restrict SQL statements and apply dynamic data masking.

API-first

Bytebase can be integrated into the existing Internal Developer Portal (IDP) via API. Below tutorial shows how to embed SQL Editor and configure the database permissions via API.

Comparison

JIT Database Access FeaturesTraditionalBytebase
Self-service request and approval flow
Auto-expiration
Audit logging request
Audit logging SQL
Integrated SQL Client
Dynamic Data Masking
Custom Integration⚠️ Limited due to the lack of an built-in SQL Client

Jointhe community

At Bytebase, we believe in the power of collaboration and open communication, and we have a number of communities that you can join to connect with other like-minded.

Subscribe to Newsletter

By subscribing, you agree with Bytebase's Terms of Service and Privacy Policy.