Rollback operations supported by datasetprotection policy #501

Merged
merged 3 commits into from
Jan 31, 2024
36 changes: 0 additions & 36 deletions docs/guides/repo_level_policy.md
Expand Up @@ -110,42 +110,6 @@ resource "cyral_rego_policy_instance" "policy" {
}
```

## Example: dataset protection

-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.

Restrict access to specific tables or schemas in the data repositories:

```terraform
# Creates pg data repository
resource "cyral_repository" "pg1" {
type = "postgresql"
name = "pg-1"

repo_node {
host = "pg.cyral.com"
port = 5432
}
}

# Creates a policy instance from template to raise a 'high' alert
# and block updates and reads on schema 'finance' and dataset
# 'cyral.customers'
resource "cyral_rego_policy_instance" "policy" {
name = "dataset-protection"
category = "SECURITY"
description = "Raise a 'high' alert and block updates and reads on schema 'finance' and dataset 'cyral.customers'"
template_id = "dataset-protection"
parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
enabled = true
scope {
repo_ids = [cyral_repository.pg1.id]
}
}
```

## Example: rate limit

Set up a threshold on sensitive data reads over time:
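Review bot: Dropping the whole "Example: dataset protection" section, including the v4.13 note, is broader than the PR title ("Rollback operations supported by datasetprotection policy") suggests: a user who already applied a `cyral_rego_policy_instance` with `template_id = "dataset-protection"` on a v4.13+ control plane is left with no documentation for a resource that is still in their state, and nothing in the hunk says the template itself is withdrawn. Either keep the example with only the rolled-back operations removed, or add a changelog line saying the template is no longer documented and why. Since `docs/guides/repo_level_policy.md` is generated from `templates/guides/repo_level_policy.md.tmpl`, also confirm this hunk came from rerunning the docs generator rather than a hand edit, so the two files cannot drift.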
20 changes: 0 additions & 20 deletions docs/resources/rego_policy_instance.md
Expand Up @@ -151,22 +151,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
- `includedDbAccounts` (Array) Database accounts cannot see restricted records.

### Dataset Protection (dataset-protection)

- `block` (Boolean) Policy action to enforce.
- `monitorReads` (Boolean) Monitor read operations.
- `monitorUpdates` (Boolean) Monitor update operations.
- `monitorDeletes` (Boolean) Monitor delete operations.
- `monitorInserts` (Boolean) Monitor insert operations.
- `monitorAlters` (Boolean) Monitor alters operations.
- `monitorDrops` (Boolean) Monitor drops operations.
- `monitorDumps` (Boolean) Monitor dump operations.
- `tags` (Array) Tags.
- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.

<a id="parameter-objects"></a>

### Objects
Expand All @@ -180,10 +164,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts. See properties below:
- `included` (Array) Included Database Accounts.
- `excluded` (Array) Excluded Database Accounts.
<a id="objects--datasets"></a>
- `datasets` (Object) Datasets. See properties below:
- `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
- `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
<a id="objects--identityList"></a>
- `identityList` (Object) Identity List. See properties below:
- `userNames` (Array) Identity Emails.
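Review bot: The removed list is the only place the template's accepted keys are documented, and `parameters` is free-form JSON, so after this hunk a user has no way to tell which of `block`, `monitorReads`, `monitorUpdates`, `tags`, `datasets`, `identities`, `dbAccounts` or `alertSeverity` the template still honours. If the rollback only concerns the newly added `monitorDeletes`, `monitorInserts`, `monitorAlters`, `monitorDrops` and `monitorDumps` flags, keep the "Dataset Protection (dataset-protection)" entry and delete just those five lines. Removing the `<a id="objects--datasets"></a>` block is safe only if no other template section links to `#objects--datasets`; grep the file for that anchor before merging, since the `identityList` anchor is still referenced from the row-level section above.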
25 changes: 0 additions & 25 deletions examples/guides/repo_level_policies/dataset_protection.tf

This file was deleted.

10 changes: 0 additions & 10 deletions templates/guides/repo_level_policy.md.tmpl
Expand Up @@ -31,16 +31,6 @@ Protect against unauthorized updates:

{{ tffile "examples/guides/repo_level_policies/data_protection.tf" }}

## Example: dataset protection

-> **Note** The Dataset Protection policy template is only enabled by default in control planes
`v4.13` and later. If you have a previous version, please reach out to our customer success
team to enable it.

Restrict access to specific tables or schemas in the data repositories:

{{ tffile "examples/guides/repo_level_policies/dataset_protection.tf" }}

## Example: rate limit

Set up a threshold on sensitive data reads over time:
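Review bot: Removing the `{{ tffile "examples/guides/repo_level_policies/dataset_protection.tf" }}` directive must land in the same commit as the deletion of `examples/guides/repo_level_policies/dataset_protection.tf` (it is deleted in this PR); with the file gone and the directive left in, the docs generator fails on the missing example, so do not split or partially revert these two changes. As in the generated guide, the v4.13 note disappears here as well; if the template still exists in the control plane, keep a one-line pointer to where its parameters are described.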
20 changes: 0 additions & 20 deletions templates/resources/rego_policy_instance.md.tmpl
Expand Up @@ -94,22 +94,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
- `includedDbAccounts` (Array) Database accounts cannot see restricted records.

### Dataset Protection (dataset-protection)

- `block` (Boolean) Policy action to enforce.
- `monitorReads` (Boolean) Monitor read operations.
- `monitorUpdates` (Boolean) Monitor update operations.
- `monitorDeletes` (Boolean) Monitor delete operations.
- `monitorInserts` (Boolean) Monitor insert operations.
- `monitorAlters` (Boolean) Monitor alters operations.
- `monitorDrops` (Boolean) Monitor drops operations.
- `monitorDumps` (Boolean) Monitor dump operations.
- `tags` (Array) Tags.
- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.

<a id="parameter-objects"></a>
### Objects
<a id="objects--identities"></a>
Expand All @@ -120,10 +104,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
- `dbAccounts` (Object) Database Accounts. See properties below:
- `included` (Array) Included Database Accounts.
- `excluded` (Array) Excluded Database Accounts.
<a id="objects--datasets"></a>
- `datasets` (Object) Datasets. See properties below:
- `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
- `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
<a id="objects--identityList"></a>
- `identityList` (Object) Identity List. See properties below:
- `userNames` (Array) Identity Emails.
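Review bot: This hunk mirrors the change to `docs/resources/rego_policy_instance.md`, which is what a regenerated file should look like, and the same two points apply: keep a reduced "Dataset Protection (dataset-protection)" entry if only the new operation flags are being rolled back, and check for remaining `#objects--datasets` links before dropping that anchor. Suggest a CI step that reruns the docs generator and fails on a dirty tree, so the `.tmpl` sources and the Markdown under `docs/` cannot diverge in future rollbacks.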