Version: v4.13

Sample policy

Interpreting the sample policy

Here we show the same sample policy we used earlier, when we explained the structure of a policy. This policy manages the data labels EMAIL, CCN, and SSN, which map to email addresses, credit card numbers, and social security numbers located in the repositories claims and loans, as defined in the Data Map.

Note: For an introduction that shows how Cyral finds the right rule for a data access request, see Policy evaluation.

Based on the rules specified in this policy,

  • Users belonging to the user group analyst are allowed to read up to 10 rows at a time from any of the data locations covered by this policy, update 1 row at a time of EMAIL or CCN data, and delete 1 row at a time from any of the data locations covered by this policy.

  • As an exception, the user bob can read any number of rows from any of the covered data locations, update any number of rows in EMAIL or CCN, and delete any number of records from any of the locations covered by this policy, but he can do this only when connected from a machine with the address 192.0.2.22 or with an address in the subnet 203.0.113.16/28.

  • All other users (those who are neither bob nor members of the group analyst) can read 1 row of EMAIL at a time. Any other access to the data locations EMAIL, CCN, and SSN is disallowed.

data:
  - EMAIL
  - CCN
  - SSN
rules:
  - identities:
      groups: [analyst]
    reads:
      - data: any
        rows: 10
    updates:
      - data: [EMAIL, CCN]
        rows: 1
        severity: medium
    deletes:
      - data: any
        rows: 1
        severity: medium
  - identities:
      users: [bob]
      hosts: [192.0.2.22, 203.0.113.16/28]
    reads:
      - data: any
        rows: any
    updates:
      - data: [EMAIL, CCN]
        rows: any
    deletes:
      - data: any
        rows: any
  - reads:
      - data: [EMAIL]
        rows: 1
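To make the three bullet points above concrete, here is a small evaluator, written for this page and not part of Cyral's own code, that applies the sample policy to a request (user, groups, client address, action, data label) and returns the row limit that applies. It assumes, for illustration only, that the first rule whose identities match the request decides, that a rule without an identities block matches everyone, that users and groups in an identities block are alternatives while hosts are an extra constraint, and that an action or label the matching rule does not mention is denied.

```python
import ipaddress

# Constructed copy of the sample policy above (severity omitted: it does
# not affect which rows are allowed).
POLICY = {
    "data": ["EMAIL", "CCN", "SSN"],
    "rules": [
        {"identities": {"groups": ["analyst"]},
         "reads": [{"data": "any", "rows": 10}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": 1}],
         "deletes": [{"data": "any", "rows": 1}]},
        {"identities": {"users": ["bob"],
                        "hosts": ["192.0.2.22", "203.0.113.16/28"]},
         "reads": [{"data": "any", "rows": "any"}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": "any"}],
         "deletes": [{"data": "any", "rows": "any"}]},
        {"reads": [{"data": ["EMAIL"], "rows": 1}]},
    ],
}


def host_matches(host, allowed):
    """True if host equals a listed address or lies inside a listed CIDR."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def identities_match(rule, user, groups, host):
    """Assumption: no identities block means the rule applies to everyone;
    users/groups are alternatives, hosts is an additional constraint."""
    ids = rule.get("identities")
    if ids is None:
        return True
    by_user = user in ids.get("users", [])
    by_group = bool(set(groups) & set(ids.get("groups", [])))
    if not (by_user or by_group):
        return False
    return "hosts" not in ids or host_matches(host, ids["hosts"])


def allowed_rows(user, groups, host, action, label):
    """Row limit (int or 'any') for the request, or 0 when it is denied.
    Assumption: the first rule whose identities match decides."""
    for rule in POLICY["rules"]:
        if not identities_match(rule, user, groups, host):
            continue
        for entry in rule.get(action, []):
            if entry["data"] == "any" or label in entry["data"]:
                return entry["rows"]
        return 0  # matching rule says nothing about this action/label
    return 0
```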

To learn more, see the sample policy use cases.