Teams adopt Privileged Access Management (PAM) — CyberArk, BeyondTrust, StrongDM, Teleport, HashiCorp Boundary — to solve the "who can SSH into which server" problem. The model works: vault credentials, broker connections, record sessions, enforce just-in-time access. Then they hit databases. The same tool gates the connection but stops being useful at the part that actually matters: what someone does once connected. The most common outcome is not a replacement decision — it's adding a database-native layer alongside PAM.
Bytebase vs. PAM at a glance
The "PAM" column describes the typical posture across CyberArk, BeyondTrust, StrongDM, Teleport, and HashiCorp Boundary. See the vendor landscape for tool-specific notes.
| PAM (typical) | Bytebase | |
|---|---|---|
| Primary category | Privileged access management for infrastructure | Database DevSecOps |
| Infrastructure scope | Servers, Kubernetes, cloud consoles, web apps, databases | Databases (30+ engines: PostgreSQL, MySQL, Oracle, SQL Server, MongoDB, etc.) |
| Credential vaulting | ✅ Infrastructure-wide (DBs, SSH, cloud, web) | ✅ For database credentials |
| JIT database access | ✅ Time-boxed connection access | ✅ Time-boxed access + per-query approval |
| SQL review on the actual SQL | ❌ | ✅ 200+ rules, checked before each statement runs |
| Schema change workflow | ❌ | ✅ Ticket-tracked rollout (dev → staging → prod) with rollback |
| Per-query approval | ❌ Approve the connection, not the query | ✅ Approve specific queries (e.g., DELETE on a large table) |
| Audit log of executed SQL | ⚠️ Session video replay | ✅ Searchable per-statement log (user, time, rows affected) |
| Data masking | ❌ | ✅ Per-column rules applied at query time (e.g., redact email) |
| Web SQL editor with autocomplete | ⚠️ Some (StrongDM, Teleport) | ✅ Built-in, with schema browser and query history |
What PAM does well
PAM grew out of Unix administration. The mental model is "credentials are dangerous, so put them behind a broker," and every major vendor implements the same core capabilities:
- Credential vaulting — passwords, SSH keys, cloud tokens never live on developer laptops
- JIT access broker — request, approve, short-lived token, auto-revoke
- Session recording — keystrokes for SSH, network capture for DB protocols, screen capture for web consoles
- Identity integration — SSO, group-based policy, MFA enforcement
- Connection-level audit — who accessed what, when (not what they did)
For SSH into a Linux server, kubectl exec into a pod, or RDP into a Windows admin host, this is the right model. The high-value control is "did anyone unauthorized connect?" and PAM answers that question well.
Where PAM falls short for databases
The same connection-level model that works for SSH falls apart on databases, because the high-value question shifts from "who connected?" to "what did they run?" Five concrete gaps show up in production:
1. No SQL review on the actual SQL being executed
PAM gates the connection. Once you're in, you can run anything the database role permits — including DROP TABLE users; or UPDATE accounts SET balance = 0 WHERE customer_id = 12345;. PAM records that you did it. It does not stop you, did not analyze the statement, and cannot tell whether the change is safe.
→ Bytebase parses every statement against 200+ rules before it runs: require a WHERE clause on large-table updates, block SELECTs on sensitive columns without masking, restrict schema changes to maintenance hours.
2. Schema change workflow is missing entirely
Database changes have a specific lifecycle: write the migration, review the SQL, run on dev, run on staging, run on production, with rollback ready. PAM has no concept of this. Schema migrations either get pasted into a brokered session (reviewed nowhere), or they go through a separate CI/CD pipeline that bypasses PAM entirely (no joined audit trail).
→ Bytebase issues track schema changes like Jira tickets — target databases, SQL, rollout sequence, approval chain, rollback script. Documented in Change Workflow.
3. Approval is connection-level, not statement-level
A common PAM policy reads: "Engineer Alice has JIT read access to prod_db for 4 hours, approved by Bob." Inside that window, Alice can run SELECT * FROM customers WHERE 1=1 because the approval covers the connection, not the statements. The audit log shows "Alice connected with read access" — exactly what was permitted.
→ Bytebase moves approval to the statement layer: a SELECT against a sensitive table can require a separate per-query approver; a DELETE on a large table can be blocked or escalated.
4. Session recording is not the same as a structured audit log
A 30-minute database session in PAM produces a 30-minute video. To answer "who deleted rows from orders last Tuesday?" a compliance team has to find every session that touched orders and watch each recording. This is not what auditors mean by "audit log."
→ Bytebase logs each executed statement as a searchable row: user, timestamp, database, statement text, row count, duration. SOC 2 and PCI auditors accept this format directly — the same compliance question becomes a single SQL query against the audit table instead of hours of video review. See Database Audit Logging for the compliance-driven design.
5. No native database idioms
Power users don't want a session-recorded SSH wrapper that proxies to psql. They want psql itself — autocomplete, schema browser, query history, the \d shortcuts they actually know. PAM brokers the raw protocol but the surface developers see is a stripped-down terminal or a generic SQL pad. The friction pushes power users toward shadow tools — a bastion host with psql bypassing PAM "for productivity."
→ Bytebase's web SQL Editor speaks the native protocol, with autocomplete from the live schema, per-user query history, saved queries, and result export — without a session-recording overlay between the developer and the database.
The hybrid pattern (recommended for most teams)
flowchart TB
Dev(["Developer"])
Dev --> SSH["SSH to server"]
Dev --> Kube["kubectl exec"]
Dev --> DBQ["Database query"]
SSH --> PAM1["PAM gate"]
Kube --> PAM2["PAM gate"]
DBQ --> BB["Bytebase gate"]
PAM1 --> Server["Linux server"]
PAM2 --> Pod["K8s pod"]
BB --> Workflow["SQL review<br/>Approval policy<br/>Execute on DB<br/>Searchable audit log"]
style BB fill:#e0f2fe,stroke:#0369a1
style Workflow fill:#e0f2fe,stroke:#0369a1PAM owns infrastructure-wide access. Bytebase owns the database step. Both authenticate against the same identity provider, so policy decisions reference the same user. The audit trail in PAM shows "Alice connected to db.prod-1 at 14:32"; the audit trail in Bytebase shows "Alice ran UPDATE accounts SET status='frozen' WHERE id IN (...) at 14:34, approved by Bob, affected 47 rows." Together they answer the full question.
This is the right setup if PAM is already deployed, database access volume is meaningful, compliance scope (SOC 2, ISO 27001, HIPAA, PCI) covers the database, or schema changes happen more than once a month.
When one is enough
PAM alone is enough if database access is rare (a few queries a week, mostly DBAs), the schema is stable, auditors accept session recordings as evidence, and the database surface is low-risk (read-only analytics, no PII). Most companies under 20 engineers fit this profile.
Bytebase alone is enough if the stack is database-only — no servers, no Kubernetes admin, no cloud consoles to gate. Common at companies on managed databases (Supabase, Neon, RDS-only, PlanetScale, Aurora-only) where there's no underlying server to SSH into. As the infrastructure footprint grows, PAM gets added back for the non-database surface.
PAM vendor landscape
Each major vendor's database story in one line:
| PAM Tool | Strength | Database gap |
|---|---|---|
| CyberArk | Most mature enterprise credential vault; broadest compliance certifications | No database workflow layer; pricing is enterprise-only |
| BeyondTrust | DevOps Secrets Safe for CI/CD secret injection | Same connection-level model — no SQL review, no schema workflow |
| StrongDM | Modern UX, JIT-first design, strong web SQL pad | Detailed comparison: Bytebase vs. StrongDM |
| Teleport | Open-source friendly, k8s and SSH-native | Database access is a feature; SQL review and approval policy are not |
| HashiCorp Boundary | Open-source PAM, Terraform-native | Newer to the database story; less feature depth |
The pattern across all five: each does PAM well in its niche, but none reads the SQL or runs database-specific approval logic. That's not a criticism — those are different products.
Which should you choose?
The framing usually has the wrong shape:
- You probably need PAM if you have any infrastructure surface — servers, Kubernetes, cloud admin consoles
- You probably need Bytebase if databases are a meaningful part of the access surface and someone will ask "what SQL ran?" in an audit
- You probably want both if both are true. The cost of running both is lower than the cost of either gap
The replacement framing only works at the edges: a database-only startup uses Bytebase without PAM; a database-rare team uses PAM without Bytebase. Everyone in the middle uses both.
FAQ
Is Bytebase a PAM tool? No. Bytebase is a database DevSecOps platform — schema change workflow, SQL review, access control, and audit log for databases specifically. PAM covers infrastructure-wide access (servers, Kubernetes, cloud consoles). The two overlap at JIT database access, but the broader categories differ.
Can PAM tools manage database access? Yes, at the connection level — PAM brokers the connection, vaults the credential, and records the session. PAM does not read the SQL, approve individual queries, run schema change workflow, or produce a searchable log of every query that ran.
Do I need both PAM and Bytebase? Most enterprise teams do. PAM owns infrastructure access (SSH, kubectl, cloud admin). Bytebase owns the database step (SQL review, approval policy, audit log). Both authenticate against the same identity provider, so the user experience is one login. See Database Access Control Best Practices for the broader design.
How does Bytebase compare to StrongDM for database access? StrongDM is a PAM tool with a strong database story; Bytebase is database-native. The two are usually deployed together rather than against each other. Full breakdown: Bytebase vs. StrongDM.
Can Bytebase replace CyberArk for database access? For database-only access — yes, Bytebase can be the sole control plane. For server, Kubernetes, and cloud admin access — no, those need PAM. CyberArk is rarely removed from an enterprise that already has it.
What's the difference between database PAM and database DevSecOps? Both vault database credentials and gate who can connect. The difference is scope above and below: PAM also vaults SSH keys, cloud tokens, and web-app credentials across the entire infrastructure; database DevSecOps adds SQL review, change workflow, data access governance, and statement-level audit on top of the database connection. Different layers, and most production deployments use both.
Does PAM cover SQL injection or DML risk? No. PAM logs the session that contained the SQL, but does not analyze the SQL itself. Static and policy-based SQL review (Bytebase) operates at a different layer — it parses each statement before execution and applies rules.