Filters

Filters allow you to narrow request results when programmatically interacting with StrongDM via the CLI or the API. This article describes how to use filters with the sdm admin CLI commands, including proper syntax, usage examples, and available filter parameters and values.

For information on how to use filters in API requests with any of StrongDM's SDKs, please consult the documentation for the specific tool you wish to use.

Syntax and Filtering Considerations

Filters are specified in sdm admin CLI commands with the --filter flag followed by the field and the value on which you want to filter.

Example:

sdm admin users list --filter '<FIELD>:<VALUE>'

Let's say, for example, that your organization has 50 users whose first name is Sam, and you want to list only those people. To do that, run the command with the filter set as follows:

sdm admin users list --filter 'firstname:sam'

Possible filter fields and values are described in section Filter Parameters by Entity and section Potential Resource Type Values.

Wildcards

The --filter flag accepts wildcard (*) values for certain fields, such as name and email. For example, you can use a filter and wildcard to list only users whose email address ends with @strongdm.com:

sdm admin users list --filter 'email:*@strongdm.com'

Special characters

Special characters must be properly escaped using quotation marks. Additionally, multi-word names in filters must be encapsulated in quotation marks. For example, name:"Foo Bar" is correct, and name:Foo Bar is not.

Case

Filters are case-insensitive. Uppercase and lowercase values return the same results.

Terminal syntax differences

The terminal programs on different operating systems use syntax that can vary slightly. For example, using the --filter flag requires the following syntax for most macOS or Linux terminals:

--filter 'verb:"user added"'

Command Prompt on Windows, however, requires the following formatting for the same command:

--filter "verb:\"*user added*\""

In Powershell, the following formatting is needed for the same command:

--filter 'verb:"*user*added*"'

The examples presented throughout the documentation primarily use the first syntax example given (for macOS or Linux) for CLI command examples. If your command is not working, verify that you are following the appropriate syntax rules for your terminal program when it comes to quoting, escaping, flagging, and similar operations.

Date/Time format

Our system can parse the date (year, month, day) and time (hours, minutes, seconds) in a variety of formats. Examples of some accepted formats include the following:

2025-01-01 00:00:00 UTC
01 January 2025 00:00
2025-01-01T12:00:00Z

When filtering based on date and time, an acceptable format must be used. It's optional to provide the time.

Example:

sdm audit activities --filter 'after:2025-01-01'

An error message is returned if you are not using a valid format: Could not find format and will need to structure your date in a different way.

Usage Examples

This section provides examples of various ways to use single filters and multiple filters with the sdm admin management commands.

When multiple filters are provided, all filters must match for results to be returned.

List servers by name

The following example command shows how you can apply a filter to list all servers with a name that includes the word "admin." Note the use of wildcards around "admin."

$ sdm admin servers list --filter 'name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert
rs-7bb96dd41d9ac70b     azure-gateway-admin            ssh

Show only sshCert servers

In the following example, the type filter is used to list SSH Certificate-type servers:

$ sdm admin servers list --filter 'type:sshCert'
Server ID               Name                           Type
rs-1b08901ed124e296     azure-gateway                  sshCert
rs-2b73c2267a7e1379     azure-gateway - CA (root)      sshCert
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert

Filters are case-insensitive. Either type:sshCert or type:sshcert returns the same results.

Use multiple filters

The following example uses two filters, one for type and one for name, to list SSH Certificate-type servers that have admin in their name:

$ sdm admin servers list --filter 'type:sshCert,name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert

Use multiple flags for multiple filters

You can also provide filters as separate flags to achieve the same results, as in the following example:

$ sdm admin servers list --filter 'type:sshCert' --filter 'name:*admin*'
Server ID               Name                           Type
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert

Filter based on ID

When id is used as a filter, results return any matching results. Because every ID is unique, it would be impossible to match more than one simultaneously if multiple id filters are provided.

In the example shown, you can see that listing servers and filtering by id results in a list of all servers that have the specified IDs.

$ sdm admin servers list --filter 'id:rs-1b08901ed124e296' --filter 'id:rs-2b73c2267a7e1379' --filter 'id:rs-03ad1e1b240c85c1'
Server ID               Name                           Type
rs-1b08901ed124e296     azure-gateway - CA             sshCert
rs-2b73c2267a7e1379     azure-gateway - CA (Copy)      sshCert
rs-03ad1e1b240c85c1     azure-gateway - CA (admin)     sshCert

Bulk operations examples

You can use filters to assist with various bulk actions, such as showing all websites for a given hostname, deleting a group of resources, and so forth. This section includes some examples of such bulk operations.

Update multiple resources

You may use filters to do batch updates on multiple resources.

In the following example, an Update command is used with the --filter and --tags flags to add the env=public tag to all HTTP (No Auth) type-websites:

$ sdm admin websites update --filter 'type:httpnoauth' --tags 'env=public'
changed 4 out of 4 matching datasources

To check that the env=public tag has been applied to the correct websites, you can filter for all websites with the type httpnoauth, as in the following example:

$ sdm admin websites list --filter 'type:httpnoauth'
Website ID              Name                    Type           Tags
rs-3b34c199bef73d19     google                  httpNoAuth     env=public
rs-000000000004682d     ksql control center     httpNoAuth     env=public
rs-4d1c88780405f0ad     potato                  httpNoAuth     env=public
rs-000000000004d17f     support kibana          httpNoAuth     env=public

Delete multiple resources

You can use the --filter flag to delete a group of the same resources that have something in common. The filter specifies what they have in common, such as an assigned tag or the resource type.

When deleting multiple resources, you must use the additional flag --apply (or --all or -a) to specify that you want to delete all matching resources. Omitting that flag results in an error.

In the example shown, the --filter flag is used to delete all the websites that are tagged with env=public.

$ sdm admin websites delete --filter 'tags:env=public' --apply
deleted 4 datasources

JSON Filters

For larger or more complex search queries, you can use a JSON file to define your list of filters. Commands that point to JSON files use the --filter-json flag instead of --filter.

Example:

sdm admin datasources list --filter-json <PATH_TO_JSON_FILE>

Let's say that you want to list a specific datasource and all PostgreSQL datasources that have been assigned the region=EU tag. Your command includes the --filter-json flag and the path to the JSON filter file:

sdm admin datasources list --filter-json /Users/alice.glick/Documents/example.json

The JSON filter file includes several filter parameters and their values, as in the following example:

[
    {
        "ids": [
            "rs-0835300a78ea36a0"
        ]
    },
    {
        "type": "postgres",
        "tags": {
            "region": "EU"
        }
    }
]

Note that the JSON-based filter is the union of filters, whose attributes are additive. In this example, results of the filter file are the union of one datasource (id = rs-0835300a78ea36a0) and all datasources whose type is postgres and contain the region=EU tag.

Filters Help

You can use the --filters-help option with any CLI command that has filters to show all possible filters and usage examples. This option enables you to see filters with proper syntax, in context, without leaving the CLI. The --filters-help option is supported for all CLI commands that have the --filter option.

The output varies based on entity type. In the example shown, sdm admin datasources list --filters-help returns all possible filters that can be used to filter a list of datasources.

Example:

$ sdm admin datasources list --filters-help
Filters:
Name                        Example
bindAddress                 127.0.0.1:2022
bindInterface               127.0.0.1
discoveryEnabled            true
entityId                    ent-e1b2
hasRequest                  true
healthy                     true
hostname                    www.example.com
http_subdomain              internalsite
id                          rs-e1b2
identity_enabled            true
identity_set_id             ig-e1b2
inPeeringGroup              true
lockStatus                  locked
name                        dev-db2
port                        5432
port_override               15432
proxyClusterId              n-e1b2
remote_identity_enabled     true
secretStoreId               se-e1b2
tags                        k=v
type                        postgres
username                    admin
vnmMode                     true

Filter Parameters by Entity

Fields available to filter on vary by entity type. This section describes all possible filter parameters for the following entity types:

Access requests
Accounts (users and services)
Activities
Groups
Healthchecks
Nodes (gateways and relays)
Queries
Permissions (account resources)
Policies
Resources (clouds, clusters, datasources, servers, websites)
Roles
Workflows (including workflow approvers, workflow assignments, and workflow roles)

Supported data types for filter values

Data type

Description

Boolean

True or false values, including true, false, t, f, 1, and 0

Datetime

Series of values representing the date (year, month, day) and time (hours, minutes, seconds)

Text values that are properly formatted email addresses

Supports IPv4 address with or without port

KVP

Key-value pair in the format title=value

String

Any non-null value

URL

Data that follows the pattern of a URL

Access requests

Field

Description

Value type

Usage example

account

Account ID of the user requesting access to the resource

String

sdm access requests --filter 'account:aq-e1b2'

accountGrant

Resource assigned directly to an account, giving the account the permission to connect to that resource

String

sdm access requests --filter 'accountGrant:ag-e1b2'

approver

ID of the account that is authorized to approve or deny an access request

String

sdm access requests --filter 'approver:a-e1b2'

assigned

Resources assigned (true) or unassigned (false) to a workflow

Boolean

sdm access catalog --filter 'assigned:true'

bindAddress

IP address to which the resource is bound, and port, in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1

sdm access catalog --filter 'bindAddress:127.0.0.1:2022'

bindInterface

IP address to which the resource is bound, in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1

sdm access catalog --filter 'bindInterface:127.0.0.1'

discoveryEnabled

Whether resource discovery is enabled (true) or not

Boolean

sdm access catalog --filter 'discoveryEnabled:true`

entityId

ID of the entity

String

sdm access catalog --fi

hasRequest

Resources that users have requested to access (true) or not (false)

Boolean

sdm access catalog --filter 'hasRequest:true'

healthy

Health status of the resource being requested to access

Boolean

sdm access catalog --filter 'healthy:false'

hostname

Hostname of the resource; for websites, the URL of the website

URL

sdm access catalog --filter 'hostname:www.example.com'

http_subdomain

Organization's web domain value

String

sdm access catalog --filter 'http_subdomain:internalsite'

id

ID of the resource

String

sdm access catalog --filter 'id:rs-e1b2'

identity_enabled

Method of authentication for the resource, either Identity Aliases (true) or leased credentials (false)

Boolean

sdm access catalog --filter 'identity_enabled:true'

identity_set_id

ID of the Identity Set, if the resource's method of authentication is set to Identity Aliases

String

sdm access catalog --filter 'identity_set_id:ig-e1b2'

inPeeringGroup

Resources that are attached to a peering group (true) or unattached to a peering group (false)

Boolean

sdm access catalog --filter 'inPeeringGroup:true'

lockStatus

Lock status of the resource (locked or unlocked)

String

sdm access catalog --filter 'lockStatus:locked'

name

Name of the resource

String

sdm access catalog --filter 'name:dev-db2'

port

Port number

Number

sdm access catalog --filter 'port:5432'

port_override

Port override to which the resource is bound

Number

sdm access catalog --filter 'port_override:15432'

proxyClusterID

Proxy cluster identifier

String

sdm access catalog --filter 'proxyClusterID:n-e1b2'

request

Requested account or resource name

String

sdm access requests --filter 'request:redis'

secretStoreId

Secret store identifier for the resource; use sdm admin secretstores list to get it

String

sdm access catalog --filter 'secretStoreId:se-e1b2'

startAfter

Date/time after the request was submitted that the resource can be accessed

Datetime

sdm access requests --filter 'startAfter:2025-01-01T12:00:00Z'

status

Status of the request to access the resource (pending, approved, denied, canceled, or timed out)

String

sdm access requests --filter 'status:"timed out"'

submittedAfter

Date/time after the request to access the resource was submitted

Datetime

sdm access requests --filter 'submittedAfter:2025-01-01T12:00:00Z'

submittedBefore

Date/time before the request to access the resource was submitted

DatetimeexcludeGroupID

sdm access requests --filter 'submittedBefore:2025-01-01T12:00:00Z'

tags

Resource tags assigned to the resource

KVP

sdm access catalog --filter 'tags:k=v'

target

Resource ID of the target resource

String

sdm access requests --filter 'target:rs-e1b2'

type

Specific type of resource (for example, sshCert, redis, and so forth)

String

sdm access catalog --filter 'type:postgres'

userAccess

Resources available for users to request access to them

String

sdm access catalog --filter 'userAccess:available'

username

Username to be used for authentication to the resource

String

sdm access catalog --filter 'username:admin'

vnmMode

Resources that are configured to use Virtual Networking Mode (true) or not (false)

Boolean

sdm access catalog --filter 'vnmMode:true'

workflow

Workflow ID of the workflow to which the resource is assigned

String

sdm access catalog --filter 'workflow:aw-e1b2'

Accounts - users and service accounts

Field

Description

Value type

Usage example

active

Users who have (true) or have not (false) actively used StrongDM in the last 90 days

Boolean

sdm admin users list --filter 'active:false'

approver

Users who have the ability to approve requests for workflows

Boolean

sdm admin users list --filter 'approver:true'

email

User's email address

sdm admin users list --filter 'email:[email protected]'

excludeGroupID

Group ID to exclude

String

sdm admin users list --filter 'excludeGroupID:g-e1b2'

firstName

User's first name

String

sdm admin users list --filter 'firstName:alice'

fullName

User's full name (first and last) or the service account's name

String

sdm admin services list --filter 'fullName:*Service

hasRequest

Users who have (true) or have not (false) requested access to resources

Boolean

sdm admin users list --filter 'hasRequest:true'

hasTemporaryAccess

Users who have temporary access to resources

Boolean

sdm admin users list --filter 'hasTemporaryAccess:true'

id

User ID

String

sdm admin users list --filter 'id:a-005c9fd06213dba8'

inNoRoles

Users who have no assigned role

Boolean

sdm admin users list --filter 'inNoRoles:true'

lastName

User's last name

String

sdm admin users list --filter 'lastName:glick'

locked

Users who are locked out or not from StrongDM

Boolean

sdm admin users list --filter 'locked:true'

managed

Users who are managed and provisioned by StrongDM (false) or managed and provisioned by a third-party identity provider (true) such as Okta

Boolean

sdm admin users list --filter 'managed:false'

managerID

ID of the user's manager

String

sdm admin users lis

new

Users who have been created but not yet logged in

Boolean

sdm admin users list --filter 'new:true'

permissionLevel

User's permission level (admin, admin-token, auditor, database-admin, multi-team-leader, relay, service, suspended, scim-token, or user)

String

sdm admin users list --filter 'permissionLevel:database-admin'

roleID

Role ID

String

sdm admin users list --filter 'roleID:r-e1b2'

suspended

User's status

Boolean

sdm admin users list --filter 'suspended:true'

tags

Tags assigned to the user; supports wildcards (*); tag values containing commas must be inside quotes

KVP

sdm admin users list --filter 'tags:region="useast,uswest"'

type

Type of account (user or service)

String

sdm admin users list --filter 'type:user'

workflowIDs

Returns all accounts that are assigned as explicit approvers for any of the provided workflowIDs

String

sdm admin users list --filter 'workflowIDs:aw-e1b2'

Activities

Field

Description

Value type

Usage example

actor_id

User or service account ID

String

sdm audit activities --filter 'actor_id:a-e1b2'

after

Activities logged after the specified date and time

Datetime

sdm audit activities --filter 'after:2025-01-01T12:00:00Z'

before

Activities logged before the specified date and time

Datetime

sdm audit activities --filter 'before:2025-01-01T12:00:00Z'

content

Activity log contents

String

sdm audit activities --filter 'content:user addded or something detailed happened'

description

Activity log description

String

sdm audit activities --filter 'description:something detailed happened'

id

Activity log identifier

String

sdm audit activities --filter 'id:at-e1b2'

ip

IP address of the user

sdm audit activities --filter 'ip:127.0.0.1'

support_login_user

Whether the user is a support login user (true) or not

String

sdm audit activities --filter 'support_login_user:true'

verb

Short string that can be used to filter or group activities by the action that is being taken

String

sdm audit activities --filter 'verb:user added'

Groups

Field

Description

Value type

Usage example

groupids

ID of the group that the role is assigned to

String

sdm admin groups list-roles --filter 'groupids:group-e1b2'

groupName

Name of the group that the role is assigned to

String

sdm admin groups list-roles --filter 'groupName:dev' --filter 'nodeId:n-e1b2'

id

Group ID

String

sdm admin groups list --filter 'id:group-e1b2'

managed

Groups that are managed and provisioned by StrongDM (false) or managed and provisioned by a third-party identity provider (true) such as Okta

Boolean

sdm admin groups li

name

Group name

String

sdm admin groups li

roleid

ID of the role assigned to the group

String

sdm admin groups --filter 'roleid:r-e1b2'

roleids

ID(s) of the role assigned to the group

String

sdm admin groups list-roles --filter 'roleids:r-e1b2'

rolename

Name of the role assigned to the group

String

sdm admin groups list-roles --filter 'rolename:worker'

source

Source of the group's creation (for example, the identity provider)

String

sdm admin groups --filter 'source:source'

Healthchecks

Field

Description

Value type

Usage example

healthy

Healthy status of a node or resource

Boolean

sdm healthchecks list --filter 'healthy:false'

nodeId

ID of the gateway or relay

String

sdm healthchecks list --filter 'nodeId:n-e1b2'

nodeName

Name of the gateway or relay

String

sdm healthchecks list --filter 'nodeName:sdmNode14'

resourceID

Resource ID

String

sdm healthchecks list --filter 'resourceID:r-e1b2'

resourceName

Resource name

String

sdm healthchecks list --filter 'resourceName:database123'

Nodes - gateways and relays

Field

Description

Value type

Usage example

bindaddr

Bind address; note that this parameter is only for gateways

sdm admin nodes list gateways --filter 'bindaddr:0.0.0.0:5000'

id

ID of the gateway or relay

String

sdm admin nodes list --filter 'id:n-123abc4d567e89fg'

inPeeringGroup

Whether the node is attached to a peering group (true) or not

Boolean

sdm admin nodes list --filter 'inPeeringGroup:true'

listenaddr

IP or host address that the gateway listens on; this parameter is only for gateways, as relays do not listen for client connections

IP, URL

sdm admin gateways --filter 'listenaddr:ec2-1-23-456-78.compute-1.amazonaws.com:5000'

name

Name of the gateway or relay

String

sdm admin nodes list --filter 'name:docs'

online

Status of the gateway or relay

Boolean

sdm admin nodes list --filter 'online:false'

tags

Resource tags assigned to the gateway or relay

KVP

sdm admin nodes list --filter 'tag:env=dev'

type

Node type (gateway or relay)

String

sdm admin nodes list --filter 'type:relay'

Permissions

Field

Description

Value type

Usage example

account_grant_id

Account grant ID

String

sdm audit permissions --filter 'account_grant_id:ag-e1b2'

account_id

User or service account ID

String

sdm audit permissions --filter 'account_id:a-e1b2'

granted_after

Permissions granted after the specified date and time

Datetime

sdm audit permissions --filter 'granted_after:2025-01-01T12:00:00Z'

granted_before

Permissions granted before the specified date and time

Datetime

sdm audit permissions --filter 'granted_before:2025-01-01T12:00:00Z'

resource_id

Resource ID

String

sdm audit permissions --filter 'resource_id:rs-e1b2'

role_id

Role ID

String

sdm audit permissions --filter 'role_id:r-e1b2'

Policies

Field

Description

Value type

Usage example

description

Description of a particular policy

String

sdm admin policies list --filter 'description:description'

id

Query ID

String

sdm admin policies --filter 'id:0asb124dsac'

policy

Policy name or ID

String

sdm admin policies

Queries

Field

Description

Value type

Usage example

account

Account name or email

String or email

sdm audit queries --filter 'account:alice.glick'

account_id

Account ID

String

sdm audit queries --filter 'account_id:a-e1b2'

after

Queries logged after the specified date and time

Datetime

sdm audit queries --filter 'after:2025-01-01T12:00:00Z'

authzAction

Policy-based action logged for the query

String

sdm audit queries -

authzDecision

Policy-based decision to allow or deny the query to be executed

String

sdm audit queries --filter 'authzDecision:deny'

before

Queries logged before the specified date and time

Datetime

sdm audit queries --filter 'before:2025-01-01T12:00:00Z'

email

User's email address

sdm audit queries --filter 'email:[email protected]'

encrypted

Encryption status of the query

Boolean

sdm audit queries --filter 'encrypted:true'

firstName

User's first name

String

sdm audit queries --filter 'firstName:Bob'

hasAuthz

Indicates whether or not a particular query required and received authorization via policy

Boolean

sdm audit queries -

id

Query identifier

String

sdm audit queries --filter 'id:0asb124dsac'

lastName

User's last name

String

sdm audit queries --filter 'lastName:Belcher'

policyId

ID of the policy that evaluated the query

String

sdm audit queries -

query

Query executed by the user

String

sdm audit queries --filter 'query:select * from users'

query_category

Resource category for the query

String

sdm audit queries --filter 'query_category:cluster'

resource_id

Resource ID

String

sdm audit queries --filter 'resource_id:r-e1b2'

resource_name

Resource name

String

sdm audit queries --filter 'resource_name:dev-db2'

resource_type

Resource type

String

sdm audit queries --filter 'resource_type:postgres'

Resources - clouds, clusters, datasources, servers, websites

Field

Description

Value type

Usage example

assigned

Resources that are assigned to a workflow

Boolean

sdm admin datasources list --filter 'assigned:true'

bindAddress

IP address to which the resource is bound, and port, in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1

sdm admin datasources list --filter 'bindAddress:127.0.0.1:2022'

bindInterface

IP address to which the resource is bound, in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1

sdm admin datasources list --filter 'bindInterface:127.0.0.1'

discoveryEnabled

Whether resource discovery is enabled for the resource (true) or not

Boolean

sdm admin datasources list --filter 'discoveryEnabled:true'

entityId

Entity ID

String

sdm admin datasources list --filter 'entityId:ent-e1b2'

hasRequest

Resources that users have requested to access

Boolean

sdm admin servers list --filter 'hasRequest:true'

healthy

Health status of the resource

Boolean

sdm admin datasources list --filter 'healthy:false'

hostname

Hostname of the resource; for websites, the URL of the website

URL

sdm admin datasources list --filter 'hostname:example-host.com'

httpsubdomain

Organization's web domain value

String

sdm admin datasources list --filter 'httpsubdomain:education-team'

id

ID of the resource

String

sdm admin datasources list --filter 'id:rs-058a6582617b2c95'

identity_enabled

Method of authentication for the resource, either Identity Aliases (true) or leased credentials (false)

Boolean

sdm admin servers list --filter 'identity_enabled:true'

identity_set_id

ID of the Identity Set, if the resource's method of authentication is set to Identity Aliases

String

sdm admin servers list --filter 'identity_set_id:ig-e1b2'

inPeeringGroup

Whether the resource is attached to a peering group (true) or not

Boolean

sdm admin servers list --filter 'inPeeringGroup:true'

lockStatus

Whether or not the resource is locked

String

sdm admin datasources list --filter 'lockedStatus:locked'

name

Name of the resource

String

sdm admin datasources list --filter 'name:ExampleResourceName'

port

Port number

Number

sdm admin datasources list --filter 'port:27017'

portoverride

Port override to which the resource is bound

Number

sdm admin datasources list --filter 'portoverride:1234'

proxyClusterId

Proxy cluster ID

String

sdm admin datasources list --filter 'proxyClusterId:n-e1b2'

secretStoreId

Secret store identifier for the resource; use sdm admin secretstores list to get it

String

sdm admin clouds list --filter 'secretStoreId:se-1a2b3cd45678e9f1'

tags

Resource tags assigned to the resource

KVP

sdm admin datasources list --filter 'tag:env=dev'

type

Specific type of resource (for example, sshCert, redis, and so forth)

String

sdm admin datasources list --filter 'type:redis'

username

Username to be used for authentication to the resource

String

sdm admin datasources list --filter 'username:admin'

vnmMode

Whether or not the resource is using Virtual Networking Mode

Boolean

sdm admin datasources list --filter 'vnmMode:false'

Roles

Field

Description

Value type

Usage example

assigned

Roles assigned (true) or unassigned (false) to an account

Boolean

sdm admin roles list --filter 'assigned:false'

id

Role ID

String

sdm admin roles list --filter 'id:r-449dd90f60f610d7'

excludeGroupId

ID of the group to exclude

String

sdm admin roles list --filter 'excludeGroupId:g-e1b2'Aerospike

managed

Roles (groups) that are managed and provisioned by StrongDM (false) or managed and provisioned by a third-party identity provider (true) such as Okta

Boolean

sdm admin roles list --filter 'managed:false'

name

Name of the role

String

sdm admin roles list --filter 'name:Docs'

tags

Tags assigned to the role

KVP

sdm admin roles update 'Test Role' --tags 'env=dev'

workflow

Workflow ID of the workflow to which the role is assigned

String

sdm access catalog --filter 'workflow:aw-e1b2'

Workflows, workflow-approvers, workflow-assignments, workflow-roles

Field

Description

Value type

Usage example

autogrant

Approval criteria for the workflow, either automatic approval (true) or manual approval (false)

Boolean

sdm admin workflows list workflows --filter 'autogrant:true'

enabled

Status of workflow (enabled or disabled)

Boolean

sdm admin workflows list workflows --filter 'enabled:true'

id

Workflow ID

String

sdm admin workflows list workflows --filter 'id:aw-e1b2'

name

Name of workflow

String

sdm admin workflows list workflows --filter 'name:mysql-dev'

role

Role ID

String

sdm admin workflows list workflow-roles --filter 'role:r-e1b2'

workflow

Workflow ID

String

sdm admin workflows list workflow-approvers --filter 'workflow:aw-e1b2'

Potential Resource Type Values

This section provides the accepted values for each resource type.

Datasources

This table provides the values for each datasource type.

Datasource type

Value

Aerospike

aerospike

Amazon ES

amazones

Amazon ES IAM

amazonesiam

Amazon MQ (AMQP 0.9.1)

amazonmq-amqp-091

Athena

athena

Aurora MySQL

aurora-mysql

Aurora MySQL (IAM)

aurora-mysql-iam

Aurora PostgreSQL

aurora-postgres

Aurora PostgreSQL (IAM)

aurorapostgresiam

Azure Database for MySQL

azuremysql

Azure Database for PostgreSQL

azurepostgres

Azure MySQL (Managed Identity)

azuremysqlmanagedidentity

Azure PostgreSQL (Managed Identity)

azurepostgresmanagedidentity

BigQuery

bigquery

Cassandra

cassandra

Citus

citus

ClickHouse (HTTP)

clickhouseHTTP

ClickHouse (MySQL)

clickhousemysql

ClickHouse (TCP)

clickhouseTCP

Clustrix

clustrix

CockroachDB

cockroach

Couchbase

couchbaseDatabase

Db2i

db2i

Db2 LUW

db2luw

DocumentDB (replica set)

documentdbreplicaset

DocumentDB (single host)

documentdbhost

DocumentDB (single host IAM)

documentdbhostiam

Druid

druid

DynamoDB

dynamo

DynamoDB (IAM)

dynamoiam

ElastiCache Redis

ecredis

Elasticsearch

elastic

Greenplum

greenplum

Maria

maria

Memcached

memcached

MemSQL

memsql

Microsoft SQL Server

mssql

Microsoft SQL Server (Azure AD)

mssqlAzureAD

Microsoft SQL Server (Kerberos)

mssqlKerberos

MongoDB (replica set)

mongo-replicaset

MongoDB (sharded cluster)

mongoshardedcluster

MongoDB (single host)

mongoHost

MySQL

mysql

Neptune

neptune

Neptune (IAM)

neptuneiam

Oracle

oracle

Oracle (NNE)

oraclenne

PostgreSQL

postgres

PostgreSQL (mTLS)

mTLSPostgres

Presto

presto

RabbitMQ (AMQP 0.9.1)

rabbitmq-amqp-091

RDS PostgreSQL (IAM)

rdspostgresiam

Redis

redis

Redis Cluster

redisCluster

Redshift

redshift

Redshift (IAM)

redshift-iam

SingleStore

singlestore

Snowflake

snowflake

Sybase ASE

sybase

Sybase IQ

sybase-iq, sybaseiq

Teradata

teradata

Trino

trino

Vertica

vertica

Servers

This table provides the values for each server type.

Server type

Value

RDP

rdp

RDP (Certificate Based)

rdp-cert, rdpCert

SSH (Public Key)

ssh

SSH (Certificate Based)

ssh-cert, sshCert

SSH (Certificate Based with User Provisioning)

ssh-cert-user-provision

SSH (Customer Managed Key)

ssh-customer-key

SSH (Password)

sshPassword

TCP

rawtcp

Clusters

This table provides the values for each cluster type.

Cluster type

Value

AKS

aks

AKS (Service Account)

aks-service, aksservice

Elastic Kubernetes Service

amazon-eks, amazoneks, eks

Elastic Kubernetes Service (instance profile)

amazon-eks-instance-profile, amazoneksinstanceprofile, eks-instance-profile

Google Kubernetes Engine

gke

Kubernetes

k8s, kubernetes

Kubernetes (Pod Identity)

k8s-podidentity

Kubernetes (Service Account)

k8s-service, k8sservice

Clouds

This table provides the values for each cloud type.

Cloud type

Value

AWS

aws

AWS Management Console

awsConsole

AWS Management Console (Static key pair)

awsConsoleStaticKeyPair

Azure (Certificate)

azurecert

Azure (Password)

azure

GCP CLI/SDK (Service Account)

gcp

GCP Web Console (Workforce Identity Federation)

gcpConsole

GCP CLI/SDK (Workforce Identity Federation)

gcpWIF

Snowsight (Snowflake Web Console)

snowsight

Websites

This table provides the values for each website type.

Website type

Value

Couchbase (WebUI)

couchbaseWebUI

HTTP

http, httpNoAuth, http-no-auth

HTTP Basic Auth

http-basic, httpBasic, basicauth

HTTP Custom Auth

http-header-auth, headerauth

Last updated 14 days ago

Was this helpful?