DBT-002 recommended Exploration

Ability to query/explore data from any table

Developers can browse data in dev/staging; production access controlled and audited; documented tooling available

Question to ask

"Who has production DB access and is it audited?"

Verification guide

Severity: Recommended

Developers need to explore actual data for debugging, development, and understanding the system. This should be easy for dev/staging, and controlled for production.

Check automatically:

  1. Check for Prisma Studio:
# Prisma Studio provides data browsing
grep -E "\"prisma\":|prisma studio" package.json 2>/dev/null

# Check for studio script
grep -E "prisma studio" package.json 2>/dev/null
  1. Check for database admin panels in docker-compose:
# pgAdmin, Adminer, phpMyAdmin
grep -rE "pgadmin|adminer|phpmyadmin|mongo-express" docker-compose*.yml 2>/dev/null
  1. Check for application admin panels:
# Django Admin
grep -rE "admin\.site|AdminSite|django\.contrib\.admin" --include="*.py" 2>/dev/null | head -5

# Rails Admin / ActiveAdmin
grep -rE "rails_admin|activeadmin|administrate" Gemfile 2>/dev/null

# Custom admin routes
grep -rE "/admin|AdminController|admin\.routes" --include="*.ts" --include="*.js" --include="*.py" --include="*.rb" 2>/dev/null | head -10
  1. Check for documented database access:
# Connection string documentation
grep -rE "DATABASE_URL|connection string|psql|mysql" README.md CONTRIBUTING.md docs/*.md 2>/dev/null | head -10
  1. Check for query/seed scripts:
# Scripts that suggest ad-hoc querying patterns
ls -la scripts/*query* scripts/*seed* scripts/*db* 2>/dev/null
find . -name "seed*.ts" -o -name "seed*.js" -o -name "*query*.sh" 2>/dev/null | head -5

Ask user:

  • "How do developers browse data in the database?"
  • "What tools do you use for ad-hoc queries?"
  • "How is production database access controlled?"
  • "Is there an audit log for production data access?"

Production access considerations:

  • Production data access should be restricted to appropriate roles
  • Access should be audited (who accessed what, when)
  • Consider read replicas for production queries to avoid impacting performance
  • PII/sensitive data may require additional controls

Common tools (for reference):

  • Prisma Studio - Built-in data browser for Prisma
  • pgAdmin - PostgreSQL GUI with query tool
  • DBeaver - Universal database tool
  • DataGrip - JetBrains database IDE
  • TablePlus - Modern database GUI
  • Adminer - Lightweight web-based admin (single PHP file)
  • Django Admin - Built into Django
  • Rails Admin / ActiveAdmin - Rails admin panels

Cross-reference with:

  • DBT-001 (visualization - often same tool provides both)
  • Section 15 (Admin dashboard - may include data browsing)
  • Section 25/30 (Security - production access should be controlled)
  • DB-001 (Connection pooling - tools should connect appropriately)

Pass criteria:

  • Developers can easily connect to dev/staging databases and browse data
  • Tool available (GUI client, admin panel, or CLI with documented access)
  • Production access is restricted to appropriate roles
  • Production access is audited (logged)

Fail criteria:

  • No documented way to explore data
  • "We SSH in and run raw psql" with no access controls
  • Developers have no visibility into actual data
  • Production access is uncontrolled (anyone can connect)
  • No audit trail for production data access

Evidence to capture:

  • Tool(s) used for data exploration
  • How dev/staging access is provided
  • How production access is controlled
  • Whether production access is audited
  • Any restrictions on sensitive data access

Section

27. Database Tooling

High Availability & DR

← Previous

DBT-001

Tool to visualize database diagrams (ERD)

 Next →

ARCH-001

SOLID Principles Audited Regularly