Skip to main content
Version: v4.13

Policy Evaluation

How does Cyral evaluate a policy?

When a data user submits a query, Cyral evaluates your repo-level policies, global policies, and Rego policies to determine what data they can see, and what they can do with data at the requested location.

Policy evaluation begins by collecting all the policies that are applicable to the incoming request. Note that more than one policy may apply to the same request.

When this happens, each applicable policy may result in a different outcome. That is, each policy may impose different policy enforcement actions on the query execution. For example, two policies might match for a query, each applying its own, unique row limit. Cyral resolves these policy conflicts using the rules of least privilege, as follows:

  • If any policy blocks the query, the query will be blocked.

  • The final row limit for the query is the smallest row limit required by any of the applied policies.

  • The final rate limit for any data label is the minimum rate limit required by any of the applied policies for the data label or any of its associated tags.

  • If the same attribute is required to be masked in different ways, the least information-revealing method will be chosen. The order of precedence (highest to lowest) is: null mask, constant mask, random (format-preserving) mask. Note that if two policies both suggest a constant mask but with different constant values, one of them will be arbitrarily chosen.

  • If the same dataset is required to be differently rewritten by different policies, an arbitrary substitution will be chosen from among these.

For a guided tour showing how Cyral evaluates a policy at query time, see Interpreting the sample policy.