Security in DBeaver PRO: questions and answers

Working with databases inevitably leads to the need to provide security at different levels. For this reason, we at DBeaver, as the creators of the database tool, pay special attention to sensitive data safety and follow security best practices. Today we want to answer some of the most popular security-related questions.

Can I password-protect my databases at the app level to be sure that no one can access my data?
The simplest level of protection for your data can indeed be achieved by using a password. In DBeaver, you can set the password for a separate project or a master password for all your projects in a local workspace. DBeaver does not store it anywhere, it only encrypts user credentials in a special local storage. It is not possible to decrypt this password.

Instead of using a master password, you can also use system credentials to do the same.

I want to share some data with our marketing specialists but want to prevent any changes in database tables. Is it possible with DBeaver?
In DBeaver, you can set the password for the connection to make it read-only. In this case, users will have access to all the necessary data, but they will not be able to edit anything. Such connections will be marked with an orange Padlock icon.

Another way to share data with colleagues without giving them the possibility to edit anything is to use DBeaver Team Edition. For example, you can create a dataset based on a particular SQL query, and if your teammate has a Viewer role, they will not be able to change any data.
How to avoid any changes in the database metadata and system information?
It is possible to customize users’ preferences before running DBeaver. In particular, you can force hide all objects from the navigation tree, except tables and views, by setting the default simple mode for all database connections. When this mode is chosen, the number of fields in the Metadata editor is also reduced to the necessary minimum, which prevents accidental changes to any advanced settings.

How is the security working with cloud databases in DBeaver ensured?
If you use Single Sign-On authentication to connect to your company services, you can do the same with DBeaver. Our apps support AWS, Microsoft Azure, and GCP SSO. When a user connects to the cloud database, DBeaver opens a web browser with SSO authentication. So you do not need to manage, store, and transfer user credentials.

Moreover, it is possible to work with several cloud configurations simultaneously. If you need to work with different cloud providers, we suggest using DBeaver Ultimate and its Cloud Explorer feature. It frees you from configuring a lot of settings and allows you to work with a large number of AWS, Microsoft Azure, and GCP databases at the same time. You can learn more about Cloud Explorer settings in our Wiki.

Users can also log in to CloudBeaver and Team Edition with cloud providers’ credentials. Thanks to this single-point authorization, the administrator does not have to share any key files or credentials with users.
Our team consists of several different technical specialists and business users. How can they work together safely with the same data?
We suggest using DBeaver Team Edition in this use case. With it, your team leader or administrator can manage the necessary pre-settings, and all the users should do is just log in to the system and start working with the connections and scripts.

On the other hand, by using the role mechanism in Team Edition you can clearly distribute access levels for each user. For example, for Editors and Viewers, we have a special simplified interface without complicated technical features. At the same time, they have access to all the necessary data and can work with it.