
Set up data governance

This guide will help you write custom policies and create custom roles to achieve fine-grained data access control. By the end of this guide, you’ll have used Skyflow Studio to create roles and policies that control which users and service accounts have permission to access your vault and what amount of data they have access to.

Prerequisites

For this guide, you’ll need:

    A Skyflow account. If you don’t have an account, sign up for free.
    A vault in the sandbox workspace created from the CustomerIdentity vault template.
      You’ll also need the Vault Owner role for this vault. (Only Vault Owners can create roles, attach policies, and access the Governance and Settings tabs from the Vault Dashboard.)
    Access to another user account with no access to the CustomerIdentity vault. This is required only if you want to validate enforcement of the policy in Step 5.

In this guide, we'll be creating a Customer Support Agent role and granting it restricted access to the CustomerIdentity vault.

Step 1: Create a custom role

    From the Vault Dashboard, click the Settings tab. Then under IAM on the left, click Roles > Add New Role. Enter the role name as “Customer Support Agent”, add a description, and click Create.

You have created a custom role! Next, you’ll add policies to it.

Step 2: Create & attach policies to a custom role

Policies grant your custom role permissions to access data contained in the vault.

Info: You can also author policies for any role from the Governance tab.

Step 2.1: Create a column-level policy

    Click Attach Policies and name it “PII Redaction for Identifiers”.

    Copy and paste the following rules into the policy editor modal window.

      These rules allow only the skyflow_id and passport_number columns to be read in plain text; the drivers_license and itin columns are returned redacted, and ssn is returned masked.
    ALLOW READ ON identifiers.passport_number, identifiers.skyflow_id WITH REDACTION = PLAIN_TEXT
    
    ALLOW READ ON identifiers.drivers_license, identifiers.itin WITH REDACTION = REDACTED
    
    ALLOW READ ON identifiers.ssn WITH REDACTION = MASKED

    Make sure there are no errors, then click Create. The policy is now created and attached to the Customer Support Agent role you created.

    Click Enable to change the state from “pending” to “active.”

Step 2.2: Create a row-level policy

    Click Attach Policies and name it “Nationality-based row-level security”.

    Copy and paste the following rule into the policy editor modal window.

      This rule allows the phone_numbers columns and the nationality column in the persons table to be read in plain text only for rows where the nationality column equals 'COLOMBIAN'.
    ALLOW READ ON persons.phone_numbers.*, persons.nationality WITH REDACTION = PLAIN_TEXT WHERE persons.nationality = 'COLOMBIAN'

    Make sure there are no errors, then click Create. The policy is now created and attached to the Customer Support Agent role you created.

    Click Enable to change the state from “pending” to “active.”

Step 3: Assign a role to a user

Under User Role Assignment, search for and select the user you want to assign the Customer Support Agent role to, then click Save.

Info: This user should have no existing roles on the CustomerIdentity vault.

Step 4: Create a service account & assign a role

Service accounts allow you to send and receive requests from third parties.

    Under IAM, click Service Accounts.

    Click New Service Account and name it "Customer Support Web App".

    In the Roles field, select Customer Support Agent. Then click Create.

You’ve created an API service account with the Customer Support Agent role! The final step (which is optional) is to validate that the policy is actually being enforced.

Step 5: Validate policy enforcement

    Open a new incognito browser window.

    Log in to the Skyflow user account that is assigned the Customer Support Agent role.

    From the Vault Dashboard, navigate to the CustomerIdentity vault in the sandbox workspace and click Browse.

    Validate that all data is redacted according to the Customer Support Agent role policy and that only the passport_number and the skyflow_id columns are visible.

    Validate enforcement of the row-level nationality policy by clicking on the persons table. Navigate to the SQL filter option in the top navigation bar. Run the following SQL query:

    select phone_numbers.* , nationality from persons

    You should see data in the phone_numbers and nationality columns only for those rows where the person’s nationality has the value 'COLOMBIAN'.
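To reason about what the Customer Support Agent role should see before checking it in Studio, here is a constructed Python model of the two policies from Steps 2.1 and 2.2 (column-level redaction with default deny for unlisted columns, plus the row-level WHERE filter). This is an added example, not Skyflow code; the sample rows and the MASKED/REDACTED output formats are assumptions.

```python
# Constructed model of the two policies in this guide (not Skyflow code): column-level
# redaction with default deny for unlisted columns, plus the row-level WHERE filter.
# (table, column pattern, redaction, where); `where` is (column, value) or None.
POLICIES = [
    ("identifiers", "passport_number", "PLAIN_TEXT", None),
    ("identifiers", "skyflow_id", "PLAIN_TEXT", None),
    ("identifiers", "drivers_license", "REDACTED", None),
    ("identifiers", "itin", "REDACTED", None),
    ("identifiers", "ssn", "MASKED", None),
    ("persons", "phone_numbers.*", "PLAIN_TEXT", ("nationality", "COLOMBIAN")),
    ("persons", "nationality", "PLAIN_TEXT", ("nationality", "COLOMBIAN")),
]
# Constructed sample rows; the persons table has a nested phone_numbers column.
IDENTIFIERS = [{"skyflow_id": "id-1", "passport_number": "P123", "drivers_license": "DL9",
                "itin": "9001", "ssn": "123-45-6789", "email": "a@example.com"}]
PERSONS = [{"skyflow_id": "id-1", "nationality": "COLOMBIAN", "phone_numbers.mobile": "+57 300 000 0000"},
           {"skyflow_id": "id-2", "nationality": "FRENCH", "phone_numbers.mobile": "+33 6 00 00 00 00"}]


def _matches(pattern, column):
    # "phone_numbers.*" covers nested columns such as phone_numbers.mobile
    return column.startswith(pattern[:-1]) if pattern.endswith(".*") else pattern == column


def _mask(value):
    # Assumed MASKED format: everything but the last four characters replaced by '*'
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]


def apply_policies(table, rows, policies=POLICIES):
    """Return the rows as a role holding `policies` would read them from `table`.
    Columns with no ALLOW rule are dropped (default deny); a rule whose WHERE
    clause fails for a row exposes nothing from that row."""
    out = []
    for row in rows:
        visible = {}
        for col, value in row.items():
            for p_table, pattern, redaction, where in policies:
                if p_table != table or not _matches(pattern, col):
                    continue
                if where and row.get(where[0]) != where[1]:
                    continue
                visible[col] = (value if redaction == "PLAIN_TEXT"
                                else _mask(value) if redaction == "MASKED" else "*REDACTED*")
                break
        if visible:  # rows where nothing is readable are not returned
            out.append(visible)
    return out
```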

Troubleshooting

    If your policy doesn't save in the editor, it’s most likely due to a syntax error. Make sure there are no errors before saving the policy.

    Row-level policies for nested columns currently aren't supported.

Tips

    When writing policy rules, press Ctrl + Space to view auto-suggestions.

    Press Tab to navigate to the next variable.
