
User Directory

The User Directory enables Satori administrators to define user groups in Satori based on existing users, identity provider groups and data store groups.


Groups are used to set policies or analyze data access. Satori groups are useful for organizations that do not use an identity provider, or in cases where the association of users to groups in the identity provider does not match how data is accessed.

Using Groups

For example, suppose an organization has created a dataset for a project, and that dataset is accessed by the following types of users:

  • A team of software engineers who are assigned to an Okta group called ProjectXEngineers
  • A Python script that connects with the username project_x_billing_job
  • Several analysts using a BI tool that connects with the username project_x_bi

Policy Enforcement

To enforce the same policy on all these users and to be able to easily produce a report on the data access of these users, create a Satori group named Project X and add the following members:

  • Okta group ProjectXEngineers
  • project_x_bi and project_x_billing_job usernames

Group Hierarchy

To enable organizations to create a hierarchy model for groups, Satori groups can be added as members of other Satori groups, under the following constraints:

  1. Group Hierarchy - A maximum of 10 levels.
  2. Avoid Creating Loops - A group cannot be added as a member of itself, even indirectly, since that would create a loop.

Creating Satori Groups

To create a Satori group, go to the User Directory view, click the "Add" button and then provide a name for the group. A group can contain the following members:

  • Usernames - any user that is used to access a data store
  • Identity Provider Groups - Okta, AzureAD or others
  • Snowflake roles
  • Other Satori groups

Define Policies using Satori Groups

Organizations can enforce policies on Satori groups the same way policies are enforced on users or identity provider groups. This is done with the identity.directory.group tag. For example, the following policy alerts on access to PII data by members of the Project X team:

- name: "Project X PII"
  action: alert
  identity_tags:
    - identity.directory.group::e36cde67-6048-4ab3-b6f5-22b0aa311f80
  data_tags:
    - c12n.pii
  priority: 1
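The hierarchy constraints above (maximum of 10 levels, no loops) and the way an identity.directory.group tag resolves to the users, identity provider groups and roles nested under a group can be worked through in code. The following is an added example, not Satori's own implementation or schema: the Group model, the "user:" / "idp:" / "role:" principal prefixes, and the interpretation of "10 levels" as at most 10 groups on any nesting chain are assumptions made here; the sample data mirrors the Project X example on this page.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 10  # the page states a maximum of 10 hierarchy levels (assumed: groups per chain)
TAG_PREFIX = "identity.directory.group::"

@dataclass
class Group:
    """Hypothetical group model (not Satori's schema); principals are typed strings
    such as "user:<name>", "idp:<provider>:<group>" or "role:<snowflake role>"."""
    gid: str
    principals: set = field(default_factory=set)
    nested: set = field(default_factory=set)  # gids of member Satori groups

def check_hierarchy(groups):
    """Return constraint violations: membership loops and nesting deeper than MAX_DEPTH."""
    problems, cycles = [], set()
    def depth(gid, path):
        if gid in path:  # a gid already on the current path means a loop
            cycles.add(tuple(sorted(path[path.index(gid):])))
            return 0
        return 1 + max((depth(n, path + [gid]) for n in groups[gid].nested), default=0)
    for gid in groups:
        if depth(gid, []) > MAX_DEPTH:
            problems.append(f"depth > {MAX_DEPTH} below {gid}")
    return problems + [f"loop among {list(c)}" for c in sorted(cycles)]

def members(groups, gid, seen=None):
    """Flatten a group to every principal reachable through nested groups."""
    seen = set() if seen is None else seen
    if gid in seen:  # tolerate a loop here rather than recurse forever
        return set()
    seen.add(gid)
    out = set(groups[gid].principals)
    for n in groups[gid].nested:
        out |= members(groups, n, seen)
    return out

def policy_applies(groups, policy, identity):
    """True if a group tag on the policy resolves to members that intersect the caller's principals."""
    gids = [t[len(TAG_PREFIX):] for t in policy["identity_tags"] if t.startswith(TAG_PREFIX)]
    return any(identity & members(groups, g) for g in gids)

# Constructed sample data mirroring the Project X example on this page.
PROJECT_X = "e36cde67-6048-4ab3-b6f5-22b0aa311f80"  # group id quoted in the page's policy
GROUPS = {
    "svc": Group("svc", {"user:project_x_bi", "user:project_x_billing_job"}),
    PROJECT_X: Group(PROJECT_X, {"idp:okta:ProjectXEngineers"}, {"svc"}),
}
POLICY = {"name": "Project X PII", "action": "alert", "priority": 1,
          "identity_tags": [TAG_PREFIX + PROJECT_X], "data_tags": ["c12n.pii"]}
```

Running check_hierarchy before accepting a group change is the defensive point: a loop or an over-deep chain is rejected up front instead of surfacing as a policy that silently matches nobody or everybody.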