> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytebase.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SQL Editor Data Access Control

## Background

Traditional local SQL clients like DBeaver and Navicat carries security limitations that Bytebase's centralized approach solves:

| Traditional SQL Clients                                                                       | Bytebase Solution                                                                                         |
| --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| **Distributed Credentials**: Stored locally in plain text, manual revocation, multiple copies | **Centralized Credentials**: Never leave platform, SSO authentication, directory sync, instant revocation |
| **No Fine-Grained Access**: All-or-nothing database access, no table/column restrictions      | **Granular Control**: Database, schema, table-level restrictions with column masking                      |
| **Missing Audit Trails**: Zero visibility, no centralized logging, compliance violations      | **Complete Auditing**: Every query, change, and admin action logged with full context                     |
| **Time-Based Access Gaps**: No temporary access, permanent until revoked                      | **Just-in-Time Access**: Request-based temporary access with approval workflows                           |

## Test vs Production Setup

Below we demonstrate a two environment setup, one for test and one for production. The principle is to provide maximum security for production while keeping developer productivity for test.

### DDL and DML Execution

[Statement execution mode](/change-database/environment-policy/overview/#statement-execution-mode) controls
whether users can run DDL and DML directly in the SQL Editor at the environment level.

|                                  | Test | Prod |
| -------------------------------- | ---- | ---- |
| Allow running DDL                | ✅    | ❌    |
| Allow running data-modifying DML | ✅    | ❌    |

For the production environment, we disable both DDL and DML execution and require all changes to go through the [approval workflow](/change-database/change-workflow).

### Fine-Grained Query

Users need to be granted explicit permissions to query the data from SQL Editor. The most straightforward way is to grant the `SQL Editor User` role to the user inside
the project.

1. Specify `SQL Editor User` as the role.
2. Specify a reason.
3. Grant the access to all databases in the project or fine-grained to specific databases, schemas, and tables.
4. Specify an expiration date.

<img src="https://mintcdn.com/dbx/hVml3kA8vNK6vcVL/content/docs/onboarding/sql-editor-data-access-control/grant.webp?fit=max&auto=format&n=hVml3kA8vNK6vcVL&q=85&s=2e60c4bb7927d5843407dac30d096a3d" alt="grant" width="1102" height="1208" data-path="content/docs/onboarding/sql-editor-data-access-control/grant.webp" />

<Tip>
  `SQL Editor User` is a built-in role that allows users to run `EXPLAIN`, `SELECT` and export data. If you want to allow users to run `EXPLAIN` only, you can create a [custom role](/administration/roles) with `bb.sql.explain` permission.
</Tip>

### Just-In-Time Access

You may disallow any production access by default and only allow temporary access on-demand. Users can this request temporary access
via the SQL Editor. You will configure the [custom approval policy](/change-database/approval) to designate the approvers.

### Audit Logging

<Note>
  For data privacy reasons, Bytebase does not log the actual data in the query result.
</Note>

Every query is [audit logged](/security/audit-log). From the audit logging view, you can see the actor, the database, the SQL statement, and the result.
and the returned columns.

<Tabs>
  <Tab title="Dashboard">
    <img src="https://mintcdn.com/dbx/hVml3kA8vNK6vcVL/content/docs/onboarding/sql-editor-data-access-control/audit-log-dashboard.webp?fit=max&auto=format&n=hVml3kA8vNK6vcVL&q=85&s=0f615ca5b0bd7c5e3305cef57aebb5dc" alt="grant" width="1122" height="715" data-path="content/docs/onboarding/sql-editor-data-access-control/audit-log-dashboard.webp" />
  </Tab>

  <Tab title="Sample Request Log">
    <img src="https://mintcdn.com/dbx/hVml3kA8vNK6vcVL/content/docs/onboarding/sql-editor-data-access-control/audit-log-request.webp?fit=max&auto=format&n=hVml3kA8vNK6vcVL&q=85&s=ce3fb3591b23b07b6075e0fce21f55ca" alt="grant" width="1478" height="753" data-path="content/docs/onboarding/sql-editor-data-access-control/audit-log-request.webp" />
  </Tab>

  <Tab title="Sample Response Log">
    <img src="https://mintcdn.com/dbx/hVml3kA8vNK6vcVL/content/docs/onboarding/sql-editor-data-access-control/audit-log-response.webp?fit=max&auto=format&n=hVml3kA8vNK6vcVL&q=85&s=9b4a6560fd25ad248886cd30c0e6c0e3" alt="grant" width="1445" height="992" data-path="content/docs/onboarding/sql-editor-data-access-control/audit-log-response.webp" />
  </Tab>
</Tabs>

## Summary

Below is a summary of the access control settings for the test and production environments.

|                                     | Test | Prod |
| ----------------------------------- | ---- | ---- |
| Allow running DDL                   | ✅    | ❌    |
| Allow running data-modifying DML    | ✅    | ❌    |
| Fine-grained EXPLAIN, Query, Export | ✅    | ✅    |
| Just-in-Time Access                 | ✅    | ✅    |
| Audit Logging                       | ✅    | ✅    |

You can extend the solution by exploring the following features:

* Create [user groups](/administration/user-groups) and enable [directory sync](/administration/scim/overview) to automate the role assignment.
* Configure [data masking](/security/data-masking/overview) to mask sensitive data.
* Use [Terraform](/integrations/terraform/overview) to codify all the settings.
