Just-In-Time (JIT) Database Access is a security practice where database access privileges are granted temporarily, only when needed, and automatically revoked after a specified period. The goal is to reduce the risk of unauthorized access, minimize the attack surface, and enhance security by ensuring that users or applications have access only when it is necessary for a specific task.
Traditional workflow
Below is the typical workflow offered by existing JIT database access solutions:
- Incident starts.
- On-call visits the JIT system to request elevated database permissions.
- Request is approved; the JIT system provisions a temporary database user and hands it to the on-call.
- On-call uses the temporary database user to connect to the production database from a SQL client and starts troubleshooting.
- Incident ends.
- JIT system revokes the temporary database user or lets it expire automatically.
A limitation arises when the system used to request and provision JIT database access is separate from the system through which end users actually connect to the databases. The access request itself can be reviewed and audited, but the SQL statements the on-call runs with the temporary user are neither recorded nor controlled by the JIT system.
Bytebase workflow
Bytebase provides a similar self-service request workflow for JIT database access, with the additional benefits below.
Fine-grained database permissions
Access Level | Operation | Permission |
---|---|---|
Read | EXPLAIN | sql.explain |
Read | Query | sql.select |
Read | Export | sql.export |
Write (subject to execution mode) | Mutation DML | sql.dml |
Write (subject to execution mode) | DDL | sql.ddl |
Admin | Admin | sql.admin |
Request change for review | Create Issue | issues.create |
Bytebase enables fine-grained database permissions, so developers can be granted only the EXPLAIN permission by default. During an incident, a developer temporarily obtains elevated permissions scoped to the databases involved, and those permissions are revoked (or expire) as soon as the issue is resolved. This yields Zero Standing Privileges (ZSP): no persistent elevated access rights remain in the organization's IT environment between incidents.
Integrated SQL Editor
Bytebase has a built-in SQL Editor, so users do not need to switch to a separate SQL client to inspect databases. Because the queries run through Bytebase, it can also restrict which SQL statements are allowed and apply dynamic data masking to the results.
API-first
Bytebase can be integrated into an existing Internal Developer Portal (IDP) via its API. The tutorial below shows how to embed the SQL Editor and configure database permissions via the API.
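The JIT lifecycle from the fine-grained permissions section (EXPLAIN-only baseline, temporary database-scoped elevation, automatic expiry) together with the API-first idea of provisioning that grant as a policy binding, as one added example. This is illustrative code written for this page, not Bytebase's own code or its real API: the permission identifiers come from the table above, but the `binding_payload` field names (`role`, `members`, `condition.expression` with a CEL-style `request.time`/`resource.database` check), the role name `roles/projectQuerier`, the user and database names, and the timestamps are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Permission identifiers from the table above, keyed by operation.
PERMISSIONS = {
    "EXPLAIN": "sql.explain",
    "Query": "sql.select",
    "Export": "sql.export",
    "Mutation DML": "sql.dml",
    "DDL": "sql.ddl",
    "Admin": "sql.admin",
    "Create Issue": "issues.create",
}

# Zero Standing Privileges baseline: the only permission a developer
# holds without an active JIT grant.
STANDING = {"sql.explain"}


@dataclass
class Grant:
    member: str
    permissions: set[str]
    databases: set[str]
    expires_at: datetime  # hard expiry; no grant is honoured past this

    def active(self, now: datetime) -> bool:
        return now < self.expires_at


@dataclass
class Policy:
    grants: list[Grant] = field(default_factory=list)

    def request_jit(self, member: str, operations: list[str], databases: list[str],
                    ttl: timedelta, now: datetime) -> Grant:
        """Approve a JIT request: a temporary grant scoped to named databases."""
        grant = Grant(member, {PERMISSIONS[op] for op in operations},
                      set(databases), now + ttl)
        self.grants.append(grant)
        return grant

    def allowed(self, member: str, operation: str, database: str, now: datetime) -> bool:
        """Standing permissions always pass; anything else needs an unexpired,
        database-scoped grant for this member."""
        perm = PERMISSIONS[operation]
        if perm in STANDING:
            return True
        return any(
            g.member == member and g.active(now)
            and perm in g.permissions and database in g.databases
            for g in self.grants
        )

    def revoke_expired(self, now: datetime) -> int:
        """Drop expired grants (the auto-expiration step); returns the count revoked."""
        keep = [g for g in self.grants if g.active(now)]
        revoked = len(self.grants) - len(keep)
        self.grants = keep
        return revoked


def binding_payload(grant: Grant, role: str) -> dict:
    """Render a grant as an IAM-style policy binding with a CEL condition.
    ASSUMPTION: the field names mirror a generic setIamPolicy-style body;
    this page does not show Bytebase's actual request schema."""
    expiry = grant.expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    dbs = ", ".join(f'"{d}"' for d in sorted(grant.databases))
    return {
        "role": role,
        "members": [f"user:{grant.member}"],
        "condition": {
            "title": f"JIT access until {expiry}",
            "expression": f'request.time < timestamp("{expiry}") && resource.database in [{dbs}]',
        },
    }


def run_scenario() -> dict:
    """Walk one incident: request, use, expire, revoke. All data is constructed."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = Policy()
    alice, prod = "alice@example.com", "instances/pg-prod/databases/orders"
    out = {"explain_before": policy.allowed(alice, "EXPLAIN", prod, t0),
           "query_before": policy.allowed(alice, "Query", prod, t0)}
    grant = policy.request_jit(alice, ["Query", "Export"], [prod], timedelta(hours=1), t0)
    out["query_during"] = policy.allowed(alice, "Query", prod, t0 + timedelta(minutes=30))
    out["dml_during"] = policy.allowed(alice, "Mutation DML", prod, t0 + timedelta(minutes=30))
    out["query_other_db"] = policy.allowed(alice, "Query", "instances/pg-prod/databases/users", t0)
    out["query_after"] = policy.allowed(alice, "Query", prod, t0 + timedelta(hours=1))
    out["revoked"] = policy.revoke_expired(t0 + timedelta(hours=1))
    out["binding"] = binding_payload(grant, "roles/projectQuerier")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(run_scenario(), indent=2))
```

The point of `allowed` is that elevation is denied on three independent axes: a permission outside the grant (`Mutation DML`), a database outside the grant, and any time at or after `expires_at`. Whatever system actually enforces the binding should put the expiry in the condition itself, as `binding_payload` does, so that access dies even if the revocation job never runs.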
Comparison
JIT Database Access Features | Traditional | Bytebase |
---|---|---|
Self-service request and approval flow | ✅ | ✅ |
Auto-expiration | ✅ | ✅ |
Audit logging request | ✅ | ✅ |
Audit logging SQL | ❌ | ✅ |
Integrated SQL Client | ❌ | ✅ |
Dynamic Data Masking | ❌ | ✅ |
Custom Integration | ⚠️ Limited due to the lack of a built-in SQL client | ✅ |