Working with spatial/GIS data

Spatial data is a geometry or geography value that can be represented on a map or a graph. A geometry object consists of a series of points. Please find more details here.

CloudBeaver’s support of spatial data covers the following databases:

  • PostgreSQL (PostGIS)
  • MySQL
  • SQLite (GeoPackage)
  • H2GIS
  • Oracle
  • SQL Server

Spatial data viewer

Data viewer GIS

If you click on an object on the map, the following data (strings, numbers, dates etc.) from every other column in the corresponding row will be displayed.

GIS Object info

Value Panel

The Value panel provides additional space in the Data editor in which you can manipulate data. The panel is handy if you work with complex types (structures, arrays), long text data or BLOBs.

To open the panel, click the Value button on the right hand side of the Data tab. Alternatively, you can open the Value panel by clicking Show in value panel on a cell context menu.

To close the panel, click the Value button again.

Value Panel Buttons

The Value viewer panel displays just one value that is currently selected or in focus and allows editing.

At the top of the Value panel, you can find several tabs. The tabs depend on the current value type. For example, if your current value is a string, you will find 4 tabs (Plain text, HTML, XML, JSON), each representing a format the string can be shown in.

Value Panel Open


The Administrator can create users for local name/password based authentication in the Administration Menu.

CloudBeaver CE

Local user creation

  1. Go to the Access management tab of the Administration Menu and press the Add button.
  2. Create a username and password.
  3. Grant a role to the user. It will define the user’s permission (you can find more information about roles at Role management article).
  4. Give connection access to the user in the Connection Access tab if it is necessary.
  5. Press the Create button.

CloudBeaver EE

CloudBeaver Enterprise Edition also allows you to configure AWS and SSO users.

AWS and Federated users

When a user is authorized to CloudBeaver EE instance with AWS IAM or Federated authentication for the first time, the appropriate user is created in the application with the User role by default. The administrator can change the user’s role after that.
The creation of new AWS and Federated users is not possible by the Administrator as it only works with real AWS and Federated users.

CloudBeaver AWS

CloudBeaver Enterprise Edition for AWS allows you to configure only AWS and Federated users, because it does not have local access and local users cannot be created there.

User credentials storage


It is possible to configure CloudBeaver to save database credentials (user names and passwords) in CloudBeaver storage.
In this case, users won’t need to enter database credentials every time they connect to a database.

However, the most secure way is to disable this option. See options “Save credentials” and “Save user credentials” in administrator console, page “Server configuration”.

Credentials storage

There are two types of database connections: global and user.
Global connections are managed by CloudBeaver administrators, user connections are managed by users themselves.

Global database configuration is stored in workspace sub-folder GlobalConfiguration/.dbeaver.
Database configurations are stored in the file data-sources.json, database credentials are stored in the file credentials-config.json. File credentials-config.json is encrypted by a special key which is stored in CloudBeaver distribution.

User configuration are stored in workspace sub-folders user-projects/USER_NAME/.dbeaver.

Potentially, if an intruder/malware software will get access to CloudBeaver server filesystem, then it may get access to all stored user credentials.
To increase security it is recommended to configure the server to keep workspace on a shared encrypted network folder (e.g. S3, see S3 Server-side encryption).

Configuring server datasources

Configuring server “predefined” connections

See Connection configuration for descriptions of the different connection types.


The CloudBeaver server may have a set of pre-configured database connections.
This configuration is stored on a server and cannot be changed by end-users.

An End-user may choose one of the pre-configured connections on the main CloudBeaver toolbar. Then the user has to provide a username/password in order to connect to the pre-configured datasource. No other parameters are needed.

See Server configuration for information about the server and workspace configuration.

Datasources configuration file

All project-level configurations are stored in the folder, ${CLOUDBEAVER_WORKSPACE}/GlobalConfiguration/.dbeaver.
Datasources are configured in the file, data-sources.json.

It has the same format as DBeaver datasources configuration file.
In version 1.0 CloudBeaver does not support UI for datasources configuration (mostly because it is quite complicated).

You can create this configuration in DBeaver and then copy it to your server configuration folder. Then you can patch the configuration manually by editing the configuration json.

CloudBeaver 21.1.2

Release – 2021-08-11

  • Option to run SQL Scripts has been implemented.
  • Radio buttons have been added to the Value panel to edit Boolean values.
  • Minor UI fixes and improvements have been made.


Single Sign-On

CloudBeaver Enterprise supports federated authentication for Single Sign-On (SSO) access into the application. 

SSO is an authentication service which permits a user to log in with single credentials to multiple applications.

SSO in Cloudbeaver allows to:

  • log in to the application by users who have been given rights.

  • get access to databases according to users’ roles.

Cloudbeaver supports SAML and OpenID  authentication methods for SSO.

SSO for AWS 

You can configure SSO access for AWS. In order to provide users permission to your AWS cloud resources (RDS, DynamoDB, etc.) you need to configure AWS federated access proxy user. You can find more information here: configuring SAML assertions for the authentication response:

  1. Go to the AWS Settings tab and enable the Federated authentication. 


  1. Add the Proxy User on the same page. You can set the current user or add a new one.

  2. Create SAML configuration. You can find more information here: SAML Authentication

When an AWS user is logged into CloudBeaver using SSO, it has the Proxy User and the IAM user’s identity-based permissions.

Actual permission set and user role are configured in attribute mappings of SAML integration.


CloudBeaver does not keep your authentication information on the server-side and in configuration files.

Once your session expires, you will need to authenticate again. When a user logs out from the application, CloudBeaver also performs a session logout from Id Provider.

Connection Management




You can add, edit, or remove shared database connections or database connection templates on the Connection Management page in administration.

Connection Management


Click the Add button in the top toolbar to open the connection creation form.

You can use the Search tab to find databases on the cloudbeaver host machine or provided host. You can choose database type if several databases can be hosted on the same port. You can write several hosts to search on: localhost or localhost, Click on the connection in the list to open the creation form (You can also select database type there).

You can use the Custom tab to create a connection for the specified database or driver. You can search databases by name.

Connection Form

You can set base connection parameters, driver settings, SSH tunnel, and access in the connection form.
A connection template will be created if the Template checkbox is checked.
To check the connection to the database, click on the Test connection button; if SSH is configured, it will be used to test the connection.
Users will be asked to enter credentials if the connection requires authentication. An administrator can set authentication parameters and save them (Save credentials checkbox in Authentication section); in that case, any user that has access to a connection will be able to connect without entering credentials.

Connection Form

You can manage access to the database at the Access tab. You can select users or roles to provide access to.

Connection Form

CloudBeaver 21.0.3

Release – 2021-06-11

  • Filtering and Ordering from the context menu were added for the data editor .
  • Read-only columns and result sets were marked in the data editor.
  • Possibility to remove data export feature from UI was added.
  • CloudBeaver docker image is based on Ubuntu Slim now.
  • Minor UI fixes and improvements.

Connection configuration

Connection types in CB

Pre-configured connections

The configuration is located in ${WORKSPACE}/GlobalConfiguration/.dbeaver/data-sources.json.
Preconfigured connections are always visible in the database navigator. Users cannot delete or change them.
Only the administrator can edit them.

Template connections

Template connections are similar to the provided connections. The main difference is that they are not present in the database navigator by default.
Users can add them to the navigator tree by using the main toolbar Connection->New Connection->From template.
Only the administrator can edit the template connections.

Custom connections

Custom connections can be created by users (Note: configuration parameter supportsCustomConnections must be turned on).

  • Click on the main toolbar->Connection->New Connection->Custom.
  • Choose the connection driver
  • Fill in the connection parameters
  • Click “Create” and the connection will be added in the navigator tree

Cloud connections

Cloud connections cannot explicitly be created or deleted by users. Their configuration is provided by a cloud service provider (e.g. thru AWS API).
Once CB will find such connections (by using cloud configuration specified by the server administrator) they will become visible in the navigator tree.