DBAs and support engineers need production query access, but shared SQL logins and vault checkout workflows produce weak evidence. Ixiea brokers database sessions with identity attribution and inline query capture.
Operator
IdP identity
Web SQL
DB client
Database
Production
No checkout
Vault not copied
Injected
Connect-time secret
Credentials injected at connect time. Every query tied to identity.
Checking out a database password proves someone retrieved a secret, not what they queried or changed. Gateway brokering injects credentials at connect time and logs every statement in the session stream, bound to the operator's identity and approval record.
Vault checkout
Proves who copied a password, not what they ran
Gateway brokering
Inject at connect · log every statement · bind to identity
Web SQL client
Browser console · no client install
Broker sessions for PostgreSQL, MySQL, Microsoft SQL Server, and Oracle through the web SQL client and native database clients where deployed. Read-only and read-write grants are separate permission objects. Production write access typically requires JIT approval with shorter TTLs.
Apply command filters for DDL and destructive DML, DROP, TRUNCATE, DELETE without WHERE, or route matches through approval. Session recordings capture query activity for review without enabling verbose database auditing on every instance.
SQL command filters
Deny wins · destructive DML blocked by default
Session metadata includes database user mapping, client IP, and approver identity. Syslog export (session_command_log, host_session_log) feeds Splunk, Sentinel, and GRC pipelines. PCI and HIPAA reviewers get query-level evidence from the gateway audit store.
Operational docs
Ready to evaluate?
Walk through gateway brokering, recording, and audit exports in a working session — or browse the illustrated product flow first.
