Key Concepts of strongDM

This section covers concepts that are key to the daily use and operation of strongDM.


Users and Service Accounts represent the individual end-users of the strongDM product and are provisioned within the strongDM Admin UI.


Roles represent a collection of permissions, and typically correspond to teams, Active Directory OUs, use cases, or any other organizational scheme.

Datasource and Server privileges are granted to Roles.


The strongDM client is installed on a device (a laptop or workstation, for example) which a user uses to access infrastructure. All Datasource and Server access is conducted via the strongDM client. Additionally, all administrative and automation tasks may be performed via the CLI form of the strongDM client.

The strongDM client (GUI and CLI) auto-updates as releases are made available. All strongDM binaries are signed according to OS conventions.


A Relay creates connectivity to your datasources, while maintaining the egress-only nature of your firewall. Relays are the only things that can speak to your databases, mediating the connection between them and the strongDM public relay pool (or your Gateways). Relays use a statically-compiled binary, optionally wrapped in a Docker container.

To create redundancy, you should deploy two relays (per firewalled/VPC region).


A Gateway is a Relay that additionally listens for connections from the Client. By provisioning Gateways, an organization can ensure that its data flow does not leave its network.

To create redundancy, you should deploy two gateways (per VPC region or other logical boundary).

Credential Leasing Model

strongDM acts as a secure credential repository that allows admins to reuse a shared underlying database credential or SSH key pair among tens, hundreds, or thousands of users without sacrificing the ability to attribute every query or SSH session to specific users.

From that credential repository, strongDM injects the underlying credentials in the last hop between the gateway pair and the target infrastructure.

Datasources & Servers

Datasources combine Database Type, Host Address (IP/hostname and port), and Credentials into a unified record.

When a User or Role is assigned a Datasource, that entity inherits the permissions associated with the Credential in that Datasource.

In cases where multiple Credentials are desirable for a given Host Address, the Datasource can be cloned, with an alternate credential provided.

Similarly, Servers combine Server Type, Host Address, and Credentials into a unified record. Users or Roles assigned access to the Server inherit the permissions associated with the Credential in that Server. Multiple Server records can be created for different credentials on the same server.
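The Credential Leasing Model and the Datasource record described above can be sketched as a small model. This is an added example, not strongDM code: the `Gateway` and `Datasource` classes, the user, role and host names, and the credentials are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Datasource:
    """Database Type + Host Address + Credential as one record (hypothetical model)."""
    db_type: str
    host: str
    credential: str  # shared secret; stays on the gateway side, never sent to clients

@dataclass
class Gateway:
    datasources: dict  # datasource name -> Datasource
    role_grants: dict  # role name -> set of datasource names granted to that role
    user_roles: dict   # user name -> role name
    audit_log: list = field(default_factory=list)

    def query(self, user, ds_name, sql, backend):
        role = self.user_roles.get(user)
        allowed = ds_name in self.role_grants.get(role, set())
        # Every attempt is recorded against the individual user, not the shared login.
        self.audit_log.append({"user": user, "datasource": ds_name,
                               "query": sql, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} has no grant for {ds_name}")
        ds = self.datasources[ds_name]
        # Last hop: the credential is injected here, between gateway and target.
        return backend(ds.host, ds.credential, sql)

def demo():
    seen_by_database = []  # what the target observes: host and shared credential only

    def fake_database(host, credential, sql):  # constructed stand-in for the target
        seen_by_database.append((host, credential))
        return f"rows for: {sql}"

    # Same host, two records: the clone carries an alternate (read-only) credential.
    rw = Datasource("postgres", "db.internal.example:5432", "app_rw:constructed-secret-1")
    ro = Datasource(rw.db_type, rw.host, "app_ro:constructed-secret-2")
    gw = Gateway(datasources={"orders-rw": rw, "orders-ro": ro},
                 role_grants={"engineering": {"orders-rw"}, "analytics": {"orders-ro"}},
                 user_roles={"alice": "engineering", "bob": "engineering",
                             "carol": "analytics"})
    gw.query("alice", "orders-rw", "UPDATE orders SET status='shipped'", fake_database)
    gw.query("bob", "orders-rw", "SELECT * FROM orders", fake_database)
    try:
        gw.query("carol", "orders-rw", "DELETE FROM orders", fake_database)
    except PermissionError:
        pass  # the denied attempt is still in the audit log
    return gw.audit_log, seen_by_database
```

The target sees the same shared login for both permitted users, so the gateway-side audit log is the only place where the two sessions can be told apart.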


Logging on the strongDM servers, if enabled, includes queries, captures, and activities, all of which are available in the strongDM Admin UI. To view these items, visit the Queries, SSH Captures, and Activities pages in the strongDM Admin UI. Queries, activities, and captures stored with strongDM can also be accessed via the SDM CLI. Visit the Logging Guide for more information.

The only logging option under strongDM logging is whether or not to enable additional encryption. This option is detailed in the Log Encryption Guide.

For more information on viewing logs, queries, and captures that are stored by strongDM, visit the Using strongDM Logs guide.

Logs can also be stored on Relays and Gateways, detailing all queries and session captures that pass through those Relays or Gateways. Multiple logging options exist, including writing them to a file, STDOUT, or streaming to a TCP or Socket location. For more information, visit the Using Relay Logs guide.


Integrations are scripts or tools that enable strongDM to work nicely with other tools in your stack.