With Cyral, you create policies that limit how your organization's data can be acted on by people and applications. Your policies enforce user-aware rules that can:
- block access to a table or data location
- limit how many records are returned
- limit the speed at which records are returned
- filter or rewrite query results, and/or
- mask the contents of data fields.
When a user attempts to operate on data that you've labeled as sensitive, Cyral finds the policy rules that apply to the user, evaluates them, and applies the policy enforcement actions prescribed by the rules.
Every user query generates a log entry showing which policy rules were triggered.
Which users and which data does a policy cover?
A Cyral policy applies to the users specified in your policy rules, and it applies to the data locations specified in your repository's Data Map and referenced in a policy rule.
Upon login, Cyral authenticates the user's SSO identity or their identity as a direct user of the repository. When a user attempts to operate on data, Cyral checks the policy to find the rule that applies to that authenticated user, either based on their username or the name of the SSO user group they belong to. If no rule is found for the user, then the default rule, if any, will apply.
To protect data with Cyral, you'll use data labels, tags, or a combination of both to identify the data locations you want to protect. We refer to this as identifying sensitive data. To identify a data location as sensitive, you'll add a data label or tag to it in a Data Map.
For example, the column
credit_card in table
orders in schema
customers (specified as
customers.orders.credit_card) might get a data label
CCN and multiple tags such as