Adjust writing and style
wcmjunior committed Jan 18, 2024
1 parent dca4e58 commit e65258f
Showing 2 changed files with 84 additions and 86 deletions.
127 changes: 63 additions & 64 deletions docs/guides/repo_level_policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,44 +13,40 @@ We recommend further reading for more details:
resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
and how to use the pre-built repo-level policies in Terraform.

## Dataset Protection policy

-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.
## Data Firewall policy

Add a Dataset Protection policy to restrict access to
specific tables or schemas in the data repositories:
Limit which rows users can read from a table:

```terraform
# Creates pg data repository
# Creates MySQL data repository
resource "cyral_repository" "repo" {
type = "postgresql"
name = "my_pg"
type = "mysql"
name = "my_mysql"
repo_node {
host = "pg.cyral.com"
port = 5432
host = "mysql.cyral.com"
port = 3306
}
}
# create policy instance from template
resource "cyral_rego_policy_instance" "policy" {
name = "dataset-protection"
name = "data-firewall-policy"
category = "SECURITY"
description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'."
template_id = "dataset-protection"
parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
template_id = "data-firewall"
parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
enabled = true
scope {
repo_ids = [cyral_repository.repo.id]
}
tags = ["tag1", "tag2"]
}
```

## Data Masking policy

Implement a repo-level policy to mask fields for specific users:
Mask fields for specific users:

```terraform
# Creates MySQL data repository
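Review bot: the new `parameters` line in the Data Firewall block is a hand-escaped JSON string, which is fragile to edit and already carries stray padding inside the `dataFilter` value (`\" finance.cards.country = 'US' \"`). Since this Markdown is generated from `examples/guides/repo_level_policy_data_firewall.tf` through the template in the second file, the fix belongs in that example: build the value with `jsonencode({ dataSet = "finance.cards", dataFilter = "finance.cards.country = 'US'", ... })` so Terraform validates the structure and the rendered guide shows readable HCL. The description correctly states the one behaviour a reader must not miss here, namely that `excludedIdentities.groups = ["Admin"]` means members of that group read the table unfiltered.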
Expand Down Expand Up @@ -81,7 +77,7 @@ resource "cyral_rego_policy_instance" "policy" {

## Data Protection policy

Add a repo-level policy to guard against unauthorized updates:
Protect against unauthorized updates:

```terraform
# Creates MySQL data repository
Expand Down Expand Up @@ -110,71 +106,43 @@ resource "cyral_rego_policy_instance" "policy" {
}
```

## Data Firewall policy

Set up a repo-level policy to limit which rows users can read from a table:

```terraform
# Creates MySQL data repository
resource "cyral_repository" "repo" {
type = "mysql"
name = "my_mysql"
repo_node {
host = "mysql.cyral.com"
port = 3306
}
}
# create policy instance from template
resource "cyral_rego_policy_instance" "policy" {
name = "data-firewall-policy"
category = "SECURITY"
description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
template_id = "data-firewall"
parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
enabled = true
scope {
repo_ids = [cyral_repository.repo.id]
}
tags = ["tag1", "tag2"]
}
```
## Dataset Protection policy

## User Segmentation policy
-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.

Implement a repo-level policy to limit which rows a set of users can read from your database:
Restrict access to specific tables or schemas in the data repositories:

```terraform
# Creates MySQL data repository
# Creates pg data repository
resource "cyral_repository" "repo" {
type = "mysql"
name = "my_mysql"
type = "postgresql"
name = "my_pg"
repo_node {
host = "mysql.cyral.com"
port = 3306
host = "pg.cyral.com"
port = 5432
}
}
# create policy instance from template
resource "cyral_rego_policy_instance" "policy" {
name = "user-segmentation-policy"
name = "dataset-protection"
category = "SECURITY"
description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
template_id = "user-segmentation"
parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'."
template_id = "dataset-protection"
parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
enabled = true
scope {
repo_ids = [cyral_repository.repo.id]
}
tags = ["tag1", "tag2"]
}
```

## Rate Limit policy

Add a repo-level policy to implement a threshold on sensitive data reads over time:
Set up a threshold on sensitive data reads over time:

```terraform
# Creates pg data repository
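Review bot: the relocated Dataset Protection block is internally consistent (the description says reads and updates are blocked and `parameters` sets `block: true` with both `monitorReads` and `monitorUpdates` true, and the `disallowed` list names `finance.*` and `cyral.customers`), but the comments are inconsistent with the rest of the guide: `# Creates pg data repository` sits alongside `# Creates MySQL data repository` in the other examples, and `# create policy instance from template` is the only lowercase comment. Suggest `# Creates PostgreSQL data repository` and `# Creates policy instance from template` in the source example so the regenerated doc is uniform. The `-> **Note**` callout about control planes `v4.13` and later moves with the section, which is correct; it should stay directly under the heading as it does here.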
Expand Down Expand Up @@ -205,7 +173,7 @@ resource "cyral_rego_policy_instance" "policy" {

## Read Limit policy

Implement a repo-level policy to prevent certain records from being read beyond a specified limit:
Prevent certain records from being read beyond a specified limit:

```terraform
# Creates pg data repository
Expand Down Expand Up @@ -235,7 +203,7 @@ resource "cyral_rego_policy_instance" "policy" {

## Repository Protection policy

Set up a repo-level policy to alert when more than a specified number of records are updated or deleted:
Alert when more than a specified number of records are updated or deleted:

```terraform
# Creates MySQL data repository
Expand Down Expand Up @@ -265,7 +233,7 @@ resource "cyral_rego_policy_instance" "policy" {

## Service Account Abuse policy

Implement a repo-level policy to ensure service accounts can only be used by intended applications:
Ensure service accounts can only be used by intended applications:

```terraform
# Creates pg data repository
Expand All @@ -292,3 +260,34 @@ resource "cyral_rego_policy_instance" "policy" {
}
}
```

## User Segmentation policy

Limit which rows a set of users can read from your database:

```terraform
# Creates MySQL data repository
resource "cyral_repository" "repo" {
type = "mysql"
name = "my_mysql"
repo_node {
host = "mysql.cyral.com"
port = 3306
}
}
# create policy instance from template
resource "cyral_rego_policy_instance" "policy" {
name = "user-segmentation-policy"
category = "SECURITY"
description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
template_id = "user-segmentation"
parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
enabled = true
scope {
repo_ids = [cyral_repository.repo.id]
}
tags = ["tag1", "tag2"]
}
```
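Review bot: with User Segmentation now the final section, its example is identical to the Data Firewall one except that `includedIdentities` replaces `excludedIdentities` (same `dataSet`, same `dataFilter`, same `labels`). A single sentence in the lead-in contrasting the two (this filter applies only to the `Marketing` group, the Data Firewall one applies to everyone except `Admin`) would help a reader choose the right template; as written, the shortened lead-in "Limit which rows a set of users can read" no longer carries that distinction on its own.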
43 changes: 21 additions & 22 deletions templates/guides/repo_level_policy.md.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -13,61 +13,60 @@ docs for a complete documentation about the Cyral policy framework.
resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
and how to use the pre-built repo-level policies in Terraform.

## Dataset Protection policy

-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.
## Data Firewall policy

Add a Dataset Protection policy to restrict access to
specific tables or schemas in the data repositories:
Limit which rows users can read from a table:

{{ tffile "examples/guides/repo_level_policy_dataset_protection.tf" }}
{{ tffile "examples/guides/repo_level_policy_data_firewall.tf" }}

## Data Masking policy

Implement a repo-level policy to mask fields for specific users:
Mask fields for specific users:

{{ tffile "examples/guides/repo_level_policy_data_masking.tf" }}

## Data Protection policy

Add a repo-level policy to guard against unauthorized updates:
Protect against unauthorized updates:

{{ tffile "examples/guides/repo_level_policy_data_protection.tf" }}

## Data Firewall policy

Set up a repo-level policy to limit which rows users can read from a table:

{{ tffile "examples/guides/repo_level_policy_data_firewall.tf" }}
## Dataset Protection policy

## User Segmentation policy
-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.

Implement a repo-level policy to limit which rows a set of users can read from your database:
Restrict access to specific tables or schemas in the data repositories:

{{ tffile "examples/guides/repo_level_policy_user_segmentation.tf" }}
{{ tffile "examples/guides/repo_level_policy_dataset_protection.tf" }}

## Rate Limit policy

Add a repo-level policy to implement a threshold on sensitive data reads over time:
Set up a threshold on sensitive data reads over time:

{{ tffile "examples/guides/repo_level_policy_rate_limit.tf" }}

## Read Limit policy

Implement a repo-level policy to prevent certain records from being read beyond a specified limit:
Prevent certain records from being read beyond a specified limit:

{{ tffile "examples/guides/repo_level_policy_read_limit.tf" }}

## Repository Protection policy

Set up a repo-level policy to alert when more than a specified number of records are updated or deleted:
Alert when more than a specified number of records are updated or deleted:

{{ tffile "examples/guides/repo_level_policy_repository_protection.tf" }}

## Service Account Abuse policy

Implement a repo-level policy to ensure service accounts can only be used by intended applications:
Ensure service accounts can only be used by intended applications:

{{ tffile "examples/guides/repo_level_policy_service_account_abuse.tf" }}

## User Segmentation policy

Limit which rows a set of users can read from your database:

{{ tffile "examples/guides/repo_level_policy_user_segmentation.tf" }}
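Review bot: the template reorders the sections alphabetically and the generated `docs/guides/repo_level_policy.md` in this commit matches it hunk for hunk, so the two files stay in sync; please keep it that way by regenerating the doc from the template rather than editing both by hand. The commit message "Adjust writing and style" does not mention the reordering, so consider stating it; the heading text is unchanged, so existing deep links to section anchors still resolve. The `tffile` paths themselves are unchanged, only moved, so no example file needs to be renamed.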
