How Cyral authorizes a user to connect to a repository

When a user attempts to connect to a repository using a specific database account, after successful password (token) validation, Cyral follows the sequence below to determine whether to allow the user to connect. If the connection is not successfully authorized, it will be terminated.

1. If there is an active, granted approval for the user for the repository and database account, the connection is authorized on the basis of this approval.

2. Otherwise, the access rules for the account are considered in order until a rule matches (that is, this process stops when the first matching rule is found). To match, a rule must meet these conditions:

   • the rule must be currently active (based on its valid-from and valid-until range); and

   • the rule's identity value (username, email, or group) must match the user's SSO identity. (The user will have already authenticated through SSO.)

   If a matching rule is found, Cyral enforces its access conditions, if any. The access conditions can include:

   • a requirement for an active PagerDuty shift and/or

   • a requirement that the user completes a multifactor (MFA) authentication.

   The user's connection request is granted if all the conditions pass, or if there are no access conditions attached to the rule.

3. The connection attempt is rejected if no matching access rule is found.

After Cyral authorizes any connection using the sequence listed above, it applies your Cyral policy (if any) to determine which fields and data the user can see and use in the repository.