Security Policies
The Satori Security Policy is a re-usable object that can be configured to contain multiple sets of dynamic masking configurations and data filtering configurations.
Satori's security policy engine is designed to protect an organization's data by authorizing specific individuals or groups of individuals to view data. The main objective of a security policy is to protect an organization's business interests.
A Security Policy can be applied to one or more datasets.
The Satori security policy mechanism achieves this by implementing dynamic masking and data filtering on specific tables, columns, rows and fields within a dataset. Satori's security policies can be applied to one or more datasets.
The Satori security policy provides two configurable mechanisms for protecting an organization's data:
- Dynamic Masking - The dynamic masking mechanism of the security policy is used to obfuscate sensitive or confidential data such as credit card information, social security numbers, names, addresses and phone numbers from unintended exposure and to reduce the risk of data breaches.
- Data Filtering - The data filter is designed to restrict the records returned from queries based on the authorization context of the user. The Satori data filtering mechanism automatically rewrites the queries based on the filter and mapping configurations that are defined in the policy.
Dynamic Masking and Data Filtering Made Easy
A Satori security policy can be created in just a few minutes. The policy can then be implemented and reused on a single dataset or multiple datasets.
Security Policies are displayed as tiles. Each security policy tile displays which datasets are implementing the security policy, as well as the number of active users and the number of queries over the past 7 days.
Creating a Security Policy
To create a security policy you need to have either administrator or editor permissions. Ensure that you have added the relevant users and groups to the "User Directory". Make sure that you have prepared the required masking profiles in the "Masking Profiles" view.
The Main Configuration Tasks
- Select the "Security Policies" view from the navigation menu in Satori.
- Click on the plus button and name the new security policy.
- Assign the security policy to the relevant dataset.
- Assign the (preconfigured) users and groups to the dataset.
- Apply a "masking profile" to a dynamic masking rule of a security policy.
- Configure the dynamic masking and the data filtering rules for the new security policy.
Assigning the Security Policy to a Dataset
Once you have created the security policy, assign it to a dataset, which you access from the "Datasets" view.
There are two configuration tasks required for assigning a security policy to a dataset. They are as follows:
1 - Configuring a User Access Rule
The first task is to add and configure a new "User Access Rule" for the dataset and then select an enforcement rule for the new user or group. There are three types of security policy enforcement:
A - Default Security Policies - represents the fallback security policy
B - The Following Security Policies - Enables you to add multiple security policies to a single dataset
C - No Security Policies - No security policy assigned to the dataset as the default policy
Assigning a security policy to a dataset is a simple task achieved by performing the following:
Step 1 - Click the "Datasets" view and then select the relevant dataset.
Step 2 - Click the "User Access Rules" tab, click the "Add" button, and then complete the "Grant Access Rule" by selecting the relevant drop-down menu configuration options.
Step 3 - Be sure to select the relevant enforcement option, which defines the type of policy enforcement you wish to apply to the dataset.
Step 4 - Make sure that the "Access to this dataset is controlled by Satori" toggle switch is "turned on".
Note: Satori automatically sets the dataset security policy to the "Default Security Policies" option.
2 - Assigning the Default Security Policy to a Dataset
Now that you have created and defined your dataset, Satori recommends that you assign it a default security policy.
To assign the "default" security policy, click the "Security Policies" tab and select the default security policy from the drop-down menu.
3 - Enforcing a Security Policy on a User or a Group
Once you have assigned the default security policy to the data store, return to the access rules tab and add a new access rule to your dataset. This is the default security policy that you assign to the dataset.
To assign the default security policy to a new user or group for the dataset, perform the following tasks:
- Select the User Access Rule tab.
- Click the Add button.
- Select the relevant user or group from the available options.
- Select the user's or group's access level.
- Set the expiration date.
- Enter the revoke access timeframe.
- Enforce the "default security policy" option.
Setting Up Dynamic Masking
Satori provides you with the ability to perform real-time data masking of sensitive or regulated data. Dynamic masking changes the data stream so that the data requester does not get access to the sensitive data, while no physical changes to the original production data take place.
Step 1 - Click the "Start" button.
Step 2 - Select the user and the relationship type from the available options.
Step 3 - Select or enter either an individual user or group.
Step 4 - Now select a predefined masking profile from the available list options.
NOTE: Select a pre-configured masking profile from the masking profile templates provided by Satori out-of-the-box, or create and configure a masking profile customized to your specific organizational requirements.
Satori masking profiles and pre-configured masking templates are located in the "Masking Profiles" view of the application.
Setting Up Data Filtering
Satori filters data to users by implementing row-level access controls. When a data filtering policy is enforced, Satori intercepts the query before it is sent to the database and then rewrites the query and adds the necessary filters.
For example, consider a CUSTOMERS table with a REGION column, where only the US team members can access the rows of the US region and only the EU team members can access the rows of the EU region.
When a US team member sends the following query:
SELECT * FROM CUSTOMERS
Satori then rewrites the query as follows:
SELECT * FROM CUSTOMERS WHERE REGION IN ('US')
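The following is an added illustration of the row-level rewrite described above, not Satori's implementation or code from this documentation. It goes beyond the single case shown by also covering a user query that carries its own WHERE ... OR ... clause and a user with no mapping; the group names, the mapping, the regex table matcher, and the use of SQLite are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed mapping (assumption): group name -> REGION values it may read.
GROUP_REGIONS = {"us_team": ["US"], "eu_team": ["EU"]}
# Toy matcher: only handles plain "FROM CUSTOMERS" / "JOIN CUSTOMERS".
TABLE_REF = re.compile(r"\b(FROM|JOIN)\s+CUSTOMERS\b", re.IGNORECASE)

def allowed_regions(groups):
    """Union of the regions granted by the user's groups (may be empty)."""
    return sorted({r for g in groups for r in GROUP_REGIONS.get(g, [])})

def rewrite(query, groups):
    """Return (sql, params) with CUSTOMERS replaced by a filtered subquery.

    Wrapping the table, rather than appending a WHERE clause, keeps the
    filter in force when the user's own query contains WHERE ... OR ...
    """
    regions = allowed_regions(groups)
    if regions:
        cond = "REGION IN (%s)" % ", ".join("?" * len(regions))
    else:
        cond = "1 = 0"  # fail closed: a user with no mapping gets no rows
    scoped = r"\1 (SELECT * FROM CUSTOMERS WHERE %s) AS CUSTOMERS" % cond
    sql, hits = TABLE_REF.subn(scoped, query)
    return sql, regions * hits  # one set of bound values per table reference

def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMERS (NAME TEXT, REGION TEXT)")
    conn.executemany("INSERT INTO CUSTOMERS VALUES (?, ?)",
                     [("Ada", "US"), ("Bob", "US"), ("Chloe", "EU")])
    return conn

def run_as(conn, query, groups):
    """Execute the rewritten query on behalf of a user in `groups`."""
    sql, params = rewrite(query, groups)
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print(rewrite("SELECT * FROM CUSTOMERS", ["us_team"]))
    print(run_as(db, "SELECT NAME FROM CUSTOMERS WHERE NAME = 'Ada' OR 1 = 1", ["eu_team"]))
```

A production rewriter parses the SQL rather than pattern-matching it, since a regex misses forms such as comma joins and quoted identifiers.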
Note: If you select the Advanced YAML Editor option, you cannot switch back to the "Standard Filter Builder" option. If you wish to use the standard filter builder after selecting the advanced filter builder, the YAML snippet will be lost.
Learn More About the Data Filter Builder
To learn more about the data filter options go to the Data Filter Builder section.