DAAM
Alpha

Getting Started

This guide walks you through the complete setup: register a database, deploy an agent, create a policy, install the CLI, and run your first query with data masking.

1. Register a Database

In the console, navigate to Databases and click Create Database. Give it a name (e.g., production) and provide the host, port, and superuser credentials that the agent will use to connect to your PostgreSQL instance.

The agent connects as a superuser to create ephemeral database roles for each developer connection. Your developers never see these credentials.

2. Deploy an Agent

Each database needs one agent. The agent is a lightweight proxy that sits between developers and your database, enforcing access policies and masking rules.

Docker

docker run -d \
  -v /path/to/auth-token:/etc/daam/token:ro \
  -v /path/to/dsn:/etc/daam/dsn:ro \
  -v /path/to/config.yaml:/etc/daam/config.yaml:ro \
  -p 5432:5432 \
  <registry>/daam-agent:latest \
  --config /etc/daam/config.yaml

Configuration

listen: ":5432"

upstream:
  host: "your-database-host"
  port: 5432
  dsn_file: "/etc/daam/dsn"

control_plane:
  url: "https://app.daam.dev"
  auth_token_file: "/etc/daam/token"

health:
  enabled: true
  port: 8080

The auth token is generated in the console when you create a database. In production, use auth_token_file rather than an inline token so the secret can be rotated without restarting the agent.

3. Create a Policy

Policies define which tables a developer can access and which data masking rules apply. Navigate to your database in the console, then Policies → Create Policy.

  1. Name your policy (e.g., read-only-masked)
  2. Add table grants: select which tables to allow and which operations (SELECT, INSERT, UPDATE, DELETE)
  3. Add masking rules: for sensitive columns, choose a masking preset (e.g., email, phone, ssn)

DAAM is default-deny: tables not mentioned in any policy are inaccessible. DDL statements (CREATE, ALTER, DROP) are always blocked.

4. Assign Users to the Policy

In the policy editor, add the users or groups who should receive this access. A user's effective permissions for a database are the union of all policies that reach them, whether assigned directly or through group membership.
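The sketch below is an added example, not DAAM's own code. It models the rules stated in steps 3 and 4 (default-deny, DDL always blocked, effective permissions as the union of direct and group policies) so you can review what an assignment will actually grant. The policy, user, and group names and the data layout are constructed for illustration.

```python
# Added illustration: a model of the rules stated in this guide, not DAAM's code.
DDL = {"CREATE", "ALTER", "DROP"}  # always blocked, per the guide

# Constructed sample data: policy name -> {table: allowed operations}
POLICIES = {
    "read-only-masked": {"users": {"SELECT"}, "orders": {"SELECT"}},
    "support-write": {"orders": {"SELECT", "UPDATE"}},
}
DIRECT = {"alice": ["read-only-masked"]}         # user -> directly assigned policies
GROUP_POLICIES = {"support": ["support-write"]}  # group -> assigned policies
MEMBERS = {"support": {"alice", "bob"}}          # group -> members


def policies_for(user):
    """Policies a user reaches: direct assignments plus group membership."""
    names = set(DIRECT.get(user, []))
    for group, members in MEMBERS.items():
        if user in members:
            names.update(GROUP_POLICIES.get(group, []))
    return names


def effective_grants(user):
    """Union of table grants across every policy the user reaches."""
    grants = {}
    for name in policies_for(user):
        for table, ops in POLICIES[name].items():
            grants.setdefault(table, set()).update(ops)
    return grants


def is_allowed(user, operation, table):
    """Default-deny check: DDL never passes; unlisted tables are denied."""
    op = operation.upper()
    if op in DDL:
        return False
    return op in effective_grants(user).get(table, set())


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        grants = effective_grants(user)
        print(user, {t: sorted(ops) for t, ops in sorted(grants.items())})
```

In this sample, alice's direct policy is read-only, but her membership in the support group adds UPDATE on orders: because permissions are a union, adding a user to a group can only widen access, never narrow it.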

5. Install the CLI

Download the daam-cli binary and add it to your PATH:

# Download (replace with your OS/arch)
# -f makes curl fail on HTTP errors instead of saving an error page as the binary
curl -fsSLO https://<release-url>/daam-cli-linux-amd64
chmod +x daam-cli-linux-amd64
sudo mv daam-cli-linux-amd64 /usr/local/bin/daam-cli

6. Log In and Connect

Authenticate with your organization, then connect to a database:

$ daam-cli login
Opening browser for authentication...
Login successful. Organization: acme-corp
$ daam-cli connect production
Connected to production
Local port: 127.0.0.1:5432
Connection mode: direct

7. Query with Masking

With the tunnel active, connect using psql or any PostgreSQL client. Sensitive columns are automatically masked based on your policy:

$ daam-cli psql production
psql (16.1)
Type "help" for help.

production=>
production=> SELECT name, email, phone, ssn FROM users LIMIT 3;
     name     |       email        |    phone     |     ssn
--------------+--------------------+--------------+-------------
 A*** S***    | a***@e***.com      | ***-***-5678 | ***-**-1234
 J*** D***    | j***@e***.com      | ***-***-9012 | ***-**-5678
 M*** J***    | m***@c***.com      | ***-***-3456 | ***-**-9012
(3 rows)

Masking is read-side only - it transforms SELECT results before they reach you. INSERT and UPDATE statements pass through unmasked, so you can write real data while only seeing masked output.

Next Steps

  • CLI Reference - all commands, profiles, and shell completion
  • Policies - advanced policy configuration and resolution
  • Data Masking - all masking presets and wildcard patterns
  • Organizations - invite members, configure groups, manage roles