# Filters

Filters allow you to narrow request results when programmatically interacting with StrongDM via the [CLI](https://docs.strongdm.com/references/cli) or the API. This article describes how to use filters with the [sdm admin](https://docs.strongdm.com/references/cli/admin) CLI commands, including proper syntax, usage examples, and available filter parameters and values.

For information on how to use filters in [API](https://docs.strongdm.com/references/api) requests with any of StrongDM's SDKs, please consult the documentation for the specific tool you wish to use.

### Syntax and Filtering Considerations

Filters are specified in `sdm admin` CLI commands with the `--filter` flag followed by the field and the value on which you want to filter.

Example:

```bash
sdm admin users list --filter '<FIELD>:<VALUE>'
```

Let's say, for example, that your organization has 50 users whose first name is Sam, and you want to list only those people. To do that, run the command with the filter set as follows:

```bash
sdm admin users list --filter 'firstname:sam'
```

Possible filter fields and values are described in section [Filter Parameters by Entity](#filter-parameters-by-entity) and section [Potential Resource Type Values](#potential-resource-type-values).

#### Wildcards

The `--filter` flag accepts wildcard (`*`) values for certain fields, such as `name` and `email`. For example, you can use a filter and wildcard to list only users whose email address ends with `@strongdm.com`:

```bash
sdm admin users list --filter 'email:*@strongdm.com'
```

#### Special characters

Special characters must be properly escaped using quotation marks. Additionally, multi-word names in filters must be encapsulated in quotation marks. For example, `name:"Foo Bar"` is correct, and `name:Foo Bar` is not.

#### Case

Filters are case-insensitive. Uppercase and lowercase values return the same results.

#### Terminal syntax differences

The terminal programs on different operating systems use syntax that can vary slightly. For example, using the `--filter` flag requires the following syntax for most macOS or Linux terminals:

```sh
--filter 'verb:"user added"'
```

Command Prompt on Windows, however, requires the following formatting for the same command:

```sh
--filter "verb:\"*user added*\""
```

In PowerShell, the following formatting is needed for the same command:

```powershell
--filter 'verb:"*user*added*"'
```

The examples presented throughout the documentation primarily use the first syntax example given (for macOS or Linux) for CLI command examples. If your command is not working, verify that you are following the appropriate syntax rules for your terminal program when it comes to quoting, escaping, flagging, and similar operations.

#### Date/Time format

Our system can parse the date (year, month, day) and time (hours, minutes, seconds) in a variety of formats. Examples of some accepted formats include the following:

* `2025-01-01 00:00:00 UTC`
* `01 January 2025 00:00`
* `2025-01-01T12:00:00Z`

When filtering based on date and time, an acceptable format must be used. It's optional to provide the time.

Example:

```bash
sdm audit activities --filter 'after:2025-01-01'
```

An error message is returned if you are not using a valid format: `Could not find format and will need to structure your date in a different way.`

### Usage Examples

This section provides examples of various ways to use single filters and multiple filters with the `sdm admin` management commands.

{% hint style="info" %}
When multiple filters are provided, **all filters must match** for results to be returned.
{% endhint %}

#### List servers by name

The following example command shows how you can apply a filter to list all servers with a name that includes the word "admin." Note the use of wildcards around "admin."

```bash
$ sdm admin servers list --filter 'name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
rs-7bb96dd41d9ac70b     azure-gateway-admin            ssh
```

#### Show only sshCert servers

In the following example, the `type` filter is used to list SSH Certificate-type servers:

```bash
$ sdm admin servers list --filter 'type:sshCert'
Server ID               Name                           Type
rs-1b08901ed124e296     azure-gateway                  sshCert
rs-2b73c2267a7e1379     azure-gateway - CA (root)      sshCert
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
```

{% hint style="info" %}
Filters are case-insensitive. Either `type:sshCert` or `type:sshcert` returns the same results.
{% endhint %}

#### Use multiple filters

The following example uses two filters, one for `type` and one for `name`, to list SSH Certificate-type servers that have `admin` in their name:

```bash
$ sdm admin servers list --filter 'type:sshCert,name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
```

#### Use multiple flags for multiple filters

You can also provide filters as separate flags to achieve the same results, as in the following example:

```bash
$ sdm admin servers list --filter 'type:sshCert' --filter 'name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
```

#### Filter based on ID

When `id` is used as a filter, results include *any* resource that matches one of the specified IDs. Because every ID is unique, a single resource could never match more than one `id` filter simultaneously.

In the example shown, you can see that listing servers and filtering by `id` results in a list of all servers that have the specified IDs.

```bash
$ sdm admin servers list --filter 'id:rs-1b08901ed124e296' --filter 'id:rs-2b73c2267a7e1379' --filter 'id:rs-03ad1e1b240c85c1'
Server ID               Name                           Type
rs-1b08901ed124e296     azure-gateway - CA             sshCert
rs-2b73c2267a7e1379     azure-gateway - CA (Copy)      sshCert
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
```

#### Bulk operations examples

You can use filters to assist with various bulk actions, such as showing all websites for a given hostname, deleting a group of resources, and so forth. This section includes some examples of such bulk operations.

**Update multiple resources**

You may use filters to do batch updates on multiple resources.

In the following example, an `update` command is used with the `--filter` and `--tags` flags to add the `env=public` [tag](https://docs.strongdm.com/references/cli/tags) to all HTTP (No Auth)-type websites:

```bash
$ sdm admin websites update --filter 'type:httpnoauth' --tags 'env=public'
changed 4 out of 4 matching datasources
```

To check that the `env=public` tag has been applied to the correct websites, you can filter for all websites with the type `httpnoauth`, as in the following example:

```bash
$ sdm admin websites list --filter 'type:httpnoauth'
Website ID              Name                    Type           Tags
rs-3b34c199bef73d19     google                  httpNoAuth     env=public
rs-000000000004682d     ksql control center     httpNoAuth     env=public
rs-4d1c88780405f0ad     potato                  httpNoAuth     env=public
rs-000000000004d17f     support kibana          httpNoAuth     env=public
```

**Delete multiple resources**

You can use the `--filter` flag to delete a group of the same resources that have something in common. The filter specifies what they have in common, such as an assigned tag or the resource type.

{% hint style="info" %}
When deleting multiple resources, you must use the additional flag `--apply` (or `--all` or `-a`) to specify that you want to delete *all* matching resources. Omitting that flag results in an error.
{% endhint %}

In the example shown, the `--filter` flag is used to delete all the websites that are tagged with `env=public`.

```bash
$ sdm admin websites delete --filter 'tags:env=public' --apply
deleted 4 datasources
```
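
Because `--apply` deletes every match, it helps to confirm what the filter matches before running the delete. The following wrapper is an added example, not StrongDM code: the function names `sdm_filter`, `sdm_matching_ids`, and `sdm_guarded_delete` are hypothetical, and it assumes the table output shown on this page (one header row, then one row per match with the ID in the first column).

```bash
#!/bin/sh
# Added example, not StrongDM code. Assumes the `list` table output shown on
# this page: one header row, then one row per match with the ID in column 1.

# sdm_filter FIELD VALUE
# Prints FIELD:VALUE, wrapping multi-word values in double quotes as the
# "Special characters" section requires.
sdm_filter() {
    _f=$1 _v=$2
    case $_v in
        *'"'*|*"'"*|*,*)
            # Quotes and commas change how a filter is split and parsed.
            echo "sdm_filter: quote or comma in value; write this filter by hand" >&2
            return 1 ;;
        *[[:space:]]*) printf '%s:"%s"\n' "$_f" "$_v" ;;
        *)             printf '%s:%s\n' "$_f" "$_v" ;;
    esac
}

# sdm_matching_ids ENTITY FILTER
# Prints the ID of every row that `list` returns for FILTER, one per line.
sdm_matching_ids() {
    _out=$(sdm admin "$1" list --filter "$2") || return 1
    printf '%s\n' "$_out" | awk 'NR > 1 && NF { print $1 }'
}

# sdm_guarded_delete ENTITY FILTER EXPECTED_COUNT
# Deletes only when FILTER currently matches exactly EXPECTED_COUNT items.
# Handles a single FIELD:VALUE filter. The matching set can still change
# between the list and the delete, so keep the two steps close together.
sdm_guarded_delete() {
    _entity=$1 _filter=$2 _expected=$3

    # Refuse a filter with no field, an empty value, or a wildcard-only value.
    case $_filter in
        *:*) ;;
        *) echo "refusing: '$_filter' is not FIELD:VALUE" >&2; return 2 ;;
    esac
    _bare=$(printf '%s' "${_filter#*:}" | tr -d '*"')
    if [ -z "$_bare" ]; then
        echo "refusing: '$_filter' would match everything" >&2
        return 2
    fi

    # Preview: same filter, read-only command.
    _ids=$(sdm_matching_ids "$_entity" "$_filter") || return 1
    _count=$(printf '%s\n' "$_ids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$_count" -ne "$_expected" ]; then
        echo "refusing: '$_filter' matches $_count $_entity, expected $_expected" >&2
        printf '%s\n' "$_ids" >&2
        return 3
    fi

    sdm admin "$_entity" delete --filter "$_filter" --apply
}

# Usage, after sourcing this file:
#   sdm_guarded_delete websites "$(sdm_filter tags env=public)" 4
```
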

### JSON Filters

For larger or more complex search queries, you can use a JSON file to define your list of filters. Commands that point to JSON files use the `--filter-json` flag instead of `--filter`.

Example:

```bash
sdm admin datasources list --filter-json <PATH_TO_JSON_FILE>
```

Let's say that you want to list a specific datasource *and* all PostgreSQL datasources that have been assigned the `region=EU` tag. Your command includes the `--filter-json` flag and the path to the JSON filter file:

```bash
sdm admin datasources list --filter-json /Users/alice.glick/Documents/example.json
```

The JSON filter file includes several filter parameters and their values, as in the following example:

```json
[
    {
        "ids": [
            "rs-0835300a78ea36a0"
        ]
    },
    {
        "type": "postgres",
        "tags": {
            "region": "EU"
        }
    }
]
```

Note that the JSON-based filter is the union of filters, whose attributes are additive. In this example, the results of the filter file are the union of one datasource (`id = rs-0835300a78ea36a0`) and all datasources whose type is `postgres` and that have the `region=EU` tag.

### Filters Help

You can use the `--filters-help` option with any CLI command that has filters to show all possible filters and usage examples. This option enables you to see filters with proper syntax, in context, without leaving the CLI. The `--filters-help` option is supported for all CLI commands that have the `--filter` option.

The output varies based on [entity type](#filter-parameters-by-entity). In the example shown, `sdm admin datasources list --filters-help` returns all possible filters that can be used to filter a list of datasources.

Example:

```bash
$ sdm admin datasources list --filters-help
Filters:
Name                        Example
bindAddress                 127.0.0.1:2022
bindInterface               127.0.0.1
discoveryEnabled            true
entityId                    ent-e1b2
hasRequest                  true
healthy                     true
hostname                    www.example.com
http_subdomain              internalsite
id                          rs-e1b2
identity_enabled            true
identity_set_id             ig-e1b2
inPeeringGroup              true
lockStatus                  locked
name                        dev-db2
port                        5432
port_override               15432
proxyClusterId              n-e1b2
remote_identity_enabled     true
secretStoreId               se-e1b2
tags                        k=v
type                        postgres
username                    admin
vnmMode                     true
```

### Filter Parameters by Entity

Fields available to filter on vary by entity type. This section describes all possible filter parameters for the following entity types:

* Access requests
* Accounts (users and services)
* Activities
* Groups
* Healthchecks
* Nodes (gateways and relays)
* Queries
* Permissions (account resources)
* Policies
* Resources (clouds, clusters, datasources, servers, websites)
* Roles
* Workflows (including workflow approvers, workflow assignments, and workflow roles)

#### Supported data types for filter values

| Data type | Description                                                                                  |
| --------- | -------------------------------------------------------------------------------------------- |
| Boolean   | True or false values, including `true`, `false`, `t`, `f`, `1`, and `0`                      |
| Datetime  | Series of values representing the date (year, month, day) and time (hours, minutes, seconds) |
| Email     | Text values that are properly formatted email addresses                                      |
| IP        | Supports IPv4 address with or without port                                                   |
| KVP       | Key-value pair in the format `title=value`                                                   |
| String    | Any non-null value                                                                           |
| URL       | Data that follows the pattern of a URL                                                       |

#### Access requests

| Field              | Description                                                                                                                           | Value type               | Usage example                                                         |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | --------------------------------------------------------------------- |
| `account`          | Account ID of the user requesting access to the resource                                                                              | String                   | `sdm access requests --filter 'account:aq-e1b2'`                      |
| `accountGrant`     | Resource assigned directly to an account, giving the account the permission to connect to that resource                               | String                   | `sdm access requests --filter 'accountGrant:ag-e1b2'`                 |
| `approver`         | ID of the account that is authorized to approve or deny an access request                                                             | String                   | `sdm access requests --filter 'approver:a-e1b2'`                      |
| `assigned`         | Resources assigned (`true`) or unassigned (`false`) to a workflow                                                                     | Boolean                  | `sdm access catalog --filter 'assigned:true'`                         |
| `bindAddress`      | IP address to which the resource is bound, and port, in the `127.0.0.1` to `127.255.255.254` IP address range; default is `127.0.0.1` | IP                       | `sdm access catalog --filter 'bindAddress:127.0.0.1:2022'`            |
| `bindInterface`    | IP address to which the resource is bound, in the `127.0.0.1` to `127.255.255.254` IP address range; default is `127.0.0.1`           | IP                       | `sdm access catalog --filter 'bindInterface:127.0.0.1'`               |
| `discoveryEnabled` | Whether resource discovery is enabled (`true`) or not                                                                                 | Boolean                  | `sdm access catalog --filter 'discoveryEnabled:true'`                 |
| `entityId`         | ID of the entity                                                                                                                      | String                   | `sdm access catalog --fi`                                             |
| `hasRequest`       | Resources that users have requested to access (`true`) or not (`false`)                                                               | Boolean                  | `sdm access catalog --filter 'hasRequest:true'`                       |
| `healthy`          | Health status of the resource being requested to access                                                                               | Boolean                  | `sdm access catalog --filter 'healthy:false'`                         |
| `hostname`         | Hostname of the resource; for websites, the URL of the website                                                                        | URL                      | `sdm access catalog --filter 'hostname:www.example.com'`              |
| `http_subdomain`   | Organization's web domain value                                                                                                       | String                   | `sdm access catalog --filter 'http_subdomain:internalsite'`           |
| `id`               | ID of the resource                                                                                                                    | String                   | `sdm access catalog --filter 'id:rs-e1b2'`                            |
| `identity_enabled` | Method of authentication for the resource, either Identity Aliases (`true`) or leased credentials (`false`)                           | Boolean                  | `sdm access catalog --filter 'identity_enabled:true'`                 |
| `identity_set_id`  | ID of the Identity Set, if the resource's method of authentication is set to Identity Aliases                                         | String                   | `sdm access catalog --filter 'identity_set_id:ig-e1b2'`               |
| `inPeeringGroup`   | Resources that are attached to a peering group (`true`) or unattached to a peering group (`false`)                                    | Boolean                  | `sdm access catalog --filter 'inPeeringGroup:true'`                   |
| `lockStatus`       | Lock status of the resource (`locked` or `unlocked`)                                                                                  | String                   | `sdm access catalog --filter 'lockStatus:locked'`                     |
| `name`             | Name of the resource                                                                                                                  | String                   | `sdm access catalog --filter 'name:dev-db2'`                          |
| `port`             | Port number                                                                                                                           | Number                   | `sdm access catalog --filter 'port:5432'`                             |
| `port_override`    | Port override to which the resource is bound                                                                                          | Number                   | `sdm access catalog --filter 'port_override:15432'`                   |
| `proxyClusterID`   | Proxy cluster identifier                                                                                                              | String                   | `sdm access catalog --filter 'proxyClusterID:n-e1b2'`                 |
| `request`          | Requested account or resource name                                                                                                    | String                   | `sdm access requests --filter 'request:redis'`                        |
| `secretStoreId`    | Secret store identifier for the resource; use `sdm admin secretstores list` to get it                                                 | String                   | `sdm access catalog --filter 'secretStoreId:se-e1b2'`                 |
| `startAfter`       | Date/time after the request was submitted that the resource can be accessed                                                           | Datetime                 | `sdm access requests --filter 'startAfter:2025-01-01T12:00:00Z'`      |
| `status`           | Status of the request to access the resource (`pending`, `approved`, `denied`, `canceled`, or `timed out`)                            | String                   | `sdm access requests --filter 'status:"timed out"'`                   |
| `submittedAfter`   | Date/time after the request to access the resource was submitted                                                                      | Datetime                 | `sdm access requests --filter 'submittedAfter:2025-01-01T12:00:00Z'`  |
| `submittedBefore`  | Date/time before the request to access the resource was submitted                                                                     | Datetime                 | `sdm access requests --filter 'submittedBefore:2025-01-01T12:00:00Z'` |
| `tags`             | Resource tags assigned to the resource                                                                                                | KVP                      | `sdm access catalog --filter 'tags:k=v'`                              |
| `target`           | Resource ID of the target resource                                                                                                    | String                   | `sdm access requests --filter 'target:rs-e1b2'`                       |
| `type`             | Specific type of resource (for example, `sshCert`, `redis`, and so forth)                                                             | String                   | `sdm access catalog --filter 'type:postgres'`                         |
| `userAccess`       | Resources available for users to request access to them                                                                               | String                   | `sdm access catalog --filter 'userAccess:available'`                  |
| `username`         | Username to be used for authentication to the resource                                                                                | String                   | `sdm access catalog --filter 'username:admin'`                        |
| `vnmMode`          | Resources that are configured to use Virtual Networking Mode (`true`) or not (`false`)                                                | Boolean                  | `sdm access catalog --filter 'vnmMode:true'`                          |
| `workflow`         | Workflow ID of the workflow to which the resource is assigned                                                                         | String                   | `sdm access catalog --filter 'workflow:aw-e1b2'`                      |

#### Accounts - users and service accounts

| Field                | Description                                                                                                                                                  | Value type | Usage example                                                    |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | ---------------------------------------------------------------- |
| `active`             | Users who have (`true`) or have not (`false`) actively used StrongDM in the last 90 days                                                                     | Boolean    | `sdm admin users list --filter 'active:false'`                   |
| `approver`           | Users who have the ability to approve requests for workflows                                                                                                 | Boolean    | `sdm admin users list --filter 'approver:true'`                  |
| `email`              | User's email address                                                                                                                                         | Email      | `sdm admin users list --filter 'email:alice.glick@strongdm.com'` |
| `excludeGroupID`     | Group ID to exclude                                                                                                                                          | String     | `sdm admin users list --filter 'excludeGroupID:g-e1b2'`          |
| `firstName`          | User's first name                                                                                                                                            | String     | `sdm admin users list --filter 'firstName:alice'`                |
| `fullName`           | User's full name (first and last) or the service account's name                                                                                              | String     | `sdm admin services list --filter 'fullName:*Service`            |
| `hasRequest`         | Users who have (`true`) or have not (`false`) requested access to resources                                                                                  | Boolean    | `sdm admin users list --filter 'hasRequest:true'`                |
| `hasTemporaryAccess` | Users who have temporary access to resources                                                                                                                 | Boolean    | `sdm admin users list --filter 'hasTemporaryAccess:true'`        |
| `id`                 | User ID                                                                                                                                                      | String     | `sdm admin users list --filter 'id:a-005c9fd06213dba8'`          |
| `inNoRoles`          | Users who have no assigned role                                                                                                                              | Boolean    | `sdm admin users list --filter 'inNoRoles:true'`                 |
| `lastName`           | User's last name                                                                                                                                             | String     | `sdm admin users list --filter 'lastName:glick'`                 |
| `locked`             | Users who are locked out or not from StrongDM                                                                                                                | Boolean    | `sdm admin users list --filter 'locked:true'`                    |
| `managed`            | Users who are managed and provisioned by StrongDM (`false`) or managed and provisioned by a third-party identity provider (`true`) such as Okta              | Boolean    | `sdm admin users list --filter 'managed:false'`                  |
| `managerID`          | ID of the user's manager                                                                                                                                     | String     | `sdm admin users lis`                                            |
| `new`                | Users who have been created but not yet logged in                                                                                                            | Boolean    | `sdm admin users list --filter 'new:true'`                       |
| `permissionLevel`    | User's permission level (`admin`, `admin-token`, `auditor`, `database-admin`, `multi-team-leader`, `relay`, `service`, `suspended`, `scim-token`, or `user`) | String     | `sdm admin users list --filter 'permissionLevel:database-admin'` |
| `roleID`             | Role ID                                                                                                                                                      | String     | `sdm admin users list --filter 'roleID:r-e1b2'`                  |
| `suspended`          | User's status                                                                                                                                                | Boolean    | `sdm admin users list --filter 'suspended:true'`                 |
| `tags`               | Tags assigned to the user; supports wildcards (`*`); tag values containing commas must be inside quotes                                                      | KVP        | `sdm admin users list --filter 'tags:region="useast,uswest"'`    |
| `type`               | Type of account (`user` or `service`)                                                                                                                        | String     | `sdm admin users list --filter 'type:user'`                      |
| `workflowIDs`        | Returns all accounts that are assigned as explicit approvers for any of the provided workflowIDs                                                             | String     | `sdm admin users list --filter 'workflowIDs:aw-e1b2'`            |

#### Activities

| Field                | Description                                                                                   | Value type | Usage example                                                                         |
| -------------------- | --------------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------------- |
| `actor_id`           | User or service account ID                                                                    | String     | `sdm audit activities --filter 'actor_id:a-e1b2'`                                     |
| `after`              | Activities logged after the specified date and time                                           | Datetime   | `sdm audit activities --filter 'after:2025-01-01T12:00:00Z'`                          |
| `before`             | Activities logged before the specified date and time                                          | Datetime   | `sdm audit activities --filter 'before:2025-01-01T12:00:00Z'`                         |
| `content`            | Activity log contents                                                                         | String     | `sdm audit activities --filter 'content:"user added or something detailed happened"'` |
| `description`        | Activity log description                                                                      | String     | `sdm audit activities --filter 'description:"something detailed happened"'`           |
| `id`                 | Activity log identifier                                                                       | String     | `sdm audit activities --filter 'id:at-e1b2'`                                          |
| `ip`                 | IP address of the user                                                                        | IP         | `sdm audit activities --filter 'ip:127.0.0.1'`                                        |
| `support_login_user` | Whether the user is a support login user (`true`) or not                                      | String     | `sdm audit activities --filter 'support_login_user:true'`                             |
| `verb`               | Short string that can be used to filter or group activities by the action that is being taken | String     | `sdm audit activities --filter 'verb:"user added"'`                                   |

#### Groups

| Field       | Description                                                                                                                                       | Value type | Usage example                                                                   |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------- |
| `groupids`  | ID of the group that the role is assigned to                                                                                                      | String     | `sdm admin groups list-roles --filter 'groupids:group-e1b2'`                    |
| `groupName` | Name of the group that the role is assigned to                                                                                                    | String     | `sdm admin groups list-roles --filter 'groupName:dev' --filter 'nodeId:n-e1b2'` |
| `id`        | Group ID                                                                                                                                          | String     | `sdm admin groups list --filter 'id:group-e1b2'`                                |
| `managed`   | Groups that are managed and provisioned by StrongDM (`false`) or managed and provisioned by a third-party identity provider (`true`) such as Okta | Boolean    | `sdm admin groups li`                                                           |
| `name`      | Group name                                                                                                                                        | String     | `sdm admin groups li`                                                           |
| `roleid`    | ID of the role assigned to the group                                                                                                              | String     | `sdm admin groups --filter 'roleid:r-e1b2'`                                     |
| `roleids`   | ID(s) of the role assigned to the group                                                                                                           | String     | `sdm admin groups list-roles --filter 'roleids:r-e1b2'`                         |
| `rolename`  | Name of the role assigned to the group                                                                                                            | String     | `sdm admin groups list-roles --filter 'rolename:worker'`                        |
| `source`    | Source of the group's creation (for example, the identity provider)                                                                               | String     | `sdm admin groups --filter 'source:source'`                                     |

#### Healthchecks

| Field          | Description                          | Value type | Usage example                                               |
| -------------- | ------------------------------------ | ---------- | ----------------------------------------------------------- |
| `healthy`      | Healthy status of a node or resource | Boolean    | `sdm healthchecks list --filter 'healthy:false'`            |
| `nodeId`       | ID of the gateway or relay           | String     | `sdm healthchecks list --filter 'nodeId:n-e1b2'`            |
| `nodeName`     | Name of the gateway or relay         | String     | `sdm healthchecks list --filter 'nodeName:sdmNode14'`       |
| `resourceID`   | Resource ID                          | String     | `sdm healthchecks list --filter 'resourceID:r-e1b2'`        |
| `resourceName` | Resource name                        | String     | `sdm healthchecks list --filter 'resourceName:database123'` |

#### Nodes - gateways and relays

| Field            | Description                                                                                                                         | Value type | Usage example                                                                           |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------- | --------------------------------------------------------------------------------------- |
| `bindaddr`       | Bind address; note that this parameter is only for gateways                                                                         | IP         | `sdm admin nodes list gateways --filter 'bindaddr:0.0.0.0:5000'`                        |
| `id`             | ID of the gateway or relay                                                                                                          | String     | `sdm admin nodes list --filter 'id:n-123abc4d567e89fg'`                                 |
| `inPeeringGroup` | Whether the node is attached to a peering group (`true`) or not                                                                     | Boolean    | `sdm admin nodes list --filter 'inPeeringGroup:true'`                                   |
| `listenaddr`     | IP or host address that the gateway listens on; this parameter is only for gateways, as relays do not listen for client connections | IP, URL    | `sdm admin gateways --filter 'listenaddr:ec2-1-23-456-78.compute-1.amazonaws.com:5000'` |
| `name`           | Name of the gateway or relay                                                                                                        | String     | `sdm admin nodes list --filter 'name:docs'`                                             |
| `online`         | Status of the gateway or relay                                                                                                      | Boolean    | `sdm admin nodes list --filter 'online:false'`                                          |
| `tags`           | Resource tags assigned to the gateway or relay                                                                                      | KVP        | `sdm admin nodes list --filter 'tag:env=dev'`                                           |
| `type`           | Node type (`gateway` or `relay`)                                                                                                    | String     | `sdm admin nodes list --filter 'type:relay'`                                            |

#### Permissions

| Field              | Description                                            | Value type | Usage example                                                          |
| ------------------ | ------------------------------------------------------ | ---------- | ---------------------------------------------------------------------- |
| `account_grant_id` | Account grant ID                                       | String     | `sdm audit permissions --filter 'account_grant_id:ag-e1b2'`            |
| `account_id`       | User or service account ID                             | String     | `sdm audit permissions --filter 'account_id:a-e1b2'`                   |
| `granted_after`    | Permissions granted after the specified date and time  | Datetime   | `sdm audit permissions --filter 'granted_after:2025-01-01T12:00:00Z'`  |
| `granted_before`   | Permissions granted before the specified date and time | Datetime   | `sdm audit permissions --filter 'granted_before:2025-01-01T12:00:00Z'` |
| `resource_id`      | Resource ID                                            | String     | `sdm audit permissions --filter 'resource_id:rs-e1b2'`                 |
| `role_id`          | Role ID                                                | String     | `sdm audit permissions --filter 'role_id:r-e1b2'`                      |

#### Policies

| Field         | Description                        | Value type | Usage example                                                |
| ------------- | ---------------------------------- | ---------- | ------------------------------------------------------------ |
| `description` | Description of a particular policy | String     | `sdm admin policies list --filter 'description:description'` |
| `id`          | Query ID                           | String     | `sdm admin policies --filter 'id:0asb124dsac'`               |
| `policy`      | Policy name or ID                  | String     | `sdm admin policies`                                         |

#### Queries

| Field            | Description                                                                                | Value type      | Usage example                                              |
| ---------------- | ------------------------------------------------------------------------------------------ | --------------- | ---------------------------------------------------------- |
| `account`        | Account name or email                                                                      | String or email | `sdm audit queries --filter 'account:alice.glick'`         |
| `account_id`     | Account ID                                                                                 | String          | `sdm audit queries --filter 'account_id:a-e1b2'`           |
| `after`          | Queries logged after the specified date and time                                           | Datetime        | `sdm audit queries --filter 'after:2025-01-01T12:00:00Z'`  |
| `authzAction`    | Policy-based action logged for the query                                                   | String          | `sdm audit queries -`                                      |
| `authzDecision`  | Policy-based decision to allow or deny the query to be executed                            | String          | `sdm audit queries --filter 'authzDecision:deny'`          |
| `before`         | Queries logged before the specified date and time                                          | Datetime        | `sdm audit queries --filter 'before:2025-01-01T12:00:00Z'` |
| `email`          | User's email address                                                                       | Email           | `sdm audit queries --filter 'email:a@b.com'`               |
| `encrypted`      | Encryption status of the query                                                             | Boolean         | `sdm audit queries --filter 'encrypted:true'`              |
| `firstName`      | User's first name                                                                          | String          | `sdm audit queries --filter 'firstName:Bob'`               |
| `hasAuthz`       | Indicates whether or not a particular query required and received authorization via policy | Boolean         | `sdm audit queries -`                                      |
| `id`             | Query identifier                                                                           | String          | `sdm audit queries --filter 'id:0asb124dsac'`              |
| `lastName`       | User's last name                                                                           | String          | `sdm audit queries --filter 'lastName:Belcher'`            |
| `policyId`       | ID of the policy that evaluated the query                                                  | String          | `sdm audit queries -`                                      |
| `query`          | Query executed by the user                                                                 | String          | `sdm audit queries --filter 'query:select * from users'`   |
| `query_category` | Resource category for the query                                                            | String          | `sdm audit queries --filter 'query_category:cluster'`      |
| `resource_id`    | Resource ID                                                                                | String          | `sdm audit queries --filter 'resource_id:r-e1b2'`          |
| `resource_name`  | Resource name                                                                              | String          | `sdm audit queries --filter 'resource_name:dev-db2'`       |
| `resource_type`  | Resource type                                                                              | String          | `sdm audit queries --filter 'resource_type:postgres'`      |
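
The Permissions and Queries filters above are the ones most often scripted for access reviews, where filter values come from variables rather than being typed by hand. The following is an added example, not StrongDM's own code: POSIX shell helpers that build `--filter` arguments, apply the quoting rule for multi-word values, and refuse values that could change the shape of the filter. The function names, the `SDM_BIN` override, and the strictness of the checks (rejecting embedded double quotes and backslashes, accepting only the `YYYY-MM-DDTHH:MM:SSZ` timestamp form used in the usage examples) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not StrongDM code). Builds `sdm audit` commands whose
# --filter values come from variables, for scripted access reviews.

SDM_BIN="${SDM_BIN:-sdm}"   # assumption: overridable for dry runs and tests
NL='
'

# sdm_filter FIELD VALUE -> prints FIELD:VALUE as a single --filter argument.
sdm_filter() {
    field=$1
    value=$2
    case $field in
        ''|*[!A-Za-z_]*) echo "bad filter field: $field" >&2; return 2 ;;
    esac
    case $value in
        '') echo "empty value for $field" >&2; return 2 ;;
        # Assumption: no escape for these inside a quoted value is documented
        # on the page, so refuse them rather than guess.
        *'"'*|*'\'*|*"$NL"*)
            echo "unsafe character in $field value" >&2; return 2 ;;
    esac
    case $value in
        # Spaces or other special characters: wrap in double quotes,
        # as in name:"Foo Bar".
        *[!A-Za-z0-9._@:=*/-]*) printf '%s:"%s"\n' "$field" "$value" ;;
        *) printf '%s:%s\n' "$field" "$value" ;;
    esac
}

# Accept only the timestamp form shown in the usage examples,
# e.g. 2025-01-01T12:00:00Z (stricter than sdm itself may be).
is_utc_timestamp() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z)
            return 0 ;;
    esac
    return 1
}

# denied_queries AFTER BEFORE RESOURCE_NAME
# Queries that policy denied on one resource inside a time window.
denied_queries() {
    after=$1
    before=$2
    resource=$3
    is_utc_timestamp "$after" && is_utc_timestamp "$before" || {
        echo "timestamps must look like 2025-01-01T12:00:00Z" >&2; return 2; }
    # With a fixed-width UTC format, string order is chronological order.
    expr "x$after" \< "x$before" >/dev/null || {
        echo "window is empty: after >= before" >&2; return 2; }
    f_res=$(sdm_filter resource_name "$resource") || return 2
    # Several --filter flags on one command, as in the groups list-roles example.
    set -- audit queries \
        --filter 'authzDecision:deny' \
        --filter "after:$after" \
        --filter "before:$before" \
        --filter "$f_res"
    "$SDM_BIN" "$@"
}

# grants_since AFTER ROLE_ID
# Permissions granted to a role after a point in time.
grants_since() {
    since=$1
    role=$2
    is_utc_timestamp "$since" || {
        echo "timestamp must look like 2025-01-01T12:00:00Z" >&2; return 2; }
    f_role=$(sdm_filter role_id "$role") || return 2
    set -- audit permissions \
        --filter "granted_after:$since" \
        --filter "$f_role"
    "$SDM_BIN" "$@"
}

# Dry run with constructed values: print the command instead of running it.
sdm_dry_run() { printf '%s\n' "sdm $*"; }
( SDM_BIN=sdm_dry_run
  denied_queries 2025-01-01T12:00:00Z 2025-01-02T12:00:00Z 'dev db 2' )
```

Each filter reaches `sdm` as its own argument, so no extra shell quoting is needed around the generated `field:"multi word"` value.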

#### Resources - clouds, clusters, datasources, servers, websites

| Field              | Description                                                                                                                           | Value type | Usage example                                                        |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------------------------------------------------------------------- |
| `assigned`         | Resources that are assigned to a workflow                                                                                             | Boolean    | `sdm admin datasources list --filter 'assigned:true'`                |
| `bindAddress`      | IP address to which the resource is bound, and port, in the `127.0.0.1` to `127.255.255.254` IP address range; default is `127.0.0.1` | IP         | `sdm admin datasources list --filter 'bindAddress:127.0.0.1:2022'`   |
| `bindInterface`    | IP address to which the resource is bound, in the `127.0.0.1` to `127.255.255.254` IP address range; default is `127.0.0.1`           | IP         | `sdm admin datasources list --filter 'bindInterface:127.0.0.1'`      |
| `discoveryEnabled` | Whether resource discovery is enabled for the resource (`true`) or not                                                                | Boolean    | `sdm admin datasources list --filter 'discoveryEnabled:true'`        |
| `entityId`         | Entity ID                                                                                                                             | String     | `sdm admin datasources list --filter 'entityId:ent-e1b2'`            |
| `hasRequest`       | Resources that users have requested to access                                                                                         | Boolean    | `sdm admin servers list --filter 'hasRequest:true'`                  |
| `healthy`          | Health status of the resource                                                                                                         | Boolean    | `sdm admin datasources list --filter 'healthy:false'`                |
| `hostname`         | Hostname of the resource; for websites, the URL of the website                                                                        | URL        | `sdm admin datasources list --filter 'hostname:example-host.com'`    |
| `httpsubdomain`    | Organization's web domain value                                                                                                       | String     | `sdm admin datasources list --filter 'httpsubdomain:education-team'` |
| `id`               | ID of the resource                                                                                                                    | String     | `sdm admin datasources list --filter 'id:rs-058a6582617b2c95'`       |
| `identity_enabled` | Method of authentication for the resource, either Identity Aliases (`true`) or leased credentials (`false`)                           | Boolean    | `sdm admin servers list --filter 'identity_enabled:true'`            |
| `identity_set_id`  | ID of the Identity Set, if the resource's method of authentication is set to Identity Aliases                                         | String     | `sdm admin servers list --filter 'identity_set_id:ig-e1b2'`          |
| `inPeeringGroup`   | Whether the resource is attached to a peering group (`true`) or not                                                                   | Boolean    | `sdm admin servers list --filter 'inPeeringGroup:true'`              |
| `lockStatus`       | Whether or not the resource is locked                                                                                                 | String     | `sdm admin datasources list --filter 'lockedStatus:locked'`          |
| `name`             | Name of the resource                                                                                                                  | String     | `sdm admin datasources list --filter 'name:ExampleResourceName'`     |
| `port`             | Port number                                                                                                                           | Number     | `sdm admin datasources list --filter 'port:27017'`                   |
| `portoverride`     | Port override to which the resource is bound                                                                                          | Number     | `sdm admin datasources list --filter 'portoverride:1234'`            |
| `proxyClusterId`   | Proxy cluster ID                                                                                                                      | String     | `sdm admin datasources list --filter 'proxyClusterId:n-e1b2'`        |
| `secretStoreId`    | Secret store identifier for the resource; use `sdm admin secretstores list` to get it                                                 | String     | `sdm admin clouds list --filter 'secretStoreId:se-1a2b3cd45678e9f1'` |
| `tags`             | Resource tags assigned to the resource                                                                                                | KVP        | `sdm admin datasources list --filter 'tag:env=dev'`                  |
| `type`             | Specific type of resource (for example, `sshCert`, `redis`, and so forth)                                                             | String     | `sdm admin datasources list --filter 'type:redis'`                   |
| `username`         | Username to be used for authentication to the resource                                                                                | String     | `sdm admin datasources list --filter 'username:admin'`               |
| `vnmMode`          | Whether or not the resource is using Virtual Networking Mode                                                                          | Boolean    | `sdm admin datasources list --filter 'vnmMode:false'`                |

#### Roles

| Field            | Description                                                                                                                                               | Value type | Usage example                                                    |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ---------------------------------------------------------------- |
| `assigned`       | Roles assigned (`true`) or unassigned (`false`) to an account                                                                                             | Boolean    | `sdm admin roles list --filter 'assigned:false'`                 |
| `id`             | Role ID                                                                                                                                                   | String     | `sdm admin roles list --filter 'id:r-449dd90f60f610d7'`          |
| `excludeGroupId` | ID of the group to exclude                                                                                                                                | String     | `sdm admin roles list --filter 'excludeGroupId:g-e1b2'`          |
| `managed`        | Roles (groups) that are managed and provisioned by StrongDM (`false`) or managed and provisioned by a third-party identity provider (`true`) such as Okta | Boolean    | `sdm admin roles list --filter 'managed:false'`                  |
| `name`           | Name of the role                                                                                                                                          | String     | `sdm admin roles list --filter 'name:Docs'`                      |
| `tags`           | Tags assigned to the role                                                                                                                                 | KVP        | `sdm admin roles update 'Test Role' --tags 'env=dev'`            |
| `workflow`       | Workflow ID of the workflow to which the role is assigned                                                                                                 | String     | `sdm access catalog --filter 'workflow:aw-e1b2'`                 |

#### Workflows, workflow-approvers, workflow-assignments, workflow-roles

| Field       | Description                                                                                         | Value type | Usage example                                                             |
| ----------- | --------------------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------- |
| `autogrant` | Approval criteria for the workflow, either automatic approval (`true`) or manual approval (`false`) | Boolean    | `sdm admin workflows list workflows --filter 'autogrant:true'`            |
| `enabled`   | Status of workflow (enabled or disabled)                                                            | Boolean    | `sdm admin workflows list workflows --filter 'enabled:true'`              |
| `id`        | Workflow ID                                                                                         | String     | `sdm admin workflows list workflows --filter 'id:aw-e1b2'`                |
| `name`      | Name of workflow                                                                                    | String     | `sdm admin workflows list workflows --filter 'name:mysql-dev'`            |
| `role`      | Role ID                                                                                             | String     | `sdm admin workflows list workflow-roles --filter 'role:r-e1b2'`          |
| `workflow`  | Workflow ID                                                                                         | String     | `sdm admin workflows list workflow-approvers --filter 'workflow:aw-e1b2'` |

### Potential Resource Type Values

This section provides the accepted values for each resource type.

#### Datasources

This table provides the values for each datasource type.

| Datasource type                     | Value                          |
| ----------------------------------- | ------------------------------ |
| Aerospike                           | `aerospike`                    |
| Amazon ES                           | `amazones`                     |
| Amazon ES IAM                       | `amazonesiam`                  |
| Amazon MQ (AMQP 0.9.1)              | `amazonmq-amqp-091`            |
| Athena                              | `athena`                       |
| Aurora MySQL                        | `aurora-mysql`                 |
| Aurora MySQL (IAM)                  | `aurora-mysql-iam`             |
| Aurora PostgreSQL                   | `aurora-postgres`              |
| Aurora PostgreSQL (IAM)             | `aurorapostgresiam`            |
| Azure Database for MySQL            | `azuremysql`                   |
| Azure Database for PostgreSQL       | `azurepostgres`                |
| Azure MySQL (Managed Identity)      | `azuremysqlmanagedidentity`    |
| Azure PostgreSQL (Managed Identity) | `azurepostgresmanagedidentity` |
| BigQuery                            | `bigquery`                     |
| Cassandra                           | `cassandra`                    |
| Citus                               | `citus`                        |
| ClickHouse (HTTP)                   | `clickhouseHTTP`               |
| ClickHouse (MySQL)                  | `clickhousemysql`              |
| ClickHouse (TCP)                    | `clickhouseTCP`                |
| Clustrix                            | `clustrix`                     |
| CockroachDB                         | `cockroach`                    |
| Couchbase                           | `couchbaseDatabase`            |
| Db2i                                | `db2i`                         |
| Db2 LUW                             | `db2luw`                       |
| DocumentDB (replica set)            | `documentdbreplicaset`         |
| DocumentDB (single host)            | `documentdbhost`               |
| DocumentDB (single host IAM)        | `documentdbhostiam`            |
| Druid                               | `druid`                        |
| DynamoDB                            | `dynamo`                       |
| DynamoDB (IAM)                      | `dynamoiam`                    |
| ElastiCache Redis                   | `ecredis`                      |
| Elasticsearch                       | `elastic`                      |
| Greenplum                           | `greenplum`                    |
| Maria                               | `maria`                        |
| Memcached                           | `memcached`                    |
| MemSQL                              | `memsql`                       |
| Microsoft SQL Server                | `mssql`                        |
| Microsoft SQL Server (Azure AD)     | `mssqlAzureAD`                 |
| Microsoft SQL Server (Kerberos)     | `mssqlKerberos`                |
| MongoDB (replica set)               | `mongo-replicaset`             |
| MongoDB (sharded cluster)           | `mongoshardedcluster`          |
| MongoDB (single host)               | `mongoHost`                    |
| MySQL                               | `mysql`                        |
| Neptune                             | `neptune`                      |
| Neptune (IAM)                       | `neptuneiam`                   |
| Oracle                              | `oracle`                       |
| Oracle (NNE)                        | `oraclenne`                    |
| PostgreSQL                          | `postgres`                     |
| PostgreSQL (mTLS)                   | `mTLSPostgres`                 |
| Presto                              | `presto`                       |
| RabbitMQ (AMQP 0.9.1)               | `rabbitmq-amqp-091`            |
| RDS PostgreSQL (IAM)                | `rdspostgresiam`               |
| Redis                               | `redis`                        |
| Redis Cluster                       | `redisCluster`                 |
| Redshift                            | `redshift`                     |
| Redshift (IAM)                      | `redshift-iam`                 |
| SingleStore                         | `singlestore`                  |
| Snowflake                           | `snowflake`                    |
| Sybase ASE                          | `sybase`                       |
| Sybase IQ                           | `sybase-iq`, `sybaseiq`        |
| Teradata                            | `teradata`                     |
| Trino                               | `trino`                        |
| Vertica                             | `vertica`                      |

#### Servers

This table provides the values for each server type.

| Server type                                    | Value                     |
| ---------------------------------------------- | ------------------------- |
| RDP                                            | `rdp`                     |
| RDP (Certificate Based)                        | `rdp-cert`, `rdpCert`     |
| SSH (Public Key)                               | `ssh`                     |
| SSH (Certificate Based)                        | `ssh-cert`, `sshCert`     |
| SSH (Certificate Based with User Provisioning) | `ssh-cert-user-provision` |
| SSH (Customer Managed Key)                     | `ssh-customer-key`        |
| SSH (Password)                                 | `sshPassword`             |
| TCP                                            | `rawtcp`                  |

#### Clusters

This table provides the values for each cluster type.

| Cluster type                                  | Value                                                                             |
| --------------------------------------------- | --------------------------------------------------------------------------------- |
| AKS                                           | `aks`                                                                             |
| AKS (Service Account)                         | `aks-service`, `aksservice`                                                       |
| Elastic Kubernetes Service                    | `amazon-eks`, `amazoneks`, `eks`                                                  |
| Elastic Kubernetes Service (instance profile) | `amazon-eks-instance-profile`, `amazoneksinstanceprofile`, `eks-instance-profile` |
| Google Kubernetes Engine                      | `gke`                                                                             |
| Kubernetes                                    | `k8s`, `kubernetes`                                                               |
| Kubernetes (Pod Identity)                     | `k8s-podidentity`                                                                 |
| Kubernetes (Service Account)                  | `k8s-service`, `k8sservice`                                                       |

#### Clouds

This table provides the values for each cloud type.

| Cloud type                                      | Value                     |
| ----------------------------------------------- | ------------------------- |
| AWS                                             | `aws`                     |
| AWS Management Console                          | `awsConsole`              |
| AWS Management Console (Static key pair)        | `awsConsoleStaticKeyPair` |
| Azure (Certificate)                             | `azurecert`               |
| Azure (Password)                                | `azure`                   |
| GCP CLI/SDK (Service Account)                   | `gcp`                     |
| GCP Web Console (Workforce Identity Federation) | `gcpConsole`              |
| GCP CLI/SDK (Workforce Identity Federation)     | `gcpWIF`                  |
| Snowsight (Snowflake Web Console)               | `snowsight`               |

#### Websites

This table provides the values for each website type.

| Website type      | Value                                  |
| ----------------- | -------------------------------------- |
| Couchbase (WebUI) | `couchbaseWebUI`                       |
| HTTP              | `http`, `httpNoAuth`, `http-no-auth`   |
| HTTP Basic Auth   | `http-basic`, `httpBasic`, `basicauth` |
| HTTP Custom Auth  | `http-header-auth`, `headerauth`       |
