Skip to main content
Baton-SQL is a configuration-only connector for SQL databases. Use it for internal user directories, custom applications, or legacy systems where you have database access but no API.

Supported databases

  • PostgreSQL
  • MySQL
  • Microsoft SQL Server
  • Oracle
  • SAP HANA
  • SQLite

Resources

Configuration overview

Baton-SQL uses a YAML configuration file that defines:
  • Database connection details
  • Resource types to sync (users, groups, roles)
  • Entitlements that can be granted
  • Grants that map principals to entitlements
  • Provisioning rules for granting/revoking access

Database connection

You can configure the connection using structured fields or a DSN string.

Structured connection

DSN connection string

DSN examples by database:

Listing resources

The list section defines how to query resources from your database:

Field mapping

Field mappings use CEL (Common Expression Language) to transform data. The dot syntax references columns from the query result:

Pagination

  • offset: Uses LIMIT and OFFSET in SQL queries
  • cursor: Fetches records after a certain key value

Entitlements

Entitlements define permissions that can be granted to resources.

Entitlement purpose

The purpose field tells C1 how to interpret an entitlement:

Static entitlements

Static entitlements are predefined in the configuration:

Dynamic entitlements

Dynamic entitlements are discovered from the database:

Grants

Grants define which principals have which entitlements:
The ?<group_id> syntax binds the current resource ID to the query parameter.

Conditional grant mapping

Use skip_if to conditionally skip grant mappings:

Provisioning

Provisioning defines how to grant and revoke access.

Grant and revoke

Account provisioning

Create new accounts through C1:

Password constraints

Use constraints under random_password to enforce character set rules on generated passwords. Each entry specifies a set of characters and the minimum number of those characters that must appear. When defined, these constraints replace any constraints provided by the platform.
The min_length, max_length, and disallowed_characters fields on random_password are deprecated. They are accepted for backwards compatibility but have no effect — password length is controlled by the platform, and character set rules should be defined using constraints instead.

Credential rotation

Rotate credentials for existing accounts:

Running the connector

Validate configuration

One-shot mode (local testing)

Service mode with C1

Common flags: For deployment instructions, see Deploy a self-hosted connector.

Complete example

Find more examples in the baton-sql repository.