StrongDM connector

Use your StrongDM data for reporting, automation and AI.

Data Panda brings your StrongDM users, resources, grants, queries and session events together with the data from the rest of your business. From one place we turn it into dashboards, automations, AI workflows and custom apps that security, IT and audit can rely on every week, not only the week before a SOC 2 evidence pull.

About StrongDM

The single chokepoint between people and your production infrastructure.

StrongDM was founded in 2015 in San Francisco by Justin McCarthy, Elizabeth Zalman and Schuyler Brown, and was acquired by Delinea in March 2026. The product sits as a drop-in proxy between your engineers, analysts and contractors and the resources they need to reach: relational and NoSQL databases, Linux and Windows servers, Kubernetes clusters, internal HTTP apps and network devices. Identity comes from Okta, Microsoft Entra ID or Google Workspace, secrets come from a vault you already run (HashiCorp Vault, AWS Secrets Manager, CyberArk), and policy lives in StrongDM. The proxy is the part that earns its keep on audit day, because every connection, query and shell command flows through it.

For most StrongDM tenants the admin console answers who has a grant on which resource right now. The harder questions, like which grants have not been used in 60 days but are still open, which analyst is running the bulk of the queries against a customer-PII table, how often a break-glass role got assumed last quarter and by whom, or how the joiner-mover-leaver lag from HiBob to grant revocation looks per case, sit across StrongDM and the systems around it. Our connector pulls users, roles, resources, grants, query logs and session metadata into your warehouse, so privileged-access reporting joins HR, ticketing and finance instead of waiting for a one-off CSV from the SDM API.

What your StrongDM data is for

What you get once StrongDM is connected.

Privileged-access reporting

Users, roles, resources and grants in one place, joined to HR, ticketing and finance data.

Active versus dormant grants per resource, per role and per team
Query and session volume per analyst, per database and per week
Break-glass and admin-role assumptions per quarter, with approver and ticket attached

Access lifecycle automation

Let HR events and ticket workflows drive grant changes, instead of an IT queue rebuilt every Monday.

Provision a Jira ticket the moment a grant ages past 60 days unused
Revoke grants within hours of a HiBob leaver record, per resource
Open an alert when query volume on a PII table jumps for a single user

AI workflows

Put privileged-access logs behind AI that sees actual usage, not the role design from last year.

Recommend role consolidations based on grants that always travel together in practice
Risk-score sessions using time, query shape and resource sensitivity
Natural-language Q&A across users, grants and queries for security and audit

Custom apps on your data

Lightweight tools on StrongDM data for people who do not live in the StrongDM admin console.

Access-review app per manager, with last-used-date and resource sensitivity built in
Resource-owner dashboard with active grants, dormant share and recent query volume
Joiner-mover-leaver tracker with the gap from HR action to grant change visible per case

Use cases

Use cases we deliver with StrongDM data.

A list of concrete reports, automations and AI features we have built on StrongDM data. Pick the one that matches your situation.

Dormant-grant auditGrants unused past 30, 60 or 90 days, per resource, role and team.

Query volume per analystQueries per user, per database and per week, with PII-table flag attached.

Break-glass session reportAdmin-role assumptions per quarter, with approver, ticket and session length.

Joiner-mover-leaver driftHours between HiBob action and matching StrongDM grant change, per case.

SOC 2 evidence packQuarterly access reviews, grant approvals and revocations exported per control.

ISO 27001 access reviewResource-owner reviews of active grants, with last-used-date and approver chain.

Vendor and contractor scopeExternal-user grants by project, with auto-expiry date and renewal owner.

PII-table access mapGrants and recent queries on tables marked sensitive, per role and per team.

Resource-owner dashboardPer database, server or cluster: active users, dormant share and last admin session.

Role-consolidation candidatesRoles whose grant sets overlap by more than 80 percent in real usage.

Off-hours session patternSessions outside business hours per user and resource, with country and device.

Real business questions

Answers you will finally get.

Which grants are still standing but nobody is using?

Grant-by-grant last-used-date pulled from the StrongDM query and session log, joined to the role and the resource owner. Security and IT see exactly which grants on which databases, servers or clusters can be revoked at the next access review, instead of trusting that the role design still matches what people do. Resource owners get a per-resource list rather than a tenant-wide spreadsheet.

Who is running the bulk of the queries on our customer-PII tables?

Query volume on PII-flagged tables per user, per role and per week, with the matching session metadata. The security team sees the analysts and engineers whose query pattern jumps without a ticket to back it up, and the roles that quietly accumulated PII access through grant inheritance. That is a list of people to talk to, not a SIEM dashboard to stare at.

How often did break-glass fire last quarter, and was it approved?

Every assumption of an admin or break-glass role over the period, with the approver, the ticket reference, the session length and the resource touched. Audit and the CISO see the cases that fired without an approval trail, and the roles whose break-glass usage is no longer exceptional. The number stops being a guess and becomes a row count.

Value for everyone in the organisation

Where each function gets value.

For finance leaders

Audit cost reconciled against access activity. You see which SOC 2 and ISO 27001 evidence packs come together from the warehouse on a button instead of a contractor week, and which standing grants on paid-per-resource targets can be cut at renewal.

For sales leaders

Sales engineering and analytics access to customer-data resources, with last-used-date attached. Sales ops sees which SE seats still hold grants on customer-PII tables they no longer touch, and which prospect-trial environments were never cleaned up after the deal closed.

For operations

Joiner-mover-leaver in one operational view across HiBob and StrongDM. IT sees the gap between an HR action and a grant change per case, instead of trusting that the lifecycle policy fired and reading about exceptions in the next access review.

Ideas

What you can automate with StrongDM.

Pair with HiBob

Drive joiner and leaver grants from HiBob

New hires in HiBob trigger the matching StrongDM user, role assignment and resource grants on the start date, scoped to what the role needs. Termination records pull the grants within hours and feed the per-resource revocation queue, so the lag from HR action to grant change is a number you can report rather than a hope. The case-by-case timing lands in the warehouse next to the audit trail.

Pair with Jira

Open Jira tickets for dormant grants and stale roles

Grants that age past 60 days unused, roles whose membership grew past their approved size and break-glass assumptions without a matching change ticket open a Jira issue on the right team's backlog, with the user, resource and last-used-date attached. The access review stops being a quarterly cleanup and becomes a steady backlog item alongside other security work.

Pair with Slack

Post StrongDM security signals into the right Slack channel

Break-glass role assumptions, off-hours sessions on production databases, query-volume spikes on PII tables and grant changes outside the standard request flow post a compact alert in the security or IT-ops Slack channel, with user, resource, role and recent session trail attached. The team triages in the channel they already watch instead of opening the StrongDM admin console per case.

Pair with monday.com

Track quarterly access reviews on a monday.com board

Per-resource access-review packs from StrongDM land as items on a monday.com board, with the resource owner, the active-grant list, the dormant share and the last-used-date pre-filled. Owners review and tick off in the tool they already use for project work, and the completion rate per quarter is visible to the CISO without a separate spreadsheet.

Pair with HubSpot

Flag prospect-trial access still open in HubSpot deals

Prospect-trial environments behind StrongDM grants get cross-checked with the matching HubSpot deal stage and close date. Sales ops and security see which trial grants are still standing on accounts that closed-lost or closed-won months ago, and the cleanup queue is a list of names rather than a calendar reminder nobody actions.

Pair with Exact Online

Reconcile per-resource access cost in Exact Online

Per-resource cost from cloud providers and SaaS subscriptions, joined to active StrongDM grant counts and recent session activity, lands next to the matching cost lines in Exact Online. Finance sees which paid-per-seat targets sit on a handful of dormant grants and which can be downgraded at renewal, instead of taking the vendor's per-seat number at face value.

Your existing tools

Your data lands in a warehouse. Your BI tools read from it.

You keep the reporting tool you already have. We connect it to the warehouse where your StrongDM data lives.

Power BI Microsoft

Fabric Microsoft

Snowflake Data warehouse

BigQuery Google

Tableau Visualisation

Excel Sheets & pivots

Three steps

From StrongDM to answers in three steps.

Connect securely

OAuth authentication. Read-only by default. We sign a DPA and your admin keeps the keys.

Land in your warehouse

Data flows into your warehouse on your schedule. Near real time or nightly, your call. You own the data.

Reporting, automation, AI

We build the first dashboard, workflow or AI feature with you, then hand over the keys. Or we stay on for ongoing delivery.

Two ways to work with us

Pick the track that fits how you work.

Track 01

Self-serve

We set up the foundation. Your team builds on top.

StrongDM connector configured and running
Warehouse set up in your cloud account
Clean access for your Power BI, Fabric or Tableau team
Documentation on what's in the data model
Sync monitoring so you're warned before reports break

Best fit Teams that already have a BI analyst or data engineer and want to own the build.

Track 02

Done for you

We build the whole thing, end to end.

Everything in Self-serve
Dashboards built to the questions your team actually asks
Automations between your systems
AI workflows scoped to real tasks your team runs
Custom apps where a dashboard does not cut it
Ongoing delivery at a pace that fits your team

Best fit Teams without in-house BI or dev capacity. You tell us what you need and we deliver it.

Before you book

Frequently asked questions.

Who owns the data?

You do. It lands in your warehouse, on your cloud account. We don't resell or aggregate it. If you stop working with us, the warehouse stays yours and keeps running.

How fresh is the data?

Near real time for most operational systems. For heavier sources we schedule hourly or nightly. You pick based on what the reports need.

Do I need a warehouse already?

No. If you don't have one, we help you pick one and set it up as part of the first delivery. Common starting points are Snowflake, Microsoft Fabric, or a small Postgres start.

Does the connector pull the full query log, or only grant and session metadata?

Both, with a configurable scope. The directory side covers users, roles, resources and grants from the SDM admin API. The activity side covers session events, command logs on shell resources and query logs on database resources. Query-log volume on a busy tenant is high, so the sync is incremental on the SDM cursor and we agree the raw-payload retention horizon per use case rather than holding every WHERE clause indefinitely. Aggregates and metadata stay long-term.

How does the StrongDM data line up with our Okta or Microsoft Entra ID directory?

StrongDM users carry the identity-provider subject from Okta, Microsoft Entra ID or Google Workspace, so the warehouse can join StrongDM grants and sessions to the same person record we already pull from the IdP connector. Group-based role assignment in StrongDM lines up with IdP groups too, which means dormant-grant analysis and joiner-mover-leaver lag can be reported per HR-record rather than per StrongDM user-id only.

What changes for the connector now that Delinea has acquired StrongDM?

Delinea closed its acquisition of StrongDM in March 2026, and StrongDM continues to ship its own product and admin API for now. Our connector targets the StrongDM admin API directly, so day-to-day extraction is unchanged. We track the public roadmap for any product or API consolidation Delinea announces and adjust extraction shape if it ships, with the warehouse model isolated so reporting and automations on top of the data do not break in the meantime.

GDPR-compliant

Data stays in the EU

You own the warehouse

A first deliverable live in four to six weeks.

We review your StrongDM setup and the systems around it. Together we pick the first thing worth building.

Book a call See our other connectors