Supported databases
- PostgreSQL
- MySQL
- Microsoft SQL Server
- Oracle
- SAP HANA
- SQLite
Resources
- Official download center: Stable binaries (Windows/Linux/macOS) and container images
- GitHub repository: Source code, issues, and example configurations
Configuration overview
Baton-SQL uses a YAML configuration file that defines:- Database connection details
- Resource types to sync (users, groups, roles)
- Entitlements that can be granted
- Grants that map principals to entitlements
- Provisioning rules for granting/revoking access
Database connection
You can configure the connection using structured fields or a DSN string.Structured connection
DSN connection string
Listing resources
Thelist section defines how to query resources from your database:
Field mapping
Field mappings use CEL (Common Expression Language) to transform data. The dot syntax references columns from the query result:Pagination
- offset: Uses
LIMITandOFFSETin SQL queries - cursor: Fetches records after a certain key value
Entitlements
Entitlements define permissions that can be granted to resources.Entitlement purpose
Thepurpose field tells C1 how to interpret an entitlement:
Static entitlements
Static entitlements are predefined in the configuration:Dynamic entitlements
Dynamic entitlements are discovered from the database:Grants
Grants define which principals have which entitlements:?<group_id> syntax binds the current resource ID to the query parameter.
Conditional grant mapping
Useskip_if to conditionally skip grant mappings:
Provisioning
Provisioning defines how to grant and revoke access.Grant and revoke
Account provisioning
Create new accounts through C1:Password constraints
Useconstraints under random_password to enforce character set rules on generated passwords. Each entry specifies a set of characters and the minimum number of those characters that must appear. When defined, these constraints replace any constraints provided by the platform.
The
min_length, max_length, and disallowed_characters fields on random_password are deprecated. They are accepted for backwards compatibility but have no effect — password length is controlled by the platform, and character set rules should be defined using constraints instead.Credential rotation
Rotate credentials for existing accounts:Running the connector
Validate configuration
One-shot mode (local testing)
Service mode with C1
For deployment instructions, see Deploy a self-hosted connector.