How To: Author a policy and control access to your Vault

Prerequisites:

  • You must be a Vault Owner for a given vault to create a role, attach policies to it, and access the Governance and Settings tabs from the Vault Dashboard.
  • We will be using the Customer Identity Vault template for this example. If you have not instantiated this template and created a vault, please go ahead and do so in the sandbox workspace.
  • If you would like to validate the policy being enforced through the UI, you must have access to another user account that has no access to the Customer Identity Vault.

This sample recipe will help you understand the basic concepts of managing access to your vault using a step-by-step guide. In this recipe, we will be creating a Customer Support Agent Role and granting it restricted access to the customer identity vault.

Step 1: Create a Custom Role
  • Go to the Settings tab
  • Select the right vault context from the drop-down list on the left.
  • Under IAM, select Roles and then ‘Add New Role’.
  • Enter the role name - ‘Customer Support Agent’ and a description and then click ‘Create’.
  • You have now created a custom role.
Step 2: Create and attach policies to a custom role

Now that you have created a custom role, let’s attach some policies to it.

Policies grant your custom role permissions to access data contained in the vault. You can author policies for any role from the Governance tab as well.

Step 2.1: Create a column level policy
  • Click on ‘Attach Policies’ and then give your policy the name ‘PII Redaction for Identifiers’.
  • Copy and paste the following rules into the policy editor modal window:

    ALLOW READ ON identifiers.passport_number, identifiers.skyflow_id WITH REDACTION = PLAIN_TEXT
    ALLOW READ ON identifiers.drivers_license, identifiers.itin WITH REDACTION = REDACTED
    ALLOW READ ON identifiers.ssn WITH REDACTION = MASKED
  • These rules allow the role to read only the skyflow_id and passport_number columns in plain text; every other column in the identifiers table is either redacted or masked.
  • Make sure that there are no errors and then click ‘Create’. This action creates and attaches the policy to the custom role you just created.
  • After the policy has been created change the state from Pending to Active by clicking the Enable button.
  • If you would like to learn more about policy authoring tips, check out this section.
Step 2.2: Create a Row Level Policy
  • Click on ‘Attach Policies’ again and then give your new policy the name ‘Nationality based row level security’.
  • Copy and paste the following rule into the policy editor modal window:

    ALLOW READ ON persons.phone_numbers.*, persons.nationality WITH REDACTION = PLAIN_TEXT WHERE persons.nationality = 'COLOMBIAN'
  • This rule grants access to view phone numbers in plain text only for those rows in the persons table where the nationality column has the value ‘COLOMBIAN’. Rows with any other nationality are not returned to this role at all.
  • Make sure that there are no errors and then click ‘Create’. This action creates and attaches the policy to the Customer Support Agent role you just created.
  • After the policy has been created change the state from Pending to Active by clicking the Enable button.
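To see how the column-level rules from Step 2.1 and the row-level rule from Step 2.2 combine, here is an added simulation (not Skyflow code, and not taken from this recipe) that parses the four rules exactly as written above and applies them to constructed sample rows. The rule grammar, the MASKED rendering (last four characters kept), the omission of ungranted columns and the dropping of rows with nothing visible are all assumptions made for the illustration.

```python
import re
# Rule grammar inferred from this recipe's policies (an assumption, not Skyflow's spec).
RULE_RE = re.compile(r"ALLOW READ ON (?P<cols>.+?) WITH REDACTION = (?P<level>\w+)"
                     r"(?: WHERE (?P<wcol>[\w.]+) = '(?P<wval>[^']*)')?\s*$")

def parse_rule(text):
    """Split one rule into its column list, redaction level and optional WHERE clause."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    where = (m["wcol"], m["wval"]) if m["wcol"] else None
    return {"cols": [c.strip() for c in m["cols"].split(",")], "level": m["level"], "where": where}

def redact(value, level):
    """Render a value at a redaction level; the MASKED format (last 4 chars kept) is assumed."""
    if level == "PLAIN_TEXT":
        return value
    if level == "MASKED":
        s = str(value)
        return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "*" * len(s)
    return "*REDACTED*"

def apply_policies(rules, rows):
    """View of `rows` (dicts keyed 'table.column') for a role holding `rules`: ungranted
    columns are omitted and rows with nothing visible are dropped (both assumptions)."""
    visible = []
    for row in rows:
        out = {}
        for rule in rules:
            if rule["where"] and row.get(rule["where"][0]) != rule["where"][1]:
                continue  # row-level condition not met: this rule grants nothing here
            for col, val in row.items():  # 'table.col.*' covers every nested field
                if any(col == p or (p.endswith(".*") and col.startswith(p[:-1])) for p in rule["cols"]):
                    out[col] = redact(val, rule["level"])
        if out:
            visible.append(out)
    return visible

POLICIES = [parse_rule(r) for r in (
    "ALLOW READ ON identifiers.passport_number, identifiers.skyflow_id WITH REDACTION = PLAIN_TEXT",
    "ALLOW READ ON identifiers.drivers_license, identifiers.itin WITH REDACTION = REDACTED",
    "ALLOW READ ON identifiers.ssn WITH REDACTION = MASKED",
    "ALLOW READ ON persons.phone_numbers.*, persons.nationality WITH REDACTION = PLAIN_TEXT "
    "WHERE persons.nationality = 'COLOMBIAN'")]
# Constructed sample rows, not real vault data.
IDENTIFIERS = [{"identifiers.skyflow_id": "id-001", "identifiers.passport_number": "P1234567", "identifiers.ssn": "123-45-6789",
                "identifiers.drivers_license": "DL-77", "identifiers.itin": "900-70-0000", "identifiers.email": "ana@example.com"}]
PERSONS = [{"persons.nationality": "COLOMBIAN", "persons.phone_numbers.home": "+57 1 555 0100"},
           {"persons.nationality": "FRENCH", "persons.phone_numbers.home": "+33 1 55 00 10 00"}]
```

Calling apply_policies(POLICIES, IDENTIFIERS) returns the passport number and skyflow_id in plain text, the drivers licence and ITIN redacted and the SSN masked, with the ungranted email column absent; apply_policies(POLICIES, PERSONS) returns only the COLOMBIAN row.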
Step 3: Assign role to a user
  • Under ‘User Role Assignment’, search for the user you want to assign the Customer Support Agent role to and then click ‘Save’. This user should have no existing roles on the customer identity vault.
Step 4: Create a Service Account and assign role to it
  • Under IAM, go to Service Accounts
  • Click on ‘New Service Account’ and give it the name: ‘Customer Support Web App’
  • Now, in the ‘Roles’ field, select ‘Customer Support Agent’
  • Click ‘Create’
  • You have now created an API Service Account that has been assigned the role - ‘Customer Support Agent’
Step 5: Validate Policy Enforcement
  • Open a new incognito browser window
  • Log in to Skyflow using the user account to which the Customer Support Agent role was assigned.
  • From the Vault Dashboard, navigate to the customer identity vault in the sandbox workspace and then click on ‘Browse’
  • Validate that only data in the identifiers table is visible to her.
  • Validate that in the identifiers table only the passport_number and skyflow_id columns are visible to her. The rest of the column data should be redacted or masked per the policy defined for the Customer Support Agent role.
  • Validate enforcement of the row level nationality policy by clicking on the persons table. Navigate to the SQL filter option in the top navigation bar. Run the following SQL query:

    select phone_numbers.*, nationality from persons
  • You should see data from the phone_numbers and nationality columns only for those rows where the person’s nationality has the value ‘COLOMBIAN’.