Policy Engine
Satori’s secure data access platform enables organizations to create policies that govern access to data stores. The policy engine is the module that provides this functionality: it uses information about the user, the request itself (query or API call) and the actual data returned from the data store to determine how the access should be handled.
How does the policy engine work?
The policy engine executes rules that are defined in the data store settings view. Rules are executed by priority, from the lowest to the highest value. A rule contains a boolean condition and an action. When the boolean condition evaluates to True, the action is taken.
Actions
Actions determine how Satori should process data access. Satori supports the following actions:
- Allow - instructs the policy engine to stop processing the next rules and allow the data access.
- Alert - instructs the policy engine to continue processing the next rules but to generate an incident in the management console for this data access.
- Mask - instructs the policy engine to apply a transformation on the data before it’s returned to the client. For more information about masking see Universal Masking.
- Block - instructs the policy engine to stop processing the next rules and block the data access, returning an error message to the data consumer.
- Terminate (coming soon) - instructs the policy engine to stop processing the next rules and terminate the connection to the data store.
Tags
Conditions are composed of tags that represent the existence of various aspects of the data access. For example, the tag identity.principal.name::john@example.com will be available when john@example.com is connecting to the data store. Satori separates tags into two categories, data tags and identity tags. Data tags provide information about properties of the data, for example, whether a particular type of PII appears in the data. Identity tags provide information about properties of the user, for example, whether the user is assigned a particular role.
Satori provides a large number of built-in tags and customers can also define their own tags by using Satori-provided matchers. For a list of all available tags, please refer to the tag reference.
Conditions
Conditions are a conjunction of the tags they contain. For a condition to evaluate to True, all of its tags must be present (and a negated tag must be absent). A tag is negated by placing the NOT keyword before the tag itself. See the Rule Language section for more information.
Rule Language
Rules are defined in YAML and maintained in the Data Access Policies section of the data store settings view in the management console. The general format is:
rules:
  - name: "Rule display name"
    priority: <0..n>
    action: <allow|alert|block>
    data_tags:
      - [NOT] <data_tag>
      ...
      - [NOT] <data_tag>
    identity_tags:
      - [NOT] <identity_tag>
      ...
      - [NOT] <identity_tag>
  - name: "Rule display name"
    ...
Custom Tags
Customers can create their own tags in the Tags section of the data store settings view in the management console. These tags are built using Matchers, which are re-usable modules that Satori provides.
Tag Language
tags:
  - display_name: "Tag display name"
    tag: <tag string to use in rule>
    matcher_id: <matcher to use for this tag>
    matcher_data:
      ...
    ...
  - display_name: "Tag display name"
    ...
Examples
Allow all traffic
rules:
  - name: "Allow all"
    priority: 0
    action: allow
Block all traffic
rules:
  - name: "Block all"
    priority: 0
    action: block
Alert on access to email addresses
rules:
  - name: "Alert on access to email addresses"
    action: alert
    data_tags:
      - c12n.pii::email
    priority: 0
Block access to passwords except for administrators in Snowflake
rules:
  - name: "Only admins can access passwords"
    action: block
    data_tags:
      - c12n.operational::password
    identity_tags:
      - "NOT identity.datastore.role::accountadmin"
    priority: 0
Only allow the finance team access to certain database objects
rules:
  - name: "Financial data access"
    action: block
    identity_tags:
      - "NOT identity.idp.group::Finance"
    data_tags:
      - financial_data
    priority: 0
tags:
  - display_name: "Finance Tables"
    tag: financial_data
    matcher_id: table_name
    matcher_data:
      match:
        # All tables named deals in every schema or database
        - deals
        # All tables named quotes in the public schema of every database
        - public.quotes
        # The assets table in the restricted schema in the finance database
        - finance.restricted.assets
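The evaluation order and stop/continue semantics described under "How does the policy engine work?" and "Actions", applied to a constructed policy built from the example rules above. This is an added illustration in Python, not Satori's own engine; the rules are written as Python dicts mirroring the YAML, the request tag sets are constructed, and treating Mask as non-terminating and reporting "no-match" when no Allow or Block rule fires are assumptions, since the page does not state either.

```python
# Constructed policy: three of the page's example rules with distinct
# priorities so that the lowest-to-highest evaluation order is visible.
POLICY = [
    {"name": "Allow all", "priority": 2, "action": "allow"},
    {"name": "Only admins can access passwords", "priority": 1, "action": "block",
     "data_tags": ["c12n.operational::password"],
     "identity_tags": ["NOT identity.datastore.role::accountadmin"]},
    {"name": "Alert on access to email addresses", "priority": 0, "action": "alert",
     "data_tags": ["c12n.pii::email"]},
]


def condition_holds(rule, present_tags):
    """A condition is the conjunction of the rule's data_tags and
    identity_tags; an entry written 'NOT <tag>' holds when the tag is absent."""
    for entry in rule.get("data_tags", []) + rule.get("identity_tags", []):
        negated = entry.startswith("NOT ")
        tag = entry[4:].strip() if negated else entry.strip()
        if (tag in present_tags) == negated:
            return False
    return True


def evaluate(rules, present_tags):
    """Run rules from the lowest to the highest priority value. Allow and
    Block stop processing; Alert records an incident and continues. Mask is
    treated as non-terminating here (assumption: the page does not say)."""
    alerts, masks = [], []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not condition_holds(rule, present_tags):
            continue
        if rule["action"] in ("allow", "block"):
            return {"decision": rule["action"], "alerts": alerts, "masks": masks}
        if rule["action"] == "alert":
            alerts.append(rule["name"])
        elif rule["action"] == "mask":
            masks.append(rule["name"])
    # No terminating rule matched; the page states no default, so report
    # that explicitly instead of assuming allow or block.
    return {"decision": "no-match", "alerts": alerts, "masks": masks}


if __name__ == "__main__":
    analyst = {"c12n.pii::email", "c12n.operational::password",
               "identity.idp.group::Analysts"}          # constructed request
    admin = {"c12n.operational::password",
             "identity.datastore.role::accountadmin"}  # constructed request
    print(evaluate(POLICY, analyst))  # alert recorded at priority 0, blocked at 1
    print(evaluate(POLICY, admin))    # block rule skipped, allowed at priority 2
```

Note that moving "Allow all" to priority 0 would short-circuit both other rules, which is why priorities, not list order, decide the outcome.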