Security in DBeaver PRO
Note: This feature is available in Lite, Enterprise, Ultimate and Team editions only.
Table of contents
The level of security is one of the key questions for enterprises, and the DBeaver team pays a lot of attention to it. One of the best reasons to use PRO versions is to take advantage of its security tools and features, such as password protection, SSO authentication, teams and roles in Team Edition.
This article briefly describes the most important security options available in DBeaver PRO.
Master password
You can enhance security in DBeaver with the Master Password, which encrypts credentials and sensitive data using a secure storage system. This feature ensures that each user's credentials are individually protected by their own Master Password, tying the encryption specifically to their local environment.
For more details, refer to the Managing Master Password article.
Changing database password
Users can change the current database password directly in DBeaver in the following databases:
- Cockroach
- Exasol
- Greenplum
- Netezza
- Oracle
- PostgreSQL
- Redshift
- Snowflake
- SQL Server
- Vertica.
Oracle, PostgreSQL, and Netezza allow changing an expired password in DBeaver as well.
Password protection for Projects
Master password for all your Projects
You can protect all Projects in your local workspace with a Master password.
You can set this password and store it in DBeaver password provider or use a generated password from your local password provider (for instance, OS X Keystore Integration or Windows integration provider).
Learn more about the Master password for Projects
Password for one project
You can specify a password for any project to protect all the project's configurations.
Learn more about project password
Secure authentication
You can connect to databases using secure authentication via Kerberos or GCP, AWS, and Azure cloud services.
Kerberos support
Kerberos is an authentication protocol, the default authentication technology used in Microsoft Windows.
You can connect via Kerberos using keytab, kinit, or a password. Open the connection settings, choose one of the supported databases and select Kerberos as the authentication method.
Learn more about authentication via Kerberos
SSO authentication
Users can connect to all company services using only one login and password. This is possible if you use SSO - Single Sign-On authentication service.
You do not need to manage, store, and transfer user credentials. When a user connects to the database, DBeaver opens a web browser with SSO authentication.
DBeaver supports the following SSO authentication services:
Predefined connections
Connections import
You can describe all available database connections in configuration files (in JSON format) or import from CSV or XML DBeaver.
Read-only connections
If you want to restrict users from editing connection parameters, you can protect them with passwords.
Users roles and permissions
Configuring preferences
You can customize users preferences before they run DBeaver. For example, you can set the default simple mode for all connections (to show only schemas and tables and hide all system and service objects).
Roles in Team Edition
The best way to manage user access, restrictions, and permissions is to use Team Edition.
Team Edition allows you to create users and assign them appropriate roles with predefined capabilities.
You can add Viewers and Editors to work with prepared data, Managers to prepare data for them, Developers to work with scripts and connections, and administrators to manage everything.
Centralized automatic updates
If your team works on Microsoft Windows, you can organize DBeaver mass updates in silent mode, without user input, using the Windows Installer command line options.
Learn more about silent install
License management
You can place the license file in the user's workspace or store it elsewhere, and specify the license path on the command line or in the DBeaver configuration file.