Version: v4.1


With Cyral, you create policies that limit how your organization's data can be acted on by people and applications. Your policies enforce user-aware rules that can:

When a user attempts to operate on data that you've labeled as sensitive, Cyral finds the policy rules that apply to the user, evaluates them, and applies the policy enforcement actions prescribed by the rules.

Every user query generates a log entry showing which policy rules were triggered.

Which users and which data does a policy cover?

A Cyral policy applies to the users specified in your policy rules, and it applies to the data locations specified in your repository's Data Map and referenced in a policy rule.

Which users?

Upon login, Cyral authenticates the user's SSO identity or their identity as a direct user of the repository. When a user attempts to operate on data, Cyral checks the policy to find the rule that applies to that authenticated user, either based on their username or the name of the SSO user group they belong to. If no rule is found for the user, then the default rule, if any, will apply.

Which data?

To protect data with Cyral, you'll use data labels, tags, or a combination of both to identify the data locations you want to protect. We refer to this as identifying sensitive data. To identify a data location as sensitive, you'll add a data label or tag to it in a Data Map.

For example, the column credit_card in table orders in schema customers (specified as customers.orders.credit_card) might get the data label CCN and multiple tags, such as PCI and PII.
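
The lookup described under "Which users?" and "Which data?" can be modelled as follows. This is an added illustration, not Cyral's code or policy format: the `Policy` class, the rule names, the second Data Map entry, and the choice to check a username rule before a group rule are all assumptions made for the sketch.

```python
# Hypothetical model of the lookup described above; not Cyral's policy format or API.
from dataclasses import dataclass, field
from typing import Optional

# Data Map: data location -> label and tags (constructed sample; first entry is the text's example).
DATA_MAP = {
    "customers.orders.credit_card": {"label": "CCN", "tags": {"PCI", "PII"}},
    "customers.orders.email": {"label": "EMAIL", "tags": {"PII"}},
}

@dataclass
class Policy:
    covers: set                                      # labels/tags the policy rules reference
    user_rules: dict = field(default_factory=dict)   # username -> rule name
    group_rules: dict = field(default_factory=dict)  # SSO group name -> rule name
    default_rule: Optional[str] = None               # used when no user/group rule matches

# Constructed sample policy that references only the PCI tag.
POLICY = Policy(covers={"PCI"},
                user_rules={"alice": "alice-rule"},
                group_rules={"analysts": "analysts-rule"},
                default_rule="default-rule")

def sensitive_names(location):
    """Label and tags the Data Map assigns to a location (empty set if unlabeled)."""
    entry = DATA_MAP.get(location)
    return set() if entry is None else {entry["label"]} | entry["tags"]

def find_rule(policy, username, groups):
    """Assumed order: username rule, then SSO group rule, then the default rule, if any."""
    if username in policy.user_rules:
        return policy.user_rules[username], "user"
    for group in groups:
        if group in policy.group_rules:
            return policy.group_rules[group], "group"
    if policy.default_rule is not None:
        return policy.default_rule, "default"
    return None, None  # the page does not say what happens without a default rule

def evaluate(policy, username, groups, location):
    """Return a log-style record naming the rule triggered for this access."""
    matched = sensitive_names(location) & policy.covers
    record = {"user": username, "location": location,
              "data": sorted(matched), "rule": None, "matched_by": None}
    if matched:  # the policy applies only to locations it references via label or tag
        record["rule"], record["matched_by"] = find_rule(policy, username, groups)
    return record
```

Running `evaluate` over the same location for several users shows why a labeled column that no rule references is not covered, even when a default rule exists.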