Manage repo-level policies
The Policies tab in the Data Repository Details page allows you to view and manage repo-level policies for a given data repository. Click on a policy to view its details. From here you can enable, disable, edit, or delete the policy by clicking Configure. Click the Add policy button to create a repo-level policy.
Repo-level policy types
The policy wizard allows you to create the following types of policies. Below, we explain the parameters you must set to define a policy of each type.
Data Masking
Mask fields for specific users and applications.
- Specify the type of mask, such as a null mask, constant mask, or format-preserving mask. See mask types for help.
- In the Data Labels section, specify the data labels this policy applies to, and click Next.
- In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
- Click Next.
- Click Add to save the policy.
Data Protection
Guard against unauthorized reads, updates, and deletes in specified fields in your database. You can choose whether this policy blocks the action or only sends an alert when the action occurs. This policy type has the parameters:
- In the Database Operations section, choose the types of actions this policy will apply to (reads, updates, and/or deletes)
- In the Data Labels section, specify the data labels this policy applies to, and click Next.
- In Policy Actions, specify:
- Alert to send an alert and allow the operation to proceed.
- Alert and Block to send an alert and block the operation.
- In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
- Click Next.
- Click Add to save the policy.
See also blocking access in global policies.
Data Firewall
A data firewall policy limits which records or rows users can read from a specific location (for example, a table) in your data repository. A data firewall policy applies to all users other than those you explicitly allow (exempt) in the policy.
- Choose the set of allowed (exempted) users in the Specify who can see restricted records panel. In the Specify exempt identities field, use the Add button to add user names or SSO group names of the people who will be exempted from this policy. These people will still be able to see the data unless blocked by another policy.
- Specify the Data Labels this policy applies to.
- In the Data Set field, specify the dataset or data location
that this policy applies to. This name is case insensitive.
- For most database types, this is a fully qualified table name
in the form
<schema>.<table>
- For Snowflake, this is a fully qualified table name
in the form
<database>.<schema>.<table>
- For most database types, this is a fully qualified table name
in the form
- In the Specify how records will be restricted panel, type an
expression that must evaluate to
TRUE
to trigger this policy. Records matching this expression will be blocked for everyone except the users exempted in this policy. Use the same syntax you'd use in aWHERE
clause.
User Segmentation
A user segmentation policy applies to a set of users you specify, and it limits which rows or records those users can read from a table or collection in your database.
- In the Specify who is limited to a subset of records panel,
choose the set of users whose query results will be limited by
this policy. You can either apply this policy to SSO users or to
native accounts on the database. Choose one of the following:
- To apply this policy to SSO users: Select the radio button for Specify which identities. In this section, use the Add button to add the user names or SSO group names of the people who will be covered by this policy. These people will be subject to the limits you add in the next screen.
- To apply this policy to native database accounts: Select the radio button for Specify which database accounts and use the Add button to add the usernames (for example, PostgreSQL or MySQL usernames).
- In the Specify when to apply this policy section, you'll list
the data locations this policy covers.
- Specify the Data Labels this policy applies to.
- In the Data Set field, specify the dataset or data location
that this policy applies to. This name is case insensitive.
- For most database types, this is a fully qualified table name
in the form
<schema>.<table>
- For Snowflake, this is a fully qualified table name
in the form
<database>.<schema>.<table>
- For most database types, this is a fully qualified table name
in the form
- In the Specify how records will be restricted panel, type an
expression that must evaluate to
TRUE
in order for the record or row to be blocked. Records matching this expression will be blocked for the users covered by this policy. Use the same syntax you'd use in aWHERE
clause.
Rate Limit
Implement threshold on sensitive data reads over a period of time. You can choose whether this policy blocks the action or only sends an alert when the action occurs. This policy type has the parameters:
- Type the Maximum number of rows that can be modified per query, and click Next.
- Specify the Data Labels this policy applies to.
- In Policy Actions, specify:
- Alert to send an alert and allow the operation to proceed.
- Alert and Block to send an alert and block the operation.
- In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
- Click Next.
- Click Add to save the policy.
See also blocking access in global policies.
Read Limit
Prevent certain records from being read beyond a specified limit. You can choose whether this policy blocks the action or only sends an alert when the action occurs. This policy type has the parameters:
- Type the Maximum number of rows that can be modified per query, and click Next.
- In Apply this policy to, specify:
- The entire repository to police queries (in the whole repository) surpassing the number of records.
- Specific data labels to specify the data labels this policy applies to.
- In Policy Actions, specify:
- Alert to send an alert and allow the operation to proceed.
- Alert and Block to send an alert and block the operation.
- In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
- Click Next.
- Click Add to save the policy.
See also blocking access in global policies.
Repository Protection
Alert when more than a specified number of records are being updated or deleted across the repo. This policy type has the parameters:
- In the Database Operations section, choose the types of actions this policy will apply to (updates, and/or deletes)
- Type the Maximum number of rows that can be modified per query, and click Next.
- In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
- Click Next.
- Click Add to save the policy.
Service Account Abuse
Ensure service accounts can only be used by intended applications. This policy type has the parameters:
- In the Specify which accounts to alert for panel, specify service accounts for which end user attribution is always required. See what is service account resolution for details.
- Click Next.
- Click Add to save the policy.
Create a repo-level policy
To add or manage a repo-level policy in the Cyral control plane UI, follow the steps below.
info
Things to keep in mind:
- Each repo-level policy applies to a single repository (for example, a specific database).
- If multiple policies (including Cyral global policy rules) apply to a given database operation, then the effect of all policies are composed to provide least-privilege access. See Policy evaluation for details.
Click Data Repos ➡️ your repository's name ➡️ Policies.
Click Add policy and choose a policy template from the list of supported policy types, such as Read limit or Rate limit.
In the Describe panel:
- Give your policy a name and optional description. This policy will be visible only within this repository's configuration.
- Optionally, you can add one or more Policy Type tags to the policy. To do this, type your tag name in the field below Policy Types and then click Add.
- Click Next.
In the Policy parameters screen, provide the settings as prompted.
- The types of policies and their required parameters are explained in Repo-level policy types, above.
- In the Data Labels field, specify whether this limit applies to this database as a whole, or only specific data labels. Leave this box empty to apply the policy to the whole database.
- Once you're finished, click Next.
In the Who this policy applies to panel, choose the SSO users and/or database users this policy will cover. See Specify who this policy applies to for details.
The UI will display a read-only summary of the newly configured policy. Click Add to add the policy.
Your policy is enabled by default, which means it takes effect immediately. To manage, disable, and enable your policy, use its card in the Policies panel.
Specify who this policy applies to
Use the Who this policy applies to panel to choose the people or groups a repo-level policy will affect.
In Cyral, users typically connect using their SSO user account, and this SSO user account usually maps to a database account. In the Specify who this policy applies to tab, you can specify which user accounts and database accounts this policy applies to. You can combine the logic shown on the screen in any way you like, such as, for example:
All identities with Any database accounts: Policy applies to everyone
All identities with Specific database accounts: Policy applies to every SSO user, provided that user is mapped to one of the database accounts you list here.
Specific identities with Any database accounts: Policy applies to the SSO users you specify, regardless of the database accounts they're mapped to.