Version: v4.5

Policy evaluation

How does Cyral evaluate a policy?

When a data user submits a query, Cyral evaluates your policies to determine what data they can see, and what they can do with data at the requested location.

Policy evaluation begins by collecting all rules (across policies) that will be applicable. This depends on the identity of the user and the sensitive data accessed in the query. Note that multiple rules may apply for the same data location because rules may refer to that location by its data labels or by any of its tags. Further, because a query may access multiple sensitive data locations, multiple rules may apply.

When this happens, each applicable rule may result in a different outcome. That is, each rule may impose different policy enforcement actions on the query execution. For example, two rules might match for a query, each applying its own, unique row limit. Cyral resolves these rule conflicts by following the principle of least privilege, as follows:

  • The final row limit for the query is the smallest row limit required by any of the applied rules.

  • The final rate limit for any data label is the minimum rate limit required by any of the applied rules for the data label or any of its associated tags.

  • If the same attribute is required to be masked in different ways, the least information-revealing method will be chosen. The order of precedence (highest to lowest) is: null mask, constant mask, random (format-preserving) mask. Note that if two rules both suggest a constant mask but with different constant values, one of them will be arbitrarily chosen.

  • If the same dataset is required to be differently rewritten by different rules, an arbitrary substitution will be chosen from among these.
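The following Python model, added here as an illustration and not Cyral's own code, applies the first three resolution rules above to a set of rule outcomes: the smallest row limit wins, the smallest rate limit per label wins (whether the rule targeted the label or one of its tags), and the least-revealing mask wins. The label-to-tag mapping and the rule structure are constructed assumptions for the example.

```python
"""Model of Cyral's least-privilege conflict resolution (illustrative, not Cyral code)."""
from dataclasses import dataclass
from typing import Optional

# Mask precedence from the doc: null > constant > random (format-preserving).
MASK_PRECEDENCE = {"null": 0, "constant": 1, "random": 2}

# Constructed label-to-tag mapping; a rule may target a label or any of its tags.
LABEL_TAGS = {"EMAIL": {"PII", "CONTACT"}, "SSN": {"PII"}, "SKU": {"INVENTORY"}}


@dataclass
class Rule:
    target: str                        # a data label or a tag (assumed shape)
    row_limit: Optional[int] = None
    rate_limit: Optional[int] = None   # e.g. rows per hour
    mask: Optional[tuple] = None       # ("null",) | ("constant", value) | ("random",)


def applies_to(rule, label):
    """A rule applies to a label if it names the label or any of its tags."""
    return rule.target == label or rule.target in LABEL_TAGS.get(label, set())


def resolve(rules, labels):
    """Merge the outcomes of every applicable rule for the labels a query touches."""
    row_limit = None          # one row limit for the whole query
    rate_limits, masks = {}, {}   # per data label
    for label in labels:
        for rule in rules:
            if not applies_to(rule, label):
                continue
            if rule.row_limit is not None:
                row_limit = rule.row_limit if row_limit is None else min(row_limit, rule.row_limit)
            if rule.rate_limit is not None:
                cur = rate_limits.get(label)
                rate_limits[label] = rule.rate_limit if cur is None else min(cur, rule.rate_limit)
            if rule.mask is not None:
                cur = masks.get(label)
                # A strictly less-revealing mask replaces the current one; on equal
                # precedence (e.g. two constant masks) the first seen is kept, which
                # models the "arbitrarily chosen" case in the doc.
                if cur is None or MASK_PRECEDENCE[rule.mask[0]] < MASK_PRECEDENCE[cur[0]]:
                    masks[label] = rule.mask
    return {"row_limit": row_limit, "rate_limits": rate_limits, "masks": masks}
```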

For a guided tour showing how Cyral evaluates a policy at query time, see Interpreting the sample policy.