DBeaver Documentation


Security in DBeaver PRO

Note: This feature is available in Lite, Enterprise, Ultimate and Team editions only.

The level of security is one of the key questions for enterprises, and the DBeaver team pays a lot of attention to it. One of the best reasons to use PRO versions is to take advantage of its security tools and features, such as password protection, SSO authentication, teams and roles in Team Edition.

This article briefly describes the most important security options available in DBeaver PRO.

Master password

You can enhance security in DBeaver with the Master Password, which encrypts credentials and sensitive data using a secure storage system. This feature ensures that each user's credentials are individually protected by their own Master Password, tying the encryption specifically to their local environment. For more details, refer to the Managing Master Password article.

Changing database password

Users can change the current database password directly in DBeaver in the following databases:

  • Cockroach
  • Exasol
  • Greenplum
  • Netezza
  • Oracle
  • PostgreSQL
  • Redshift
  • Snowflake
  • SQL Server
  • Vertica.

Oracle, PostgreSQL, and Netezza allow changing an expired password in DBeaver as well.

Password protection for Projects

Master password for all your Projects

You can protect all Projects in your local workspace with a Master password.

You can set this password and store it in DBeaver password provider or use a generated password from your local password provider (for instance, OS X Keystore Integration or Windows integration provider).

Learn more about the Master password for Projects

Password for one project

You can specify a password for any project to protect all the project's configurations.

Learn more about project password

Secure authentication

You can connect to databases using secure authentication via Kerberos or GCP, AWS, and Azure cloud services.

Kerberos support

Kerberos is an authentication protocol, the default authentication technology used in Microsoft Windows.

You can connect via Kerberos using keytab, kinit, or a password. Open the connection settings, choose one of the supported databases and select Kerberos as the authentication method.

Learn more about authentication via Kerberos

SSO authentication

Users can connect to all company services using only one login and password. This is possible if you use SSO - Single Sign-On authentication service.

You do not need to manage, store, and transfer user credentials. When a user connects to the database, DBeaver opens a web browser with SSO authentication.

DBeaver supports the following SSO authentication services:

Predefined connections

Connections import

You can describe all available database connections in configuration files (in JSON format) or import from CSV or XML DBeaver.

Read-only connections

If you want to restrict users from editing connection parameters, you can protect them with passwords.

Users roles and permissions

Configuring preferences

You can customize users preferences before they run DBeaver. For example, you can set the default simple mode for all connections (to show only schemas and tables and hide all system and service objects).

How to manage preferences

Roles in Team Edition

The best way to manage user access, restrictions, and permissions is to use Team Edition.

Team Edition allows you to create users and assign them appropriate roles with predefined capabilities.

You can add Viewers and Editors to work with prepared data, Managers to prepare data for them, Developers to work with scripts and connections, and administrators to manage everything.

Learn more about Team Edition

Centralized automatic updates

If your team works on Microsoft Windows, you can organize DBeaver mass updates in silent mode, without user input, using the Windows Installer command line options.

Learn more about silent install

License management

You can place the license file in the user's workspace or store it elsewhere, and specify the license path on the command line or in the DBeaver configuration file.