Database Change Management

Settle · RBAC · masking · audit all in one place

TadpoleHub brings settle workflows, role-based access control, column masking, and unified audit into one console — so teams work from the same process.

The standard for database change and access

Settle, RBAC, masking, and audit work the same way across every channel.

SQL Workspace

From query to result, in one place.

Write SQL and browse live results in a full workspace that runs in the browser — no client to install. Every statement passes through access control and lands in the audit log.

Settle

Human approval first. Execution after.

Risky SQL is routed through the settle workflow. Every request lands in the settle list — status, approver, reason, and run condition are all tracked at a glance.

RBAC + IP

Roles and IPs enforced together.

We check both who is running the query (DB role) and where it comes from (allowed IPs) — SQL runs only when both match.

SELECT * FROM orders WHERE … (access pipeline)

  1. User auth (Pass): Check per-DB role. alice@co.com · USER
  2. IP check (Pass): Match allowed IP list. 192.168.1.50 ∈ 192.168.1.0/24
  3. Object access (Pass): Whitelist/blacklist per table. orders (SELECT allowed)
  4. Execute (In progress): Run and write audit log.

Column Masking

Sensitive columns auto-masked.

Per-DB column masking rules apply to result sets the same way across AI, CLI, editor, and API paths.

Unified Audit

One MCP call. Four audit views.

Every MCP call is captured from four angles — the AI conversation, the SQL execution, the sensitive-data policy, and the resulting event — all tied to a single ref.


Approval before execution, consistent control, traceable history

Developers · Security Engineers · Database Administrators

Approval before execution

A senior DBA must approve submitted SQL before it runs.

Consistent access control

Roles, allowed IPs, and masking apply uniformly to every session.

Traceable history

Who ran what from where lands in a single audit timeline.

Key TadpoleDBHub features

25+ Database Support

PostgreSQL, MySQL, Oracle, SQL Server, MongoDB and more

Security & Compliance

LDAP, SAML, OTP authentication with audit logging

Team Collaboration

Role-based access control and shared workflows

API & CLI

REST API · MCP (JSON-RPC 2.0) · AI CLI support

Column Masking

Regex-based column masking rules for sensitive data

Time-window access

Restrict DB access by hour or business calendar

Dormant account control

Auto-flag long-inactive users and revoke access

Security event detection

Aggregate failed/risky SQL patterns and new-DB access

IP access restriction

CIDR/wildcard allowlist applied to all paths including downloads

Real-time session block

Disconnect active sessions and record the event

Explore the standard for database change management

Join thousands of teams using TadpoleHub to manage database access and changes safely.