diff --git a/docker-compose.yaml b/docker-compose.yaml
index 019f5ebc..fbdeed5c 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,7 +2,7 @@ version: "3"
services:
app:
- image: golang:1.19
+ image: golang:1.21
container_name: terraform_provider_cyral
volumes:
- .:/go/src/terraform-provider-cyral
diff --git a/docs/guides/repo_level_policy.md b/docs/guides/repo_level_policy.md
new file mode 100644
index 00000000..373e3602
--- /dev/null
+++ b/docs/guides/repo_level_policy.md
@@ -0,0 +1,293 @@
+---
+page_title: "Setup repo-level policy"
+---
+
+Cyral offers several pre-built [repo-level policy types](https://cyral.com/docs/policy/repo-level/).
+In this guide, we provide different examples on how to use them.
+
+Recommended further reading:
+
+- Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
+ docs for a complete documentation about the Cyral policy framework.
+- Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance)
+ resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
+ and how to use the pre-built repo-level policies in Terraform.
+
+## Data Firewall policy
+
+Limit which rows users can read from a table:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-firewall-policy"
+ category = "SECURITY"
+ description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
+ template_id = "data-firewall"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
+
+## Data Masking policy
+
+Mask fields for specific users:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-masking-policy"
+ category = "SECURITY"
+ description = "Masks label CCN for identities in Marketing group"
+ template_id = "data-masking"
+ parameters = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
+
+## Data Protection policy
+
+Protect against unauthorized updates:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-protection-policy"
+ category = "SECURITY"
+ description = "Protect label CCN for update and delete queries"
+ template_id = "data-protection"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"labels\": [\"CCN\"]}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
+
+## Dataset Protection policy
+
+-> **Note** The Dataset Protection policy template is only enabled by default in control planes
+`v4.13` and later. If you have a previous version, please reach out to our customer success
+team to enable it.
+
+Restrict access to specific tables or schemas in the data repositories:
+
+```terraform
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "dataset-protection"
+ category = "SECURITY"
+ description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'."
+ template_id = "dataset-protection"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
+```
+
+## Rate Limit policy
+
+Set up a threshold on sensitive data reads over time:
+
+```terraform
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "rate-limit-policy"
+ category = "SECURITY"
+ description = "Implement a threshold on label CCN for group Marketing of 500 rows per hour"
+ template_id = "rate-limit"
+ parameters = "{ \"rateLimit\": 500, \"block\": true, \"alertSeverity\": \"high\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
+
+## Read Limit policy
+
+Prevent certain records from being read beyond a specified limit:
+
+```terraform
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "read-limit-policy"
+ category = "SECURITY"
+ description = "Limits to 100 the amount of rows that can be read per query on all repository data for group 'Devs'"
+ template_id = "read-limit"
+ parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"appliesToAllData\": true, \"identities\": { \"included\": { \"groups\": [\"Devs\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
+```
+
+## Repository Protection policy
+
+Alert when more than a specified number of records are updated or deleted:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "repository-protection-policy"
+ category = "SECURITY"
+ description = "Limits to 100 the amount of rows that can be updated or deleted per query on all repository data for anyone except group 'Admin'"
+ template_id = "repository-protection"
+ parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"identities\": { \"excluded\": { \"groups\": [\"Admin\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
+```
+
+## Service Account Abuse policy
+
+Ensure service accounts can only be used by intended applications:
+
+```terraform
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "service account abuse policy"
+ category = "SECURITY"
+ description = "Always require user attribution for service acount 'john'"
+ template_id = "service-account-abuse"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"serviceAccounts\": [\"john\"]}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
+```
+
+## User Segmentation policy
+
+Limit which rows a set of users can read from your database:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "user-segmentation-policy"
+ category = "SECURITY"
+ description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
+ template_id = "user-segmentation"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
diff --git a/docs/resources/rego_policy_instance.md b/docs/resources/rego_policy_instance.md
index 6d14d2e7..2629fab2 100644
--- a/docs/resources/rego_policy_instance.md
+++ b/docs/resources/rego_policy_instance.md
@@ -151,6 +151,22 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+### Dataset Protection (dataset-protection)
+
+- `block` (Boolean) Policy action to enforce.
+- `monitorReads` (Boolean) Monitor read operations.
+- `monitorUpdates` (Boolean) Monitor update operations.
+- `monitorDeletes` (Boolean) Monitor delete operations.
+- `monitorInserts` (Boolean) Monitor insert operations.
+- `monitorAlters` (Boolean) Monitor alters operations.
+- `monitorDrops` (Boolean) Monitor drops operations.
+- `monitorDumps` (Boolean) Monitor dump operations.
+- `tags` (Array) Tags.
+- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
### Objects
@@ -164,6 +180,10 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts. See properties below:
- `included` (Array) Included Database Accounts.
- `excluded` (Array) Excluded Database Accounts.
+
+- `datasets` (Object) Datasets. See properties below:
+ - `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
+ - `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
- `identityList` (Object) Identity List. See properties below:
- `userNames` (Array) Identity Emails.
diff --git a/examples/guides/repo_level_policy_data_firewall.tf b/examples/guides/repo_level_policy_data_firewall.tf
new file mode 100644
index 00000000..480456bb
--- /dev/null
+++ b/examples/guides/repo_level_policy_data_firewall.tf
@@ -0,0 +1,24 @@
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-firewall-policy"
+ category = "SECURITY"
+ description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
+ template_id = "data-firewall"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
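Review bot: The `parameters` value at the line `parameters = "{ \"dataSet\": ...` is hand-escaped JSON inside an HCL string, which is hard to read and easy to break (a stray quote or comma is only caught when the provider parses it at apply time); Terraform's built-in `jsonencode()` builds the same document from a native object and lets `terraform validate` catch structural mistakes. The same pattern is repeated in repo_level_policy_data_masking.tf, repo_level_policy_data_protection.tf, repo_level_policy_dataset_protection.tf, repo_level_policy_rate_limit.tf, repo_level_policy_read_limit.tf, repo_level_policy_repository_protection.tf, repo_level_policy_service_account_abuse.tf and repo_level_policy_user_segmentation.tf. One caveat to confirm before switching: `jsonencode()` emits keys in sorted order with no padding whitespace, so this only stays diff-free if the provider compares the parsed JSON rather than the raw string. If the raw string must be preserved, a comment above the attribute saying the value is a JSON document consumed by the `data-firewall` template would at least tell readers why it is escaped.

```terraform
resource "cyral_rego_policy_instance" "policy" {
  # … unchanged: name, category, description, template_id …
  parameters = jsonencode({
    dataSet            = "finance.cards"
    dataFilter         = " finance.cards.country = 'US' "
    labels             = ["CCN"]
    excludedIdentities = { groups = ["Admin"] }
  })
  # … unchanged: enabled, scope, tags …
}
```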
diff --git a/examples/guides/repo_level_policy_data_masking.tf b/examples/guides/repo_level_policy_data_masking.tf
new file mode 100644
index 00000000..7f77b037
--- /dev/null
+++ b/examples/guides/repo_level_policy_data_masking.tf
@@ -0,0 +1,24 @@
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-masking-policy"
+ category = "SECURITY"
+ description = "Masks label CCN for identities in Marketing group"
+ template_id = "data-masking"
+ parameters = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
diff --git a/examples/guides/repo_level_policy_data_protection.tf b/examples/guides/repo_level_policy_data_protection.tf
new file mode 100644
index 00000000..19e1ed90
--- /dev/null
+++ b/examples/guides/repo_level_policy_data_protection.tf
@@ -0,0 +1,24 @@
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "data-protection-policy"
+ category = "SECURITY"
+ description = "Protect label CCN for update and delete queries"
+ template_id = "data-protection"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"labels\": [\"CCN\"]}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
diff --git a/examples/guides/repo_level_policy_dataset_protection.tf b/examples/guides/repo_level_policy_dataset_protection.tf
new file mode 100644
index 00000000..cf4e0b3b
--- /dev/null
+++ b/examples/guides/repo_level_policy_dataset_protection.tf
@@ -0,0 +1,23 @@
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "dataset-protection"
+ category = "SECURITY"
+ description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'."
+ template_id = "dataset-protection"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
diff --git a/examples/guides/repo_level_policy_rate_limit.tf b/examples/guides/repo_level_policy_rate_limit.tf
new file mode 100644
index 00000000..a4f9b429
--- /dev/null
+++ b/examples/guides/repo_level_policy_rate_limit.tf
@@ -0,0 +1,24 @@
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "rate-limit-policy"
+ category = "SECURITY"
+ description = "Implement a threshold on label CCN for group Marketing of 500 rows per hour"
+ template_id = "rate-limit"
+ parameters = "{ \"rateLimit\": 500, \"block\": true, \"alertSeverity\": \"high\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
diff --git a/examples/guides/repo_level_policy_read_limit.tf b/examples/guides/repo_level_policy_read_limit.tf
new file mode 100644
index 00000000..0d201100
--- /dev/null
+++ b/examples/guides/repo_level_policy_read_limit.tf
@@ -0,0 +1,23 @@
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "read-limit-policy"
+ category = "SECURITY"
+ description = "Limits to 100 the amount of rows that can be read per query on all repository data for group 'Devs'"
+ template_id = "read-limit"
+ parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"appliesToAllData\": true, \"identities\": { \"included\": { \"groups\": [\"Devs\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
diff --git a/examples/guides/repo_level_policy_repository_protection.tf b/examples/guides/repo_level_policy_repository_protection.tf
new file mode 100644
index 00000000..b9a288a1
--- /dev/null
+++ b/examples/guides/repo_level_policy_repository_protection.tf
@@ -0,0 +1,23 @@
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "repository-protection-policy"
+ category = "SECURITY"
+ description = "Limits to 100 the amount of rows that can be updated or deleted per query on all repository data for anyone except group 'Admin'"
+ template_id = "repository-protection"
+ parameters = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"identities\": { \"excluded\": { \"groups\": [\"Admin\"] } }}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
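Review bot: The `repo_node` block declares `type = "mysql"` but `port = 5432`, which is the PostgreSQL port used by the pg examples in this same change; every other MySQL example in the commit uses `port = 3306`, so this one looks like a copy-paste slip and would point the repository at the wrong port if someone applies the example as-is. Change the line to `port = 3306`. Since docs/guides/repo_level_policy.md is generated from this file via the template, the fix will also correct the published guide.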
diff --git a/examples/guides/repo_level_policy_service_account_abuse.tf b/examples/guides/repo_level_policy_service_account_abuse.tf
new file mode 100644
index 00000000..b5b59d7a
--- /dev/null
+++ b/examples/guides/repo_level_policy_service_account_abuse.tf
@@ -0,0 +1,23 @@
+# Creates pg data repository
+resource "cyral_repository" "repo" {
+ type = "postgresql"
+ name = "my_pg"
+
+ repo_node {
+ host = "pg.cyral.com"
+ port = 5432
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "service account abuse policy"
+ category = "SECURITY"
+ description = "Always require user attribution for service acount 'john'"
+ template_id = "service-account-abuse"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"serviceAccounts\": [\"john\"]}"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+}
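Review bot: The `name` attribute is `"service account abuse policy"` with spaces, while every other example in this commit uses a kebab-case name such as `"read-limit-policy"`; it is unclear from the page whether the provider accepts spaces, and the inconsistency makes the example look unintended either way. Suggest `name = "service-account-abuse-policy"`. The description on the next line also has a typo, `acount`; it should read `description = "Always require user attribution for service account 'john'"`. Both lines are copied verbatim into docs/guides/repo_level_policy.md, so they should be fixed here in the source example.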
diff --git a/examples/guides/repo_level_policy_user_segmentation.tf b/examples/guides/repo_level_policy_user_segmentation.tf
new file mode 100644
index 00000000..f43e71da
--- /dev/null
+++ b/examples/guides/repo_level_policy_user_segmentation.tf
@@ -0,0 +1,24 @@
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "user-segmentation-policy"
+ category = "SECURITY"
+ description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
+ template_id = "user-segmentation"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
diff --git a/templates/guides/repo_level_policy.md.tmpl b/templates/guides/repo_level_policy.md.tmpl
new file mode 100644
index 00000000..196966f1
--- /dev/null
+++ b/templates/guides/repo_level_policy.md.tmpl
@@ -0,0 +1,72 @@
+---
+page_title: "Setup repo-level policy"
+---
+
+Cyral offers several pre-built [repo-level policy types](https://cyral.com/docs/policy/repo-level/).
+In this guide, we provide different examples on how to use them.
+
+Recommended further reading:
+
+* Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
+docs for a complete documentation about the Cyral policy framework.
+* Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance)
+resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
+and how to use the pre-built repo-level policies in Terraform.
+
+## Data Firewall policy
+
+Limit which rows users can read from a table:
+
+{{ tffile "examples/guides/repo_level_policy_data_firewall.tf" }}
+
+## Data Masking policy
+
+Mask fields for specific users:
+
+{{ tffile "examples/guides/repo_level_policy_data_masking.tf" }}
+
+## Data Protection policy
+
+Protect against unauthorized updates:
+
+{{ tffile "examples/guides/repo_level_policy_data_protection.tf" }}
+
+## Dataset Protection policy
+
+-> **Note** The Dataset Protection policy template is only enabled by default in control planes
+`v4.13` and later. If you have a previous version, please reach out to our customer success
+team to enable it.
+
+Restrict access to specific tables or schemas in the data repositories:
+
+{{ tffile "examples/guides/repo_level_policy_dataset_protection.tf" }}
+
+## Rate Limit policy
+
+Set up a threshold on sensitive data reads over time:
+
+{{ tffile "examples/guides/repo_level_policy_rate_limit.tf" }}
+
+## Read Limit policy
+
+Prevent certain records from being read beyond a specified limit:
+
+{{ tffile "examples/guides/repo_level_policy_read_limit.tf" }}
+
+## Repository Protection policy
+
+Alert when more than a specified number of records are updated or deleted:
+
+{{ tffile "examples/guides/repo_level_policy_repository_protection.tf" }}
+
+## Service Account Abuse policy
+
+Ensure service accounts can only be used by intended applications:
+
+{{ tffile "examples/guides/repo_level_policy_service_account_abuse.tf" }}
+
+## User Segmentation policy
+
+Limit which rows a set of users can read from your database:
+
+{{ tffile "examples/guides/repo_level_policy_user_segmentation.tf" }}
diff --git a/templates/resources/rego_policy_instance.md.tmpl b/templates/resources/rego_policy_instance.md.tmpl
index b6a6beb2..383aa493 100644
--- a/templates/resources/rego_policy_instance.md.tmpl
+++ b/templates/resources/rego_policy_instance.md.tmpl
@@ -94,6 +94,22 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
- `includedDbAccounts` (Array) Database accounts cannot see restricted records.
+### Dataset Protection (dataset-protection)
+
+- `block` (Boolean) Policy action to enforce.
+- `monitorReads` (Boolean) Monitor read operations.
+- `monitorUpdates` (Boolean) Monitor update operations.
+- `monitorDeletes` (Boolean) Monitor delete operations.
+- `monitorInserts` (Boolean) Monitor insert operations.
+- `monitorAlters` (Boolean) Monitor alters operations.
+- `monitorDrops` (Boolean) Monitor drops operations.
+- `monitorDumps` (Boolean) Monitor dump operations.
+- `tags` (Array) Tags.
+- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
+- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
+- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
+- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
### Objects
@@ -104,6 +120,10 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts. See properties below:
- `included` (Array) Included Database Accounts.
- `excluded` (Array) Excluded Database Accounts.
+
+- `datasets` (Object) Datasets. See properties below:
+ - `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
+ - `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
- `identityList` (Object) Identity List. See properties below:
- `userNames` (Array) Identity Emails.