Administration

User Management

Control who has access to your DB Audit organization with role-based access control, SSO integration, and granular permissions.

Roles & Permissions

DB Audit uses role-based access control (RBAC) to manage what users can see and do. Assign roles based on job function to follow the principle of least privilege.

Owner

Full access to all features, billing, and organization settings. Can delete the organization.

  • All permissions
  • Manage billing
  • Delete organization

Admin

Manage users, databases, policies, and integrations. Cannot access billing or delete the organization.

  • Manage users
  • Manage databases
  • Manage policies
  • Configure integrations
  • View all data

Analyst

View and investigate events, create reports, and manage alerts. Cannot modify configurations.

  • View events
  • Create reports
  • Manage own alerts
  • Export data
  • View policies

Viewer

Read-only access to dashboards and events. Ideal for compliance auditors.

  • View dashboards
  • View events
  • View reports

Teams

Organize users into teams to manage database access at scale. Teams can be scoped to specific databases using patterns.

Database Scoping

Restrict team access to specific databases using wildcard patterns (e.g., db_prod_*).

Default Roles

Set a default role for team members. Individual users can have elevated permissions.

SSO Integration

Auto-assign users to teams based on IdP groups via SAML or OIDC claims.

# Create a team
curl -X POST "https://api.dbaudit.ai/v1/teams" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Security Operations",
    "description": "SOC team for incident response",
    "database_access": ["db_prod_*", "db_staging_*"],
    "default_role": "analyst"
  }'
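The role table and the team scoping above only matter once they are combined into a single access decision. The following is an added example in Python, not DB Audit's own code. It assumes permission identifiers of its own (the docs list permissions in prose only), that a user's own role and their team's default role combine as "highest wins", and that admins and owners ("View all data") are not subject to database scoping; a user with no team and no admin role is assumed to reach no database at all.

```python
# Added example, not DB Audit's own code: how a role, a team's default role
# and the team's database_access patterns combine into one access decision.
# Assumptions not stated in the docs: the permission identifiers below, that
# a user's own role and the team default combine as "highest wins", and that
# admins and owners ("View all data") are not subject to database scoping.
from fnmatch import fnmatchcase

# Role hierarchy as listed in the docs, least to most privileged.
ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2, "owner": 3}

# Permission identifiers are assumed; each set mirrors the docs' role bullets.
ROLE_PERMISSIONS = {
    "viewer": {"dashboards:view", "events:view", "reports:view"},
    "analyst": {"events:view", "reports:create", "alerts:manage_own",
                "data:export", "policies:view"},
    "admin": {"users:manage", "databases:manage", "policies:manage",
              "integrations:configure", "data:view_all"},
    "owner": {"billing:manage", "organization:delete"},
}


def permissions_for(role):
    """A role inherits every permission of the roles ranked below it."""
    perms = set()
    for name, rank in ROLE_RANK.items():
        if rank <= ROLE_RANK[role]:
            perms |= ROLE_PERMISSIONS[name]
    return perms


def effective_role(user_role, team_default_roles):
    """Team membership sets a floor: an individual user may be elevated
    above the team default but is never demoted by it (assumption)."""
    return max([user_role, *team_default_roles], key=ROLE_RANK.__getitem__)


def database_in_scope(database, patterns):
    """Wildcard scoping exactly as in database_access (e.g. db_prod_*)."""
    return any(fnmatchcase(database, pattern) for pattern in patterns)


def can(user, teams, permission, database):
    """Deny unless the effective role grants the permission AND the database
    falls inside one of the user's team scopes. Admins and owners bypass
    scoping; a non-admin with no team reaches no database (fail closed)."""
    member_of = [teams[name] for name in user["teams"]]
    role = effective_role(user["role"], [t["default_role"] for t in member_of])
    if permission not in permissions_for(role):
        return False
    if ROLE_RANK[role] >= ROLE_RANK["admin"]:
        return True
    patterns = [p for t in member_of for p in t["database_access"]]
    return database_in_scope(database, patterns)


# Constructed sample data, shaped like the team created in the curl call above.
TEAMS = {
    "security-operations": {
        "database_access": ["db_prod_*", "db_staging_*"],
        "default_role": "analyst",
    }
}
JANE = {"role": "viewer", "teams": ["security-operations"]}  # raised to analyst by the team
BOB = {"role": "admin", "teams": []}
NO_TEAM = {"role": "viewer", "teams": []}

if __name__ == "__main__":
    print(can(JANE, TEAMS, "data:export", "db_prod_orders"))      # True
    print(can(JANE, TEAMS, "data:export", "db_dev_scratch"))      # False: outside team scope
    print(can(JANE, TEAMS, "policies:manage", "db_prod_orders"))  # False: analyst cannot
    print(can(BOB, TEAMS, "databases:manage", "db_dev_scratch"))  # True: admin sees all data
    print(can(NO_TEAM, TEAMS, "events:view", "db_prod_orders"))   # False: no scope at all
```

The fail-closed branch for users without a team is the part worth copying: if scoping is implemented as "no patterns means no restriction", adding a new viewer who has not yet been placed in a team silently grants them every database.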

Authentication Methods

Email & Password

Standard authentication with email verification and password requirements.

  • Email verification required
  • Configurable password policy
  • Password reset via email

SSO (SAML 2.0)

Enterprise single sign-on with SAML identity providers.

  • Okta, Azure AD, OneLogin, Google Workspace
  • Just-in-time provisioning
  • Automatic role mapping

SSO (OIDC)

OpenID Connect integration for modern identity providers.

  • Auth0, Keycloak, custom providers
  • OAuth 2.0 flow
  • Custom claim mapping

LDAP / Active Directory

Direct bind authentication against on-premise directory services. Ideal for air-gapped environments.

  • LDAP and LDAPS (port 636) support
  • Active Directory with nested group resolution
  • Works fully offline — no cloud IdP required

API Keys

Programmatic access for integrations and automation.

  • Scoped permissions
  • Expiration dates
  • Usage tracking

Multi-Factor Authentication

Protect accounts with MFA. Admins can enforce MFA organization-wide for compliance.

Authenticator Apps

Google Authenticator, Authy, 1Password, and any TOTP-compatible app.

Security Keys

WebAuthn/FIDO2 support for YubiKey and other hardware tokens.

Recovery Codes

One-time backup codes for account recovery if MFA device is lost.

SSO Configuration (SAML)

Configure SAML 2.0 SSO to allow users to authenticate with your identity provider. Supports automatic user provisioning and role mapping. Leave enforce_sso at false only while you verify the integration; once logins through the IdP succeed, set it to true to require SSO for all users.

Enterprise Feature

SSO is available on Enterprise plans. Contact sales to enable SSO for your organization.

# SAML SSO Configuration (Admin Dashboard)
{
  "sso_provider": "saml",
  "entity_id": "https://dbaudit.ai/saml/your-org",
  "acs_url": "https://api.dbaudit.ai/auth/saml/callback",
  "idp_metadata_url": "https://your-idp.com/metadata.xml",
  "attribute_mapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  },
  "role_mapping": {
    "DBaudit-Admins": "admin",
    "DBaudit-Analysts": "analyst",
    "DBaudit-Viewers": "viewer"
  },
  "jit_provisioning": true,
  "enforce_sso": false
}

LDAP / Active Directory

For on-premise and air-gapped deployments, DB Audit supports direct LDAP/Active Directory authentication. This allows users to log in with their corporate credentials without requiring any cloud-based identity provider.

LDAP & LDAPS

Supports LDAP (port 389) and LDAPS (port 636, TLS). Always use LDAPS in production: over plain LDAP the service account's bind password and every user's login password cross the network in cleartext.

Group-Based Roles

Map Active Directory groups to DB Audit roles automatically, including nested group resolution.

Fully Offline

Works entirely within your network. No internet connectivity required — ideal for air-gapped environments.

# LDAP / Active Directory Configuration
{
  "auth_provider": "ldap",
  "ldap": {
    "host": "ldap.internal.company.com",
    "port": 636,
    "use_ssl": true,
    "bind_dn": "CN=dbaudit-svc,OU=Service Accounts,DC=company,DC=com",
    "bind_password": "${LDAP_BIND_PASSWORD}",
    "base_dn": "OU=Users,DC=company,DC=com",
    "user_filter": "(sAMAccountName={username})",
    "group_filter": "(member={user_dn})",
    "attributes": {
      "username": "sAMAccountName",
      "email": "mail",
      "display_name": "displayName",
      "groups": "memberOf"
    },
    "group_mapping": {
      "CN=DBaudit-Admins,OU=Groups,DC=company,DC=com": "admin",
      "CN=DBaudit-Analysts,OU=Groups,DC=company,DC=com": "analyst",
      "CN=DBaudit-Viewers,OU=Groups,DC=company,DC=com": "viewer"
    },
    "connection_timeout": "10s",
    "request_timeout": "30s"
  }
}

ADFS SAML Configuration (On-Premise IdP)

For organizations using Active Directory Federation Services (ADFS), DB Audit supports SAML 2.0 SSO with ADFS as the identity provider. This keeps authentication entirely on-premise.

Air-Gapped Compatible

ADFS SAML authentication works fully offline with on-premise ADFS servers. No cloud connectivity needed.

# ADFS SAML Configuration (On-Premise IdP)
{
  "sso_provider": "saml",
  "entity_id": "https://dbaudit.internal.company.com/saml",
  "acs_url": "https://dbaudit.internal.company.com/auth/saml/callback",
  "idp_metadata_url": "https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml",
  "attribute_mapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "role_mapping": {
    "DBaudit-Admins": "admin",
    "DBaudit-Analysts": "analyst",
    "DBaudit-Viewers": "viewer"
  },
  "jit_provisioning": true,
  "enforce_sso": true
}
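Two things the LDAP, SAML and ADFS configurations above leave implicit are worth seeing in code: the {username} and {user_dn} placeholders in user_filter and group_filter must be escaped per RFC 4515 before they are interpolated, otherwise a crafted login name rewrites the directory query; and group memberships (memberOf DNs from LDAP, or the groups attribute from a SAML assertion) have to be resolved to exactly one DB Audit role. The following is an added example in Python, not DB Audit's own code. It assumes that the highest mapped role wins when a user is in several mapped groups, and that a user matching no mapped group receives no role (deny) rather than a default; the configuration values are copied from the examples above.

```python
# Added example, not DB Audit's own code. Shows (1) RFC 4515 escaping of the
# values substituted into user_filter/group_filter and (2) resolving LDAP
# memberOf DNs or SAML group claims to a role via group_mapping/role_mapping.
# Assumptions: "highest mapped role wins" and "no match means no role".
import re

ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2, "owner": 3}


def escape_filter_value(value):
    """RFC 4515: escape backslash, *, (, ), NUL and every non-ASCII character
    as \\xx escapes of the UTF-8 bytes, so the value can never be parsed as
    filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, **values):
    """Fill {placeholders} such as {username} or {user_dn}, escaping each value."""
    return re.sub(r"\{(\w+)\}",
                  lambda m: escape_filter_value(values[m.group(1)]), template)


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore whitespace around the RDN
    separators. Commas escaped as \\, inside a value are kept as part of it."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(part.strip() for part in parts).lower()


def resolve_role(memberships, mapping, normalize=lambda s: s):
    """Map group memberships to a role; None when nothing matches (deny)."""
    table = {normalize(group): role for group, role in mapping.items()}
    matched = [table[normalize(g)] for g in memberships if normalize(g) in table]
    return max(matched, key=ROLE_RANK.__getitem__) if matched else None


# Values copied from the LDAP and SAML configuration examples above.
USER_FILTER = "(sAMAccountName={username})"
GROUP_FILTER = "(member={user_dn})"
LDAP_GROUP_MAPPING = {
    "CN=DBaudit-Admins,OU=Groups,DC=company,DC=com": "admin",
    "CN=DBaudit-Analysts,OU=Groups,DC=company,DC=com": "analyst",
    "CN=DBaudit-Viewers,OU=Groups,DC=company,DC=com": "viewer",
}
SAML_ROLE_MAPPING = {"DBaudit-Admins": "admin", "DBaudit-Analysts": "analyst",
                     "DBaudit-Viewers": "viewer"}


def ldap_role(memberof_values):
    """memberOf values come back in whatever case/spacing AD stores them."""
    return resolve_role(memberof_values, LDAP_GROUP_MAPPING, normalize_dn)


def saml_role(group_claim_values):
    """SAML group claims are plain names; ADFS and Azure AD emit them as-is."""
    return resolve_role(group_claim_values, SAML_ROLE_MAPPING)


if __name__ == "__main__":
    # A login name carrying filter metacharacters stays a literal value.
    print(render_filter(USER_FILTER, username="jdoe)(objectClass=*"))
    # -> (sAMAccountName=jdoe\29\28objectClass=\2a)
    print(ldap_role(["cn=dbaudit-analysts, ou=groups, dc=company, dc=com",
                     "CN=All-Staff,OU=Groups,DC=company,DC=com"]))      # analyst
    print(saml_role(["DBaudit-Viewers", "DBaudit-Admins"]))             # admin
    print(saml_role(["Everyone"]))                                      # None
```

Without the escaping step, a username of `*` turns `(sAMAccountName=*)` into a match on every account, and `jdoe)(objectClass=*` closes the filter early and appends a clause of the attacker's choosing. Returning None for unmapped users matters for the same reason as jit_provisioning: just-in-time creation of an account for anyone the IdP authenticates is only safe when group membership, not mere authentication, decides the role.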

MFA Works Offline

TOTP-based MFA (Google Authenticator, Authy, etc.) and hardware security keys (YubiKey) work entirely offline. No internet connection is required for multi-factor authentication in air-gapped environments. TOTP does depend on the server's clock agreeing with the authenticator app's clock to within the code window, so keep the DB Audit host synchronized to an internal NTP source.

API Keys

Create API keys for programmatic access. Keys can be scoped to specific permissions, given an expiration date, and restricted by IP address. The key value is returned once at creation and cannot be retrieved afterwards, so store it in a secrets manager immediately.

Available Scopes

  • events:read        Read audit events
  • events:export      Export events to files
  • policies:read      View audit policies
  • policies:write     Create and modify policies
  • databases:read     View database configurations
  • databases:write    Add and configure databases
  • users:read         View user list
  • users:write        Manage users and roles
  • alerts:read        View alert configurations
  • alerts:write       Configure alert rules
  • reports:read       View and download reports
  • reports:write      Generate and schedule reports

# Create an API key
curl -X POST "https://api.dbaudit.ai/v1/api-keys" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Integration",
    "scopes": ["events:read", "policies:read"],
    "expires_at": "2026-01-15T00:00:00Z",
    "allowed_ips": ["10.0.0.0/8"]
  }'

# Response (key shown only once)
{
  "id": "key_xyz789",
  "name": "CI/CD Integration",
  "key": "dbaudit_live_abc123xyz...",
  "scopes": ["events:read", "policies:read"],
  "created_at": "2025-01-15T10:00:00Z",
  "expires_at": "2026-01-15T00:00:00Z"
}
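The create call above returns the key once; what the server has to do with it afterwards (store a hash, then check expiry, scope and source IP on every request) is the part that decides whether a leaked key is contained. The following is an added example in Python, not DB Audit's own code. It assumes the key is stored only as a SHA-256 hash, that a key may not be minted with scopes its creator does not hold, and the field names of the stored record; the scope list and the sample key are taken from the docs' example.

```python
# Added example, not DB Audit's own code: server-side lifecycle of a scoped
# API key. Assumptions beyond the docs: keys are stored only as a SHA-256
# hash (the docs say the key is shown once, which is what that implies), a
# key cannot carry scopes its creator lacks, and the stored record's fields.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone

VALID_SCOPES = {
    "events:read", "events:export", "policies:read", "policies:write",
    "databases:read", "databases:write", "users:read", "users:write",
    "alerts:read", "alerts:write", "reports:read", "reports:write",
}


def key_hash(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def parse_time(iso):
    """Accept the docs' 'Z' suffix, which fromisoformat rejects before 3.11."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def mint_key(name, scopes, creator_scopes, expires_at, allowed_ips=()):
    """Return (plaintext_key, stored_record). The plaintext is never stored."""
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    if not set(scopes) <= set(creator_scopes):
        raise PermissionError("cannot grant scopes the creator does not hold")
    for cidr in allowed_ips:
        ipaddress.ip_network(cidr, strict=False)  # reject malformed ranges now
    plaintext = "dbaudit_live_" + secrets.token_urlsafe(24)
    record = {
        "id": "key_" + secrets.token_hex(4),
        "name": name,
        "key_hash": key_hash(plaintext),
        "scopes": sorted(scopes),
        "expires_at": expires_at,
        "allowed_ips": list(allowed_ips),
        "revoked": False,
    }
    return plaintext, record


def lookup(store, presented):
    """Find the record for a presented key, comparing digests in constant time."""
    digest = key_hash(presented)
    for record in store.values():
        if hmac.compare_digest(record["key_hash"], digest):
            return record
    return None


def authorize(store, presented, required_scope, client_ip, now=None):
    """Return (allowed, reason). Every check fails closed."""
    now = now or datetime.now(timezone.utc)
    record = lookup(store, presented)
    if record is None:
        return False, "unknown key"
    if record["revoked"]:
        return False, "revoked"
    if record["expires_at"] and now >= parse_time(record["expires_at"]):
        return False, "expired"
    if required_scope not in record["scopes"]:
        return False, f"missing scope {required_scope}"
    if record["allowed_ips"]:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c, strict=False)
                   for c in record["allowed_ips"]):
            return False, f"{client_ip} not in allowed_ips"
    return True, "ok"


def demo_store():
    """Constructed fixture: the key from the docs' example, minted by an
    admin who holds every scope."""
    plaintext, record = mint_key("CI/CD Integration", ["events:read", "policies:read"],
                                 VALID_SCOPES, "2026-01-15T00:00:00Z", ["10.0.0.0/8"])
    return plaintext, {record["id"]: record}


if __name__ == "__main__":
    plaintext, store = demo_store()
    t = parse_time("2025-06-01T00:00:00Z")
    print(authorize(store, plaintext, "events:read", "10.1.2.3", t))     # (True, 'ok')
    print(authorize(store, plaintext, "policies:write", "10.1.2.3", t))  # missing scope
    print(authorize(store, plaintext, "events:read", "192.168.1.1", t))  # not in allowed_ips
    print(authorize(store, plaintext, "events:read", "10.1.2.3",
                    parse_time("2026-02-01T00:00:00Z")))                  # expired
```

The creator-scope check in mint_key is the one most often missed: if an analyst-level principal can mint a key carrying users:write, the API-key endpoint becomes a privilege-escalation path that bypasses the role table. The ordering of checks in authorize is deliberate as well: an expired or revoked key is rejected before its scopes are even considered.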

Managing Users via API

Invite a User

# Invite a new user
curl -X POST "https://api.dbaudit.ai/v1/users/invite" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "analyst@company.com",
    "role": "analyst",
    "teams": ["security-team"],
    "send_email": true
  }'

# Response
{
  "id": "usr_abc123",
  "email": "analyst@company.com",
  "role": "analyst",
  "status": "pending",
  "invite_expires_at": "2025-01-22T10:00:00Z"
}

List Users

# List all users in the organization
curl -X GET "https://api.dbaudit.ai/v1/users" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response
{
  "users": [
    {
      "id": "usr_owner1",
      "email": "admin@company.com",
      "name": "John Admin",
      "role": "owner",
      "status": "active",
      "last_login": "2025-01-15T09:30:00Z",
      "mfa_enabled": true
    },
    {
      "id": "usr_abc123",
      "email": "analyst@company.com",
      "name": "Jane Analyst",
      "role": "analyst",
      "status": "active",
      "teams": ["security-team"],
      "last_login": "2025-01-14T14:22:00Z",
      "mfa_enabled": true
    }
  ],
  "pagination": { "total": 12, "page": 1 }
}

Update User Role

# Update user role
curl -X PATCH "https://api.dbaudit.ai/v1/users/usr_abc123" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "admin"
  }'

User Activity Audit Log

All user actions in DB Audit are logged for compliance and security. View who made changes, when, and from where.

Action              Description
user.login          User logged in (includes IP, device, location)
user.invited        New user was invited to the organization
user.role_changed   User's role was modified
user.removed        User was removed from the organization
policy.created      Audit policy was created
database.added      New database connection was configured
api_key.created     New API key was generated
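The actions above are the raw material for detection in a SOC. The following is an added example in Python, not DB Audit's own code, of a small detection pass over such a log: it flags logins from outside expected ranges, role changes that land in admin or owner, users changing their own role, and an API key created shortly after the creating account's role was raised. The docs only state which actions are logged and that logins carry IP, device and location; the field names (actor, target, old_role, new_role, ip, ts), the corporate IP ranges and the sample events are constructed for this example.

```python
# Added example, not DB Audit's own code: a detection pass over the user
# activity audit log. The docs list the action names and say logins record
# IP, device and location; the field names (actor, target, old_role,
# new_role, ip, ts), the corporate ranges and the sample events are
# constructed for this example.
import ipaddress
from datetime import datetime, timedelta

ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2, "owner": 3}
PRIVILEGED = {"admin", "owner"}
# Assumed corporate egress ranges; a login from anywhere else is unexpected.
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]


def parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def detect(events, key_window=timedelta(minutes=10)):
    """Return (rule, event) findings in event order.

    Rules: login from outside CORPORATE_RANGES; a role change whose new role
    is admin/owner and higher than the old one; a user changing their own
    role; and an API key created by an account within key_window of its role
    being raised, a common way to persist after an escalation.
    """
    findings = []
    escalated_at = {}  # target user id -> time of last escalation
    for ev in sorted(events, key=lambda e: e["ts"]):
        action = ev["action"]
        if action == "user.login":
            ip = ipaddress.ip_address(ev["ip"])
            if not any(ip in net for net in CORPORATE_RANGES):
                findings.append(("login_outside_corporate_ranges", ev))
        elif action == "user.role_changed":
            old, new = ev["old_role"], ev["new_role"]
            if ROLE_RANK[new] > ROLE_RANK[old] and new in PRIVILEGED:
                findings.append(("privilege_escalation", ev))
                escalated_at[ev["target"]] = parse_time(ev["ts"])
            if ev["actor"] == ev["target"]:
                findings.append(("self_role_change", ev))
        elif action == "api_key.created":
            raised = escalated_at.get(ev["actor"])
            if raised and parse_time(ev["ts"]) - raised <= key_window:
                findings.append(("api_key_after_escalation", ev))
    return findings


# Constructed sample log, modelled on the users in the API examples above:
# an owner session from an unexpected address promotes an analyst, who then
# mints an API key and finally raises their own role to owner.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:30:00Z", "action": "user.login", "actor": "usr_owner1", "ip": "10.0.5.20"},
    {"ts": "2025-01-15T09:40:00Z", "action": "user.login", "actor": "usr_owner1", "ip": "198.51.100.7"},
    {"ts": "2025-01-15T09:41:00Z", "action": "user.role_changed", "actor": "usr_owner1",
     "target": "usr_abc123", "old_role": "analyst", "new_role": "admin"},
    {"ts": "2025-01-15T09:44:00Z", "action": "api_key.created", "actor": "usr_abc123",
     "key_id": "key_xyz789"},
    {"ts": "2025-01-15T09:50:00Z", "action": "user.role_changed", "actor": "usr_abc123",
     "target": "usr_abc123", "old_role": "admin", "new_role": "owner"},
    {"ts": "2025-01-15T10:00:00Z", "action": "user.invited", "actor": "usr_abc123",
     "target": "new@company.com"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev['ts']}  {rule:32}  actor={ev['actor']}")
```

Each rule alone produces noise (owners do promote people, staff do travel); the value is in the sequence. An escalation followed within minutes by api_key.created on the promoted account is worth paging on, because the key outlives the session that created it and survives a password reset.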