Advanced repo settings
To set advanced communications, logging, analysis, and alerting options for a repository, go to Data Repos, then find and click on the name of your repository, and click the Advanced tab.
Authentication
Identity Provider
Specifies how users will authenticate with this repository.
- None (default): Use the repository's native authentication
- {IDENTITY_PROVIDER}: Select an identity provider you've integrated in Cyral to enable SSO authentication for your repository
  - Allow native authentication: Enable authentication using both native credentials and SSO credentials. When this is enabled, users authenticating through SSO are required to include an :idp prefix as described here
Client TLS
Specifies whether the sidecar will require TLS communication with clients.
- Disable: Do not require clients to use TLS
- Enable: Require clients to use TLS
- Enable and verify certificate: Require clients to use TLS and present a valid certificate
Repository TLS
Specifies whether the sidecar will communicate with the repository using TLS.
- Disable: Do not use TLS with repo
- Enable: Use TLS with repo
- Enable and verify certificate: Use TLS with repo and verify the repo's certificate
Logs
Redact literal values
When checked, data that might reveal the contents of your database is not included in the logs. For example, a log entry for a statement with a WHERE clause will not include the literal values the user provided in the WHERE clause. Each such value will be replaced with the string ${cyral-redact}.
Tip: You can also choose to redact only values from those fields you've set up for tracking in your data map. We call this partial redaction. To set it up, see Redacting the contents of a specific column or table from the Cyral logs.
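To show what the Redact literal values setting does to a logged statement, here is an added example (not Cyral's code and not its log format) that replaces string and numeric literals with the placeholder named above. The function name redact_literals and the sample statements are constructed for illustration, and the regex scanner is a simplification of real SQL parsing.

```python
import re

REDACT = "${cyral-redact}"  # placeholder string named on this page

# Alternatives are tried in order at each position. Comments and quoted
# identifiers come first so their contents are never treated as literals.
_TOKEN = re.compile(
    "|".join([
        r"(?P<comment>--[^\n]*|/\*.*?\*/)",   # SQL comments: kept
        r'(?P<ident>"(?:[^"]|"")*")',         # "quoted identifier": kept
        r"(?P<string>'(?:[^']|'')*')",        # 'string', '' escapes a quote
        # Numeric literal; the lookbehind skips digits that belong to an
        # identifier (col1) or a bind parameter ($1).
        r"(?P<number>(?<![\w.$])\d+(?:\.\d+)?(?:[eE][+-]?\d+)?(?![\w.]))",
    ]),
    re.DOTALL,
)


def redact_literals(sql: str) -> str:
    """Return sql with string and numeric literals replaced by REDACT."""
    def _sub(m: re.Match) -> str:
        if m.group("string") is not None or m.group("number") is not None:
            return REDACT
        return m.group(0)  # comments and identifiers pass through unchanged
    return _TOKEN.sub(_sub, sql)


# Constructed sample statements (not taken from any real log).
SAMPLES = [
    "SELECT name FROM patients WHERE ssn = '123-45-6789' AND age > 42",
    "SELECT \"col 1\", t1.c2 FROM t1 WHERE name = 'O''Brien' -- filter 7\n",
    "UPDATE t SET v = $1 WHERE id = 3.5e2",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        print(redact_literals(stmt).rstrip())
```

The statement shape (tables, columns, operators) stays visible in the redacted output, which is what keeps such a log useful for review while the user-supplied values are withheld.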
Enhance database logs
When checked, Cyral inserts the user's session data as a comment in each query so that it appears in your native database logs.
This feature provides a database-native supplement to the more complete Cyral query logs you've configured in the Log Settings panel for the repository. With this feature active, the user's identifying information will appear as comments in each query. For the person who ran the query, this shows:
- username (usually the SSO username)
- email address
- group membership
- repository username (local or native account on the repository)
- repository role (user’s native role on the repository)
These values will also appear in the identity block of your Cyral query logs, if this repository is set to log Data activity.
Optionally, you can add the contents of the repo, client, and/or sidecar logging blocks as query comments as well. To set this up, use the Cyral API. See Logging additional data as comments on a query.
Alerts
Alert on policy violations
When an action violates a Cyral policy, an alert is sent via your configured messaging platform. This requires a Cyral policy. If you have no policies, use preconfigured alerts instead.
Enable preconfigured alerts
Preconfigured alerts don't rely on Cyral policies. Instead, they're triggered by common DDL and other significant actions on your data repository, such as: creating, modifying, or deleting an object; creating a user account or role; modifying a user account, authentication mechanism, object, or role; granting or revoking user or role privileges; modifying database-native audit and logging settings or configuration; running a privileged command; or running a full table scan.
Analysis
Perform filter analysis
When a database query performs a filter on the requested data, usually using a WHERE clause, Cyral captures the filter being applied and emits this information in the query log, where it can be consumed by the Cyral policy evaluator, dashboards, and your team.
Enforcement
Block on violations
For a given session, Cyral blocks any attempted action that would violate your policy. After an action is blocked, the user’s session continues normally.
Rewrite queries on violations
Rewrite queries upon policy violations based on the rewrite rules specified in the applicable Cyral policies.
Tags
You can add one or more tags to a repository to make it easier to find in the Cyral control plane UI and the Cyral Access Portal.
- Click Data Repos ➡️ click your repo's name
- Click the ✏️ (pencil) icon in the upper right.
- In the Add Tags field, type the tag. Press <Enter> or the spacebar to complete the entry of each tag, and add more tags as needed.
  - To make the tag visible in the Cyral Access Portal, make sure the tag's name starts with public: followed directly by the tag name, without spaces. For example, to show the tag ny-study-3 in the Access Portal, you would type the tag as public:ny-study-3.
  - To remove a tag, click its x symbol.
- Click Save.
See also
To check and specify sidecar services for your repository, see Manage sidecar services for repositories.