Skip to main content
Version: v4.13

Access rules for users and groups

To give an SSO user access to a repository, you will map that user (or an SSO group that they belong to) to a database account. These mappings are provided by access rules in Cyral. Each access rule is an identity mapping of an SSO user or group to a database account. For example, SSO user Frank Hardy might map to a local account — a PostgreSQL user — called analyst.

Access rules also allow you to specify conditions for and limits on users' repository connections. These can include:

  • a start and end time that specify when the access rule is valid;
  • requiring the user to complete multi-factor (MFA) token authentication; and/or
  • limiting access to the hours when the employee is on-call.

Cyral also offers just-in-time approvals as an alternative to access rules. If a user has an active approval for the repository, the approval overrides access rules until the approval expires. For more details, see How Cyral authorizes a user to connect to a repository.

When multiple database accounts are available for a user

Each access rule maps an SSO user (or group) to a specific database account. If multiple access rules match for an SSO user, that can mean multiple database accounts are available for that SSO user.

If you've set up multiple access rules for an SSO user in this way, then, when connecting, the user must specify both their SSO username and their preferred database account name in their connection string. This usually follows the format, {SSO_USER}:{LOCAL_ACCOUNT}, as explained in the SSO connection syntax section.

If the the database account name is missing, Cyral denies access because the request is ambiguous.

Access rule expirations and updates

If you or another administrator edits an access rule, or if the access rule expires, this can affect users who are currently connected based on that access rule. In such cases, Cyral performs the access rule evaluation again.

Based on the evaluation, the user's connection may be terminated (because it has become unauthorized) or may continue based on an access rule that applies. Cyral also re-evaluates the Cyral policy that governs the user's data access, so if the newly matched access rule uses a different group name, then the group used for policy evaluation will change.

Add an access rule


Before you add an access rule, make sure you've completed these steps:


  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Access Rules tab.

  2. Click the name of the database account you will map, or create one now.

  3. Click Add rule.

  4. Choose SSO Group or SSO User to specify the type of SSO identities this rule applies to.

  5. In the text entry field, do one of:

    • For SSO users: choose Email or User Id and type the corresponding value as stored in your identity provider (IdP).

    • For SSO groups, type the SSO group name as stored in your IdP.


Please note that for Azure AD, you'll specify the SSO group by its Object ID which you'll find in the Groups panel of your Azure management console.

  1. In the When is this access permitted? section, choose one of:

    • Always to create a mapping that will not expire automatically; or
    • Specify Duration and set a start and end time to set a length of validity for this user's or group's access,
  2. To enforce an on-call access restriction (each user's access grant remains open only during their on-call rotation), follow these steps:


To enforce on-call schedules, you mist set up an on-call schedule in your incident management system, like PagerDuty, and you must connect your incident management system to Cyral

  1. To require multi-factor authentication, follow these steps:

    • Open the Additional Access Restrictions section.
    • Choose the name of the multifactor-authentication system integration you saved in Cyral. For setup details, see Multi-factor authentication with Duo.
  2. Click Add Rule to save the identity mapping and rule.

With the rule saved, SSO users who match it can connect to the repository using their SSO credentials. To initiate the connection, they must begin at the Cyral Access Portal.


As an administrator, you can validate the configuration by creating a local account mapping for yourself, then navigating to your access portal by clicking the Data Access Portal button at the top right of your management console.

Next step


Did you know that your users can quickly request and get access to a repository, just by chatting with the Cyral bot in Slack? See how to set it up now.

Learn more