Hub Connections
Hub connections are database credentials managed centrally and shared with users through groups. Users can execute workflows using these connections without seeing the credentials.
Client vs Hub Connections
| Client Connections | Hub Connections | |
|---|---|---|
| Stored | User's machine | Hub (encrypted) |
| Managed by | Individual user | Administrator |
| Credentials visible to | User | Nobody (zero-trust) |
| Use case | Personal/development | Team/production |
Creating Connections
From Admin > Connections:
- Click Create Connection
- Enter connection details (name, type, host, port, database, username, password)
- Click Test Connection to verify
- Click Save
Credentials are encrypted before storage. The encryption key is stored separately in CONNECTION_ENCRYPTION_KEY environment variable.
Assigning to Grant Groups
A connection is not accessible to users until assigned to a grant group that is linked to a user group:
- Go to Admin > Grant Groups
- Create or select a grant group
- In the Connections section, click Add Connection
- Select the connection to add
- Go to Admin > User Groups, select a user group
- Go to the Grant Groups tab and assign the grant group
Users in that user group can now use the connection in workflows.
What Users See
Users see:
- Connection name
- Connection type
- Health status
Users do not see:
- Host, port, database
- Username, password
This is intentional - users can use connections without knowing where they point.
Query Safety
When users inspect or preview data through the database data source, all queries are validated to block destructive SQL operations. Statements containing DROP, ALTER, CREATE, DELETE, UPDATE, INSERT, TRUNCATE, GRANT, REVOKE, or EXEC/EXECUTE are rejected before reaching the database. This applies to both schema inspection and data preview paths.