Security & Access Control

Authentication

Multiple authentication methods for every deployment scenario

JWT Token Authentication

Industry-standard JSON Web Tokens with configurable expiration, refresh token support, and secure token storage.

API Key Authentication

Long-lived API keys for service accounts and automation. Support for key rotation and scoped permissions.

OAuth2 / OIDC Integration

Connect to enterprise identity providers including Azure AD, Okta, Auth0, and any OpenID Connect compliant IdP.

Password Security

Argon2 password hashing with configurable work factors. Password policies and secure reset flows.

Secure Credential Vault

Sensitive credentials stored in OS Keychain or cloud key vaults, never in config files, never in plaintext

How It Works

Credentials (database passwords, cloud tokens, API keys) are stored in secure, OS-native or cloud-native vaults
The GUI never accesses credential stores directly. All operations go through the control plane API
Credentials are never stored in the catalog database, only references
Compute nodes receive credentials on-demand via secure API with audit trails

Supported Backends

OS Keychain - Windows Credential Manager, macOS Keychain, Linux Secret Service. Perfect for desktop and development.
Azure Key Vault - Full production support. Azure AD authentication with Browser sign-in (no CLI needed), Service Principal, or Managed Identity.
AWS Secrets Manager - Under development, coming soon.
GCP Secret Manager - Under development, coming soon.

Credential Types Managed

Cloud storage (S3 access keys, Azure account keys/SAS tokens, GCS service accounts)
Database connections (SQL Server, PostgreSQL, etc.)
API tokens and bearer tokens
Identity-based authentication (Azure AD, passwordless)

Security Design Principles

Secrets never in database - catalog stores only metadata and references
GUI isolation - GUI never touches credentials directly, always through control plane HTTP API
Automatic environment detection - deploys on desktop? Uses OS Keychain. Deploys on Azure? Uses Key Vault automatically.
Identity-based auth - supports passwordless authentication via Azure AD browser sign-in, reducing static secret sprawl
Audit trail - every credential access is tracked
Modular backends - compile only the backends you need via feature flags

Credential Flow

Developer  ->  GUI  ->  Control Plane API  ->  Credential Vault (Keychain / Key Vault)
                                                        |
                                               Compute Node (on-demand)

Role-Based Access Control

Fine-grained permissions at every level of your data

Privilege Types

SELECT - Read data from tables
INSERT - Add new rows
UPDATE - Modify existing rows
DELETE - Remove rows
CREATE - Create new objects
DROP - Remove objects
ALTER - Modify object definitions
ADMIN - Full administrative access

Object Levels

Workspace-level permissions
Schema-level permissions
Table-level permissions
Column-level permissions
View-level permissions
Function-level permissions

Role Management

Custom role definitions
Role hierarchy with inheritance
Role composition (multiple roles)
Default roles for new users
Time-limited role grants
GRANT WITH GRANT OPTION

User Management

User accounts with profiles
Service accounts for automation
Group-based assignments
Workspace membership
Session management
Active session revocation

Data Security Policies

Protect sensitive data at the column and row level

Column Masking

Dynamic data masking with multiple masking types: full mask, partial mask, hash, null replacement, and custom functions.

Row-Level Security

Filter rows based on user attributes. Users only see data they're authorized to access, enforced at query time.

Policy Inheritance

Security policies cascade from parent objects. Schema policies apply to all tables; workspace policies apply to all schemas.

Dynamic Evaluation

Policies evaluated at query time using current user context. Support for user attributes, group membership, and custom claims.

Masking Functions

Built-in masking functions for common data types

FULL

Replace entire value with mask characters (****)

PARTIAL

Show first/last N characters, mask middle

EMAIL

Mask email local part, preserve domain

PHONE

Show area code, mask remaining digits

CREDIT_CARD

Show last 4 digits only

SSN

Mask social security numbers

HASH

One-way hash for consistent pseudonymization

NULL

Replace value with NULL

DATE_YEAR

Reduce date precision to year only

RANDOM

Replace with random value of same type

Audit & Compliance

Comprehensive logging for security and compliance requirements

Audit Events

All authentication events
Authorization decisions
Data access (read/write)
Schema changes (DDL)
Permission changes
Configuration changes

Event Details

Timestamp with timezone
User identity and session
Source IP address
Action and resource
Success/failure status
Request parameters

Query Logging

Full SQL query capture (optional)
Query duration and performance
Rows accessed/modified
Tables and columns touched
Data volume metrics

Compliance Support

Configurable retention policies
Tamper-evident logging
Log export capabilities
SIEM integration
Compliance reports

Encryption

Data protection at rest and in transit

Encryption at Rest

AES-256 encryption for all stored data. Support for customer-managed keys (CMK) across all cloud providers.

Encryption in Transit

TLS 1.3 for all network communications. Certificate pinning support for high-security environments.

Key Management

Integrated with cloud KMS services. Support for key rotation, versioning, and hierarchical key structures.

Field-Level Encryption

Encrypt sensitive columns with separate keys. Searchable encryption for specific use cases.

Enterprise-Grade Security