Skip to main content
Version: v4.9

Approvals and managing user access requests

Cyral's just-in-time approvals allow data users to request access to a repository, get an approval from an administrator, and connect to the repository for the approved amount of time.

Administrators (we call them "approvers" in this context) manage and view approval requests in the Approvals tab of each repository.

Approvals override access rules

Approvals in Cyral are a just-in-time alternative to access rules, which are your standing rules that determine which SSO users will use which database accounts.

As such, a granted approval (when the user is granted access after submitting a request via the Cyral app in Slack or via the Cyral access portal) always overrides the repository's applicable access rules.

For details, see How Cyral authorizes a user to connect to a repository.

Revoked and expired approvals

Once a user's approval expires or is revoked, the repository's applicable access rule (if any) will once again determine the user's access. Based on the evaluation, the user's connection may be terminated (because it has become unauthorized) or may continue based on an access rule that applies. Cyral also re-evaluates the policy that governs the user's access, so if the newly matched access rule uses a group name, then that group name will be used for policy evaluation.

FAQ

  • Who can request access?

    Approval-based access is available for SSO-authenticated users.

  • Does every request have to be reviewed by an admin?

    No. You have the option to designate that requests for certain resources and from certain people or groups will be approved automatically, without the need for an approver.

  • How does this work if the user already has a Cyral access rule for the repo?

    Approvals are an alternative to access rules. They allow your administrators -- acting as approvers -- to make access decisions on the fly, rather than having to map SSO users before they connect.

    If a user requests access and is approved, the approval takes precedence over any existing access rules. Once the approval expires, the user's existing access rules work as usual.

  • Do I need to install other apps to let my users submit requests?

    No. While approval-based access works best with request-and-approval apps like the Cyral chatops in Slack, you can also use this feature entirely through the Cyral user interfaces. Just use have your data users submit requests in the Cyral Access Portal, and have your approvers use the Approvals tab in the Cyral control plane UI.

  • Can I build my own app to let my users submit requests?

    Yes! Check out the Requests and approvals application developer guide

Approve or reject a request

  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Approvals tab.

  2. If there are requests waiting for approval, they will appear as the first section of this tab, Pending Approval Requests.

    To quickly find the request you want, use the Search field to provide a search term to narrow the set of reqests displayed.

  3. Click the View link of the request you wish to review.

  4. Review the request including the requested Access starts on and Access ends on times, and click Grant to approve it, or Reject to deny it.

  5. In the pop-up window, you can optionally type a comment stating the Reasoning for your decision. Click Grant or Reject again to complete the action. If your organization has set up a requests-and-approvals app such as the Cyral app for Slack, then the requesting user will be notified.

Revoke an approved request

  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Approvals tab. The list of recently granted approvals appears in the Granted Approvals section.

    If needed, filter the list of granted approvals by typing a search term and clicking the Filter button.

  2. Click on the approval you wish to revoke.

  3. The approval and its history appear. Click the Revoke button in the upper right.

  4. In the pop-up window, you can optionally type a comment stating the Reasoning for your decision. Click Revoke again to complete the action. If your organization has set up a requests-and-approvals app such as the Cyral app for Slack, then the requesting user will be notified.

    The user's current session, if any, will be interrupted. They will not be able to log in again using the approval you revoked. If they have an existing access rule that grants access, that access rule will remain in effect, granting them access.

View all requests and approvals

  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Approvals tab. The list of recently granted approvals appears in the Granted Approvals section.

  2. Filter the list of granted approvals by typing a search term and clicking the Filter button.