Skip to main content
Just-in-Time (JIT) access means granting database access only when it’s needed and only for a limited time — instead of standing permissions. A member requests access, an approver reviews it, and the grant expires automatically. In Bytebase, you can grant just-in-time access at two levels of granularity:
  • Request a role — get a time-boxed role (e.g. SQL Editor User) on the selected databases. See Request a Role.
  • Just-in-time data access — get a time-boxed grant to run a specific read-only statement, and optionally export the result (just-in-time data export). Described below.
Either way, the request goes through an approval flow and is recorded in the audit log.

Enable just-in-time access

In your project, click Settings on the left sidebar, then turn on either or both:
  • Allow request role — Allow project members to request roles.
  • Just-In-Time access — Allow project members to request just-in-time (JIT) access.

Request a role

A role grants everything it allows on the selected databases for the duration you request — broader than just-in-time data access, which is scoped to a single statement. Request one from the project or from SQL Editor. See Request a Role for the full steps.

Just-in-time data access

When you don’t have access to a database in SQL Editor, request it just-in-time. In the Request Data Access dialog, provide:
  • Databases — the targets you need to access.
  • Statement — the SQL to run. Only read-only statements are allowed.
  • Export — also export the query result.
  • Unmask — see unmasked sensitive data in the result.
  • Expiration — how long the access stays valid.
  • Reason — the justification reviewers see.
Submitting creates a request issue routed through the Request Just-In-Time Access approval flow.

Just-in-time data export

Including Export in the request grants just-in-time data export — time-boxed permission to export the query result. To require all exports to go through this flow, turn off Enable data export at the workspace level (Settings > General) and turn on Just-In-Time access at the project level. Members can then no longer export directly, but can still request just-in-time data export.

Approval

Each request is reviewed with Custom Approval, under the source that matches the request:
  • Request a role → the Request Role source.
  • Just-in-time data access → the Request Just-In-Time Access source.
For just-in-time data access, conditions can match the request, for example:
  • request.data_export == true — the request includes export.
  • request.unmask == true — the request includes unmasking.
Conditions can also match the target with resource.database_name, resource.table_name, and similar attributes.

Use the granted access

After approval, open the Just-In-Time Access tab — the shield icon on the SQL Editor left sidebar. It lists your active grants, each showing the databases, any Export or Unmask badge, the expiration, and a link to the approval issue. Click Run to execute a grant’s approved statement; if it includes Export, you can export the result. The grant stays usable until it expires. To review every just-in-time grant in a project, go to Data Access > Access Grants in the project sidebar.

Expiration and audit

Just-in-time access expires automatically at the Expiration you set when requesting, so access is never left standing. Members see a reminder before a granted role expires. The audit log records each query and export, including which access grant authorized it.