Database Credential Module

Section: Modules | Article 35
Audience: System Administrators
Last Updated: 2026-04-07

---

Overview

The Database Credential module allows RP-PAM to manage just-in-time database access. When a user is granted access, RP-PAM creates a temporary database user with scoped permissions on the target database engine. When the grant expires or is revoked, the temporary user is dropped and all active connections are terminated.

This eliminates shared database credentials, standing admin access, and the risk of credential sprawl across teams.

---

How It Works

Step	What Happens
1. Request	User requests database access to a resource via the portal or API
2. Approval	Approval workflow completes (if required)
3. Grant	RP-PAM connects to the target database as the admin user and creates a temporary user
4. Scope	The temporary user is granted only the permissions matching the requested role (e.g., readonly)
5. Deliver	The temporary username and password are returned to the user (encrypted, one-time view)
6. Expire/Revoke	When the grant ends, the temporary user is dropped and active sessions are killed

---

Supported Database Engines

Engine	Config Value	Versions Supported	Connection Method
PostgreSQL	postgresql	12, 13, 14, 15, 16	TCP (standard libpq)
Microsoft SQL Server	mssql	2017, 2019, 2022	TCP (TDS protocol)

---

Supported Roles

When creating a grant, you specify a role that determines what the temporary user can do:

Role	PostgreSQL Permissions	MSSQL Permissions
readonly	SELECT on all tables in target schema	db_datareader role membership
readwrite	SELECT, INSERT, UPDATE, DELETE on all tables in target schema	db_datareader + db_datawriter role membership

Note: Roles are applied at the database/schema level. You cannot grant access to individual tables through the module configuration — use database-native permissions for finer control if needed.

---

Module Configuration

Configuration JSON

{
  "moduleType": "database",
  "displayName": "PostgreSQL - Production",
  "enabled": true,
  "config": {
    "dbEngine": "postgresql",
    "host": "db-prod-01.corp.local",
    "port": 5432,
    "adminUser": "rppam_admin",
    "adminPasswordVaultKey": "vault://db-prod-admin-cred",
    "database": "appdb",
    "schema": "public",
    "tempUserPrefix": "rppam_tmp_",
    "grantTtlMinutes": 240,
    "useSsl": true,
    "sslMode": "verify-full",
    "sslCaCertPath": "/etc/rppam/certs/db-ca.pem"
  }
}

Configuration Fields

Field	Type	Required	Default	Description
dbEngine	string	Yes	—	Database engine: postgresql or mssql
host	string	Yes	—	Hostname or IP of the database server
port	integer	No	5432 (PG) / 1433 (MSSQL)	Database server port
adminUser	string	Yes	—	Admin username RP-PAM uses to create/drop temp users
adminPasswordVaultKey	string	Yes	—	Vault reference to the admin password
database	string	Yes	—	Target database name
schema	string	No	public (PG) / dbo (MSSQL)	Target schema for permission scoping
tempUserPrefix	string	No	rppam_tmp_	Prefix for generated temporary usernames
grantTtlMinutes	integer	No	240	Default grant duration in minutes (4 hours)
useSsl	boolean	No	true	Require SSL/TLS for database connections
sslMode	string	No	verify-full	PostgreSQL SSL mode: require, verify-ca, verify-full
sslCaCertPath	string	No	—	Path to the CA certificate for SSL verification

MSSQL-Specific Example

{
  "moduleType": "database",
  "displayName": "MSSQL - Finance",
  "enabled": true,
  "config": {
    "dbEngine": "mssql",
    "host": "sql-fin-01.corp.local",
    "port": 1433,
    "adminUser": "rppam_admin",
    "adminPasswordVaultKey": "vault://sql-fin-admin-cred",
    "database": "FinanceDB",
    "schema": "dbo",
    "tempUserPrefix": "rppam_tmp_",
    "grantTtlMinutes": 120,
    "useSsl": true
  }
}

---

Enabling the Module

Via REST API — PowerShell

$body = @{
    moduleType  = "database"
    displayName = "PostgreSQL - Production"
    enabled     = $true
    config      = @{
        dbEngine             = "postgresql"
        host                 = "db-prod-01.corp.local"
        port                 = 5432
        adminUser            = "rppam_admin"
        adminPasswordVaultKey = "vault://db-prod-admin-cred"
        database             = "appdb"
        tempUserPrefix       = "rppam_tmp_"
    }
} | ConvertTo-Json -Depth 3

Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/modules" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $adminJwt" } `
    -ContentType "application/json" `
    -Body $body

Via REST API — curl

curl -s -X POST "https://rppam.corp.local:7101/api/v1/modules" \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "moduleType": "database",
    "displayName": "PostgreSQL - Production",
    "enabled": true,
    "config": {
      "dbEngine": "postgresql",
      "host": "db-prod-01.corp.local",
      "port": 5432,
      "adminUser": "rppam_admin",
      "adminPasswordVaultKey": "vault://db-prod-admin-cred",
      "database": "appdb",
      "tempUserPrefix": "rppam_tmp_"
    }
  }' | jq .

Verify the Module Is Active

PowerShell:

Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/modules" `
    -Headers @{ Authorization = "Bearer $adminJwt" }

curl:

curl -s "https://rppam.corp.local:7101/api/v1/modules" \
  -H "Authorization: Bearer $ADMIN_JWT" | jq '.[] | select(.moduleType == "database")'

Look for "status": "healthy". If the status is "error", verify network connectivity and that the admin user has permission to create and drop users on the target database.

---

How Grants Work

Grant (Access Approved)

When a user receives an approved database grant:

1. RP-PAM connects to the target database as the admin user.
2. A temporary user is created with a generated name (e.g., rppam_tmp_a7f3b2c1) and a strong random password.
3. The requested role permissions are applied:
4. PostgreSQL readonly: GRANT SELECT ON ALL TABLES IN SCHEMA public TO rppam_tmp_a7f3b2c1;
5. PostgreSQL readwrite: GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO rppam_tmp_a7f3b2c1;
6. MSSQL readonly: User added to db_datareader role
7. MSSQL readwrite: User added to db_datareader and db_datawriter roles
8. The credentials are encrypted and returned to the user.
9. The grant is recorded in the audit log.

The user receives: - The temporary username - The temporary password (one-time view) - The host, port, and database name - The grant expiry time

Using the Grant

PostgreSQL:

psql -h db-prod-01.corp.local -U rppam_tmp_a7f3b2c1 -d appdb

MSSQL (sqlcmd):

sqlcmd -S sql-fin-01.corp.local -U rppam_tmp_a7f3b2c1 -P '<password>' -d FinanceDB

MSSQL (PowerShell with SqlServer module):

Invoke-Sqlcmd -ServerInstance "sql-fin-01.corp.local" `
    -Database "FinanceDB" `
    -Username "rppam_tmp_a7f3b2c1" `
    -Password "<password>" `
    -Query "SELECT TOP 10 * FROM dbo.Transactions"

Revoke (Grant Expired or Manually Revoked)

When a grant expires or an administrator revokes it:

1. RP-PAM connects to the target database as the admin user.
2. All active sessions for the temporary user are terminated.
3. PostgreSQL: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = 'rppam_tmp_a7f3b2c1';
4. MSSQL: Sessions are killed via KILL <spid> for each active connection.
5. The temporary user is dropped from the database.
6. The revocation is recorded in the audit log.

Manual revoke via PowerShell:

Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/grants/$grantId/revoke" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $adminJwt" }

Manual revoke via curl:

curl -s -X POST "https://rppam.corp.local:7101/api/v1/grants/$GRANT_ID/revoke" \
  -H "Authorization: Bearer $ADMIN_JWT" | jq .

---

Troubleshooting

Problem	Cause	Solution
Module status shows "error"	Cannot connect to database	Verify host, port, and admin credentials; check firewall rules
"Permission denied for schema"	Admin user lacks required privileges	Grant CREATE USER / CREATEROLE (PG) or securityadmin (MSSQL) to the admin user
Temp user not dropped on revoke	Database unreachable at revoke time	RP-PAM retries automatically; check connectivity; drop orphaned users manually
"SSL connection required"	useSsl is false but server requires SSL	Set useSsl: true in module config
User cannot connect with temp credentials	Network or firewall issue	Verify the user's machine can reach the database host and port
"Login failed" on MSSQL	Mixed mode authentication not enabled	Enable SQL Server and Windows Authentication mode in MSSQL

---

Next Steps

• SSH Key Manager Module — Manage just-in-time SSH access
• Active Directory Module — Manage AD group membership grants
• Submitting Access Requests — How users request access

---

RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.