Database Schema

All Drizzle ORM schema definitions are in apps/api/src/db/schema/.

The central table for managed endpoints:

| Column | Type | Description |
| --- | --- | --- |
| id | UUID | Primary key |
| orgId | UUID | FK → organizations |
| siteId | UUID | FK → sites |
| agentId | varchar(64) | Unique agent identifier |
| agentTokenHash | varchar(64) | SHA-256 hash of the main agent bearer token (nullable for pre-migration devices) |
| watchdogTokenHash | varchar(64) | SHA-256 hash of the companion watchdog token |
| helperTokenHash | varchar(64) | SHA-256 hash of the user-helper token |
| agentTokenSuspendedAt | timestamp | Set when the agent token is auto-suspended (e.g. cross-tenant access attempt). Re-enrollment is blocked until cleared. |
| agentTokenSuspendedReason | varchar(255) | Reason recorded alongside agentTokenSuspendedAt. |
| hostname | varchar(255) | Device hostname |
| displayName | varchar(255) | Optional display name (editable inline from the device detail page) |
| osType | enum | windows, macos, linux |
| osVersion | varchar(100) | OS version string |
| osBuild | varchar(100) | OS build identifier (optional) |
| architecture | varchar(20) | CPU architecture (e.g. amd64, arm64) |
| agentVersion | varchar(20) | Installed agent version |
| status | enum | online, offline, maintenance, updating, pending, decommissioned, quarantined |
| lastSeenAt | timestamp | Last telemetry received |
| lastSeenIp | inet | Source IP recorded on the most recent heartbeat; changes raise an agent.source.ip.changed audit event. |
| mainAgentSilentSince | timestamp | Set by the server when the main agent stops heartbeating but the watchdog is still online. Cleared when the agent resumes. |
| watchdogStatus | enum | connected, failover, offline — last reported watchdog state. |
| watchdogLastSeenAt | timestamp | Last watchdog check-in. |
| watchdogVersion | varchar(20) | Installed watchdog binary version. |
| enrolledAt | timestamp | When the device was enrolled |
| enrolledBy | UUID | FK → users (who initiated enrollment) |
| tags | text[] | Array of string tags |
| mtlsCertSerialNumber | varchar(128) | Cloudflare mTLS cert serial (optional) |
| mtlsCertExpiresAt | timestamp | mTLS cert expiry (optional) |
| mtlsCertIssuedAt | timestamp | mTLS cert issue date (optional) |
| mtlsCertCfId | varchar(128) | Cloudflare cert ID (optional) |
| quarantinedAt | timestamp | When device was quarantined (optional) |
| quarantinedReason | varchar(255) | Reason for quarantine (optional) |
| createdAt | timestamp | Row creation time |
| updatedAt | timestamp | Last update time |

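One way a server could check a presented agent bearer token against agentTokenHash and agentTokenSuspendedAt. This is an added example, not the project's own code. It assumes the hash is stored as hex (64 characters, matching varchar(64)) and that a null hash fails closed; DeviceTokenRow, hashToken and verifyAgentToken are hypothetical names.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical row shape: only the token columns of the devices table.
interface DeviceTokenRow {
  agentId: string;
  agentTokenHash: string | null; // null for pre-migration devices
  agentTokenSuspendedAt: Date | null;
  agentTokenSuspendedReason: string | null;
}

type TokenCheck = "ok" | "no_hash" | "bad_token" | "suspended";

// SHA-256 as hex is exactly 64 characters (assumed storage encoding).
function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

function verifyAgentToken(row: DeviceTokenRow, presented: string): TokenCheck {
  // Assumption: a device with no stored hash cannot authenticate (fail closed).
  if (row.agentTokenHash === null) return "no_hash";

  const stored = Buffer.from(row.agentTokenHash, "hex");
  const candidate = createHash("sha256").update(presented, "utf8").digest();
  // timingSafeEqual throws on unequal lengths, so compare lengths first;
  // a malformed stored value decodes short and is rejected here.
  if (stored.length !== candidate.length || !timingSafeEqual(stored, candidate)) {
    return "bad_token";
  }

  // Checked only after the token matched, so a caller without the token
  // cannot learn whether a device is suspended.
  if (row.agentTokenSuspendedAt !== null) return "suspended";
  return "ok";
}

// Constructed sample rows (not real data).
const activeRow: DeviceTokenRow = {
  agentId: "agent-constructed-1", agentTokenHash: hashToken("constructed-token-A"),
  agentTokenSuspendedAt: null, agentTokenSuspendedReason: null,
};
const suspendedRow: DeviceTokenRow = {
  ...activeRow, agentTokenSuspendedAt: new Date("2024-01-01T00:00:00Z"),
  agentTokenSuspendedReason: "cross-tenant access attempt",
};
const preMigrationRow: DeviceTokenRow = { ...activeRow, agentTokenHash: null };
```
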
| Table | Description |
| --- | --- |
| deviceHardware | CPU model, cores, RAM, disk, GPU, serial number, manufacturer |
| deviceNetworkInterfaces | Network interfaces with MAC, IP, type, primary flag, public IP |
| deviceDisks | Mount points, filesystem type, capacity, health |
| deviceTelemetry | Time-series CPU, RAM, disk, network, process count |
| deviceSoftware | Installed applications with version, publisher, install location |
| deviceRegistryEntries | Windows registry snapshots |
| deviceConfigEntries | Configuration file key-value pairs |
| deviceNetworkConnections | Active TCP/UDP connections with process info |
| deviceGroups | Static and dynamic device groups with filter rules |
| deviceGroupMemberships | Many-to-many device ↔ group mapping |
| deviceCommands | Command queue (pending, completed, failed) |
| elevationRequests | Privileged-action mode (PAM) elevation requests awaiting approval |
| elevationAudit | Immutable audit trail of elevation approve/deny/expire decisions |
| refreshTokenFamilies | Refresh-token lineage for reuse-detection (RFC 9700 §4.13.2) |

```
partners (MSP)
└── organizations (customer)
    └── sites (location)
        └── device_groups
            └── devices
```

| Table | Purpose |
| --- | --- |
| users | User accounts with email, password hash, MFA status |
| roles | Role definitions (Partner Admin, Technician, Viewer, etc.) |
| permissions | Resource + action pairs (e.g., `devices:read`) |
| rolePermissions | Maps roles to permissions |
| partnerUsers | Maps users to partners with roles |

Seeded by pnpm db:seed:

| Role | Scope | Permissions |
| --- | --- | --- |
| Partner Admin | partner | `*:*` (full access) |
| Partner Technician | partner | Read + execute on devices, scripts, alerts |
| Partner Viewer | partner | Read-only |
| Org Admin | organization | Full access within org |
| Org User | organization | Read + limited write |

```bash
# Push schema changes (development)
pnpm db:push

# Run migrations (production)
pnpm db:migrate

# Seed default roles, permissions, templates
pnpm db:seed

# Open Drizzle Studio (visual schema browser)
pnpm db:studio
```

```bash
# Connect to the database
docker compose -f docker/docker-compose.prod.yml exec postgres \
  psql -U breeze -d breeze
```

```sql
-- At the psql prompt: list tables
\dt

-- Describe a table
\d devices

-- Count devices
SELECT count(*) FROM devices;
```