Skip to main content
Version: v4.11

Policy framework

With Cyral, you create policies that limit how your organization's data can be acted on by people and applications. Your policies enforce user-aware rules that can:

When a user attempts to operate on data that you've labeled as sensitive, Cyral finds the policy rules that apply to the user, evaluates them, and applies the policy enforcement actions prescribed by the rules.

Every user query generates a log entry showing which policies were violated.

There are three ways to create policies:

  • Enable Cyral repo-level policies for common use cases from the Policies tab in the Repository Details page.
  • Create Cyral global policies as explained in Global policies.
  • Create custom Rego policies (advanced).

Which users and which data does a policy cover?

A Cyral policy applies to the users specified in the policy (specified for a repo-level policy in the Policy tab of the repository or for a global policy in a policy rule), and each policy applies to the data locations specified in your repository's Data Map and referenced in the policy.

Which users?

Upon login, Cyral authenticates the user's SSO identity or their identity as a direct user of the repository. When a user attempts to operate on data, Cyral checks the policy to find the rule that applies to that authenticated user, either based on their username or the name of the SSO user group they belong to. If no rule is found for the user, then the default rule, if any, will apply.

Which data?

To protect data with Cyral, you'll use data labels, tags, or a combination of both to identify the data locations you want to protect. We refer to this as identifying sensitive data. To identify a data location as sensitive, you'll add a data label or tag to it in a Data Map.

For example, the column credit_card in table orders in schema customers (specified as customers.orders.credit_card) might get a data label CCN and multiple tags such as PCI, PII.