
Policy guide

With Cyral, you create policies that limit how your organization's data can be acted on by people and applications. With a policy in place, you can use it to block access (preventing users from violating your policy) and/or generate a log entry when a user violates the policy.

Your Cyral policies consist of:

  • a Data Map that specifies the data fields to be protected
  • one or more policies that contain the rules specifying how that data can be accessed

The Data Map and policies are expressed in YAML, as shown in the samples below.

Sample Data Map:

CCN:
  - repo: claims
    attributes: [finance.customers.ccn]
  - repo: loans
    attributes: [applications.customers.credit_card_number]
EMAIL:
  - repo: claims
    attributes: [finance.customers.email]
  - repo: loans
    attributes: [applications.customers.email]
SSN:
  - repo: claims
    attributes: [finance.customers.ssn]
  - repo: loans
    attributes: [applications.customers.social_security_number]

Sample policy:

data:
  - EMAIL
  - CCN
  - SSN
rules:
  - identities:
      groups: [analyst]
    reads:
      - data: any
        rows: 10
    updates:
      - data: [EMAIL, CCN]
        rows: 1
        severity: medium
    deletes:
      - data: any
        rows: 1
        severity: medium
  - identities:
      users: [bob]
      hosts: [192.0.2.22, 203.0.113.16/28]
    reads:
      - data: any
        rows: any
    updates:
      - data: [EMAIL, CCN]
        rows: any
    deletes:
      - data: any
        rows: any
  - reads:
      - data: [EMAIL]
        rows: 1
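To make the two structures concrete, here is an added example (not Cyral's own code or policy engine) that holds copies of the samples above as Python dicts, resolves a repository attribute to its Data Map label, and checks a request against the policy rules. The rule semantics it applies are an assumption for illustration only: a rule with no identities block applies to everyone, matching any listed user, group or host/CIDR is enough, data: any covers every label the policy protects, rows: any means no row limit, and the severity of a grant the request exceeds is reported with the block decision.

```python
import ipaddress
# Constructed copies of the sample Data Map and policy above, as Python dicts so no YAML library is needed.
DATA_MAP = {
    "CCN": [{"repo": "claims", "attributes": ["finance.customers.ccn"]}, {"repo": "loans", "attributes": ["applications.customers.credit_card_number"]}],
    "EMAIL": [{"repo": "claims", "attributes": ["finance.customers.email"]}, {"repo": "loans", "attributes": ["applications.customers.email"]}],
    "SSN": [{"repo": "claims", "attributes": ["finance.customers.ssn"]}, {"repo": "loans", "attributes": ["applications.customers.social_security_number"]}],
}
POLICY = {
    "data": ["EMAIL", "CCN", "SSN"],
    "rules": [
        {"identities": {"groups": ["analyst"]},
         "reads": [{"data": "any", "rows": 10}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": 1, "severity": "medium"}],
         "deletes": [{"data": "any", "rows": 1, "severity": "medium"}]},
        {"identities": {"users": ["bob"], "hosts": ["192.0.2.22", "203.0.113.16/28"]},
         "reads": [{"data": "any", "rows": "any"}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": "any"}],
         "deletes": [{"data": "any", "rows": "any"}]},
        {"reads": [{"data": ["EMAIL"], "rows": 1}]},
    ],
}

def labels_for(repo, attribute):
    """Resolve a repo attribute (e.g. claims / finance.customers.ssn) to the Data Map labels covering it."""
    return {label for label, entries in DATA_MAP.items()
            for e in entries if e["repo"] == repo and attribute in e["attributes"]}
def identity_matches(rule, user, groups, host):
    """Assumed semantics: no identities block means everyone; else any listed user, group or host/CIDR suffices."""
    ids = rule.get("identities")
    if not ids:
        return True
    addr = ipaddress.ip_address(host)
    return (user in ids.get("users", []) or bool(set(groups) & set(ids.get("groups", [])))
            or any(addr in ipaddress.ip_network(h, strict=False) for h in ids.get("hosts", [])))
def evaluate(action, labels, rows, user, groups=(), host="198.51.100.1"):
    """Return ('allow', None) or ('block', severity); action is reads, updates or deletes."""
    protected = set(POLICY["data"])
    touched = set(labels) & protected            # fields carrying no protected label are not governed
    if not touched:
        return "allow", None
    severity = None                              # set from a grant the request exceeded, if it names one
    for rule in POLICY["rules"]:
        if not identity_matches(rule, user, groups, host):
            continue
        for grant in rule.get(action, []):
            covered = protected if grant["data"] == "any" else set(grant["data"])
            if touched <= covered and (grant["rows"] == "any" or rows <= grant["rows"]):
                return "allow", None
            severity = grant.get("severity", severity)
    return "block", severity
```

With these assumptions, an analyst reading 500 SSN rows is blocked by the 10-row limit, an analyst deleting three CCN rows is blocked at severity medium, and bob, or any client inside 203.0.113.16/28, is unrestricted on every protected label.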

Next, we explain the structure and fields of the Data Map and of policies, and we finish with a full interpretation of the sample policy.