Version: v2.x

Policy guide

With Cyral, you create policies that limit how your organization's data can be acted on by people and applications. With a policy in place, you can use it to block access (preventing users from violating your policy) and/or generate a log entry when a user violates the policy.

Your Cyral policies consist of:

  • a Data Map that specifies data fields to be protected
  • one or more policies that contain the rules specifying how that data can be accessed.

The Data Maps and policies are expressed in YAML, as shown in the samples below.

Sample Data Maps:

Data map for the claims repo:

CCN:
  attributes:
    - finance.customers.ccn
EMAIL:
  attributes:
    - finance.customers.email
SSN:
  attributes:
    - finance.customers.ssn

Data map for the loans repo:

CCN:
  attributes:
    - applications.customers.credit_card_number
EMAIL:
  attributes:
    - applications.customers.email
SSN:
  attributes:
    - applications.customers.social_security_number

Sample policy:

data:
  - EMAIL
  - CCN
  - SSN
rules:
  - identities:
      groups: [analyst]
    reads:
      - data: any
        rows: 10
    updates:
      - data: [EMAIL, CCN]
        rows: 1
        severity: medium
    deletes:
      - data: any
        rows: 1
        severity: medium
  - identities:
      users: [bob]
      hosts: [192.0.2.22, 203.0.113.16/28]
    reads:
      - data: any
        rows: any
    updates:
      - data: [EMAIL, CCN]
        rows: any
    deletes:
      - data: any
        rows: any
  - reads:
      - data: [EMAIL]
        rows: 1
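
A policy only protects a column if the label chain is intact: the rule names a label, the policy's data list declares it, and the Data Map of the repo binds it to a real field. A typo anywhere in that chain leaves a field unprotected without any error. The script below, an added example that is not part of Cyral's documentation or product, cross-checks the two sample Data Maps and the sample policy above for exactly that, and additionally verifies that every hosts entry parses as an IP address or CIDR block. The documents are embedded as the Python dictionaries a YAML loader such as yaml.safe_load would return, so the script has no dependencies; the BROKEN_POLICY document and the label PHONE are constructed for the demonstration. Which fields Cyral itself validates at upload time is not stated on this page.

```python
"""Cross-check a Cyral-style policy against its Data Maps (added example)."""
import ipaddress
from typing import Dict, List

# The page's two sample Data Maps, one per repo, as yaml.safe_load would return them.
DATA_MAPS = {
    "claims": {
        "CCN": {"attributes": ["finance.customers.ccn"]},
        "EMAIL": {"attributes": ["finance.customers.email"]},
        "SSN": {"attributes": ["finance.customers.ssn"]},
    },
    "loans": {
        "CCN": {"attributes": ["applications.customers.credit_card_number"]},
        "EMAIL": {"attributes": ["applications.customers.email"]},
        "SSN": {"attributes": ["applications.customers.social_security_number"]},
    },
}

# The page's sample policy.
POLICY = {
    "data": ["EMAIL", "CCN", "SSN"],
    "rules": [
        {"identities": {"groups": ["analyst"]},
         "reads": [{"data": "any", "rows": 10}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": 1, "severity": "medium"}],
         "deletes": [{"data": "any", "rows": 1, "severity": "medium"}]},
        {"identities": {"users": ["bob"], "hosts": ["192.0.2.22", "203.0.113.16/28"]},
         "reads": [{"data": "any", "rows": "any"}],
         "updates": [{"data": ["EMAIL", "CCN"], "rows": "any"}],
         "deletes": [{"data": "any", "rows": "any"}]},
        {"reads": [{"data": ["EMAIL"], "rows": 1}]},
    ],
}

# Constructed for the demo: an undeclared label, an unmapped label, a bad CIDR.
BROKEN_POLICY = {
    "data": ["EMAIL", "PHONE"],
    "rules": [
        {"identities": {"users": ["bob"], "hosts": ["10.0.0.0/33"]},
         "reads": [{"data": ["CCN"], "rows": "any"}]},
    ],
}

ACTIONS = ("reads", "updates", "deletes")


def lint_policy(policy: dict, data_map: dict) -> List[str]:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    declared = list(policy.get("data", []))

    # 1. Every label the policy protects must exist in this repo's Data Map.
    for label in declared:
        if label not in data_map:
            problems.append(f"policy lists {label!r} but the Data Map defines no such label")

    for i, rule in enumerate(policy.get("rules", [])):
        # 2. Every hosts entry must be a valid address or CIDR block; a malformed
        #    entry would never match a client and the rule would silently not apply.
        for host in rule.get("identities", {}).get("hosts", []):
            try:
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                problems.append(f"rule {i}: host {host!r} is not a valid address or CIDR block")
        # 3. Every label a clause names explicitly must be in the policy's data list.
        for action in ACTIONS:
            for clause in rule.get(action, []):
                if clause.get("data") == "any":  # 'any' is a keyword, not a label
                    continue
                for label in clause.get("data", []):
                    if label not in declared:
                        problems.append(f"rule {i} {action}: {label!r} is not in the policy's data list")
    return problems


def resolve_labels(policy: dict, data_map: dict) -> Dict[str, List[str]]:
    """Map each protected label to the concrete fields it covers in one repo."""
    return {label: list(data_map[label]["attributes"])
            for label in policy.get("data", []) if label in data_map}


if __name__ == "__main__":
    for repo, data_map in DATA_MAPS.items():
        print(f"[{repo}] problems: {lint_policy(POLICY, data_map) or 'none'}")
        for label, fields in resolve_labels(POLICY, data_map).items():
            print(f"  {label} -> {', '.join(fields)}")
    print("[broken] problems:")
    for problem in lint_policy(BROKEN_POLICY, DATA_MAPS["claims"]):
        print("  -", problem)
```

Run against the page's own documents the linter reports nothing for either repo, and the resolution step makes the effect of the per-repo Data Maps visible: the same CCN label covers finance.customers.ccn in claims and applications.customers.credit_card_number in loans. Against the constructed BROKEN_POLICY it reports three problems, which is the point of running such a check before a policy is deployed rather than discovering later that a label never matched.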

Next, we explain the Data Map and policies structures and their fields, and we finish with a full interpretation of the sample policy.