Data sources & SQL safety
Connecting a database lets Edmund answer from your operational data — but it runs the queries it writes, so the user it connects with must be read-only.
Administrator / expert userEdmund writes SQL to answer your questions and runs it against the database you connect — without checking that the statement is safe. A generated query could in principle change or delete data (for example a DELETE or DROP). So you must connect with a database user that can only read — a SELECT-only account. That single choice contains the blast radius: even a bad query can read, but never harm, your data.
A data source is a live connection to an operational database, scoped to one project. With it, Edmund can answer about current and historical values — counts, trends, the last reading on a tag — instead of only what’s written in documents. Set up the read-only user first, then connect.
Create a read-only database user
Make a dedicated user that can read the specific data you want Edmund to query, and nothing else. How you do that depends on the engine — there is no single command that works everywhere.
| Engine | How to make it read-only |
|---|---|
| PostgreSQL / Microsoft SQL Server / Oracle Database | Create a dedicated user and GRANT SELECT on only the schema or tables you want Edmund to query. Grant nothing that can write. |
| InfluxDB | Issue a read-only token (authorization) limited to the bucket or database Edmund should read. |
| Snowflake | Create a role granted only USAGE + SELECT on the warehouse, database and schema, then assign that role to the connecting user. |
Example: PostgreSQL
A minimal read-only login for one schema. Replace the names, password and schema to match your database.
CREATE ROLE edmund_ro LOGIN PASSWORD 'choose-a-strong-password';
GRANT CONNECT ON DATABASE plant_db TO edmund_ro;
GRANT USAGE ON SCHEMA maintenance TO edmund_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA maintenance TO edmund_ro;
-- so future tables in this schema are readable too:
ALTER DEFAULT PRIVILEGES IN SCHEMA maintenance
GRANT SELECT TO edmund_ro;
Grant access to only the schema or tables Edmund actually needs. The narrower the user’s reach, the less there is to read by mistake — and the easier it is to reason about what Edmund can see.
Connect the data source
Which engines appear depends on your organization’s feature flags. Once your read-only user exists, connect it inside the project.
Open the project the database belongs to.
Go to Data sources and click Add data source.
Pick the engine: PostgreSQL, Microsoft SQL Server, Oracle Database, InfluxDB or Snowflake.
Fill in the connection form: Connection name, Host URL, Database name, Schema (optional), Username and Password. Use the read-only user’s credentials here.
Save the connection. Edmund can now answer questions in this project from the connected data.
To cut Edmund off from the database, disable or drop the read-only user in your database. Because access runs through that one account, removing it stops all queries from this connection.