Access Policies

Access policies provide users with either permanent permissions on resources or the ability to request permissions on a resource. Administrators manage both who is able to request and endorse which policies and resources.

  • Grants - permanent or time based permissions granted to a user or Mamori role.
  • On-demand policies - Request and endorse a policy that grants permissions on a custom set of resources.
  • On-demand resource policies - Request and endorse access to a particular resource.

Additionally databases have data access and data privacy policies

Grants

Click on the desired resource type main menu item

  • SSH Logins
  • Remote Desktops
  • HTTP Resources
  • Roles
  • Secrets
  • WireGuard > IP Resources

Find the resource and click on Manage User Grants or Manage Role Grants row menu item

Click on advanced options to set time based grants

Click on the grantee to toggle the grant

On-demand policies

Create

To create an Access On-Demand policy follow the steps below

Prerequisites

Required Permissions

To make or approve requests a user must have the REQUEST privilege, either directly or via a role. Additionally, To request a particular policy a user must have the request role specified in the policy.

Click Policies

Click Access On Demand

Click Add

Next, enter the details

SectionFieldDescription
Policy Namename user will request
DescriptionDescription of grant policy will provide
TypePolicy - For custom set of resources
Resource - Invoked by requestable resource grants
Request
RoleRole required to request the policy
Alert (optional)Alert channel for new quests
Endorsement
Role(s)Roles required to endorse the policy
Level CountNumber of endorsements required per role
Allow self endorsementDefaults to false
Allows endorser to endorse their own request
Default MessageDefault approval message to provider user
Approval Alert (optional)Alert channel for approved policies
Deny Alert (optional)Alert channel for a denials
Execute
Alert (optional)Alert channel for executed policies
Execute on approvaldefaults to false. When true the grant expiration starts on approval. When false it starts when the applicant executes the policy.
Script
Parameters (optional)Custom request parameters to collect from the applicant
StatementsEnter One or more Grant Statements. Script Statement Syntax

Click Create


Request

Click Access Requests > Request a Policy

Find the policy and click Request

Enter the policy paramters and click Request


Endorse

Click Access Requests > Endorse Request

Find the policy request and click Endorse

Enter a comment and confirm


Script Syntax

Mamori On Demand policy script syntax is an easy to use SQL-like syntax. Statements can have parameters and clauses that specify when the grant is valid.

A policy script can have many statements and one statement can :

  • Grant a role, privilege, or object permission
  • Grant access to an ssh login
  • Grant access to use an encryption key
  • Grant reveal masked data for specified database objects
  • Grant access to an IP resource
  • Insert, Update and delete table data
  • Run Insert as Select across databases

Parameters

The syntax uses :customvalue for statement parameters.

Validity

GRANT and GRANT REVEAL statements can include VALID date and time.

ClauseDescription
VALID BETWEEN :date1 AND :date2valid between two dates
VALID FROM :date1valid from a date
VALID UNTIL :date1valid from a date
VALID FOR :amount [seconds, minutes, or hours]valid from a specified unit of time

Enter dates in format YYYY-MM-DD

A permanent grant is one without a VALID clause.

Grant a privilege

policy script statements
GRANT REQUEST TO :applicant VALID FOR :time minutes;

Grant a Role, Policy, IP resource

policy script statements
GRANT myrole TO :applicant VALID BETWEEN :date1 AND :date2;
GRANT mypolicy TO :applicant VALID BETWEEN :date1 AND :date2;
GRANT myipresource TO :applicant VALID BETWEEN :date1 AND :date2;

Grant Encryption Key Usage

policy script statements
GRANT KEY USAGE on :encryptionkey TO :applicant VALID FROM :date1;

Grant Data Reveal

policy script statements
GRANT REVEAL * ON "datasource"."database"."schema"."table" TO :applicant valid for :time minutes;

Grant SSH Login

policy script statements
GRANT SSH mysshlogin TO :applicant VALID FOR :time hours;

Grant on DB Object

policy script statements
GRANT SELECT on "datasource"."database"."schema"."table" TO :applicant;
GRANT UPDATE on "datasource"."database"."schema"."table" TO :applicant;
GRANT INSERT on "datasource"."database"."schema"."table" TO :applicant;
GRANT DELETE on "datasource"."database"."schema"."table" TO :applicant;

GRANT CREATE TABLE on "datasource"."database"."schema" TO :applicant;
GRANT DROP TABLE on "datasource"."database"."schema" TO :applicant;

GRANT is overruled if there is a DENY already on the object.


On-demand resource policies

Manage

Click on the desired resource type main menu item

  • Datasources
  • SSH Logins
  • Remote Desktops
  • HTTP Resources
  • Roles
  • Secrets
  • WireGuard > IP Resources

Find the resource and click on the Manage Request Grants row menu item

Request

Click Access Requests > Request a Resource

Click on the resource type

Find the resource and click on Request Access row menu item

Enter the policy fields and confirm

Endorse

Click Access Requests > Endorse Request

Find the policy request and click Endorse

Enter a comment and confirm


Data Permission Policies



Database permission policies allow granular segmentation of the permissions that an existing database credential has. You can craft policies that restrict SQL operations and access without needing to create additional database credentials in the database.

For example, a user can be assigned access via a DBA credential with a permission policy that only allows select. When the user access the database from any tool only select statements will be allowed. All other statements will be blocked.
A database permission policy can never grant a permission that a credential doesn't have.

Details

Triggered : Right before a database command is sent for execution

Best for : Blocking unauthorized database commands, object access or limit rows returned.


Data access permission policies allow control over what statements will be sent for execution in the database. Additionally incoming SQL is potentially re-written based on the configured row and column security.

Common Configuration

Data Permission Policy configuration

Managing

To manage data access policies

  • Edit a user or role
  • Click on Database & Data Access > Object Privileges

This displays the current permissions for the grantee

To remove a permission

Find the permission and click on the Revoke row menu item

To add a permission

  • Expand the Add new grant panel
  • Fill in the grant details
SectionFieldDescription
Permission TypeGrant or deny
Permission ScopeThe level the permission applies to
Datasource, Database, Schema, Object
PermissionThe permision list for the selected level
Permission TypeGrant or deny
Permission TypeGrant or deny
Set Database ObjectThis section allows you to specify the specific database objects. Leaving it all blank means all datasources, all databases, all schemas and all objects.

The appropriate fields will display based on the permission scope
DatasourceEnter blank, * or a specific item
DatabaseEnter blank, * or a specific item
SchemaEnter blank, * or a specific item
ObjectEnter blank, * or a specific item
Set Grant ExpiryThis section allows you to specify the validity clause
Always Valid
Valid From
Valid Between
Time Limited
Valid From & BetweenEnted date in the format YYYY-MM-DD HH:MM
Time limitedEnter amount and select unit
Set Row RestrictionApplies a limit or where condition
Only displays if SELECT, DELETE, UPDATE permissions are selected
Apply or override a limit on rowsToggle true/false
if true enter a limit amount
If false check override
Restrict Rows with a where clauseToggle true false
enter a valid SQL where condition pre-fixing column names with $.
 NOT (($.OWNER like 'SYS%'))

Click Add


Data Privacy Policies


Details

Triggered : Right before a database command is sent for execution

Best for : Column security and data masking.



Data privacy policies allow you to hide or mask column based on a users permission.

Managing Available functions

The mamori server contains a default set of masking functions that can be used for javascript and the main RDBMS SQL types.

Click Policies > Masking Functions

Edit, Add or delete functions in the grid.


Managing Privacy Policies

Any rules add to the default policy will be applied to all queries. Other policies will only be applied if granted to a user or role

For SQL

Click Policies > SQL Data Policies

Click

Enter the fields

FieldDescription
NameReference for the policy
DescriptionPolicy Description
PriorityIn the event a user has conflicting rules for the same column, then the lower numbered policy will apply

Click Create

Click Masking Rule

  • Select the columns
  • Select the masking rule to apply
  • Click OK



For NoSQL

Click Policies > NoSQL Data Policies

Click Mongo DB Filter

Enter the fields

FieldDescription
Filter NameReference for the policy
Datasource/CollectionCollection this applies to

Click Create

Click Transformations

Enter the fields

FieldDescription
RoleRole this will applied to
Field/Attributesjson path selector
JS functionSelect the function to apply
ArgumentsAddition parameters passed into the function

Click OK

Edit this page on GitHub Updated at Fri, May 19, 2023