Get started with Skyflow
This guide is an introduction to using Skyflow Studio and Skyflow's Management and Data APIs. Following this guide, you'll use Skyflow's Quickstart vault and data governance engine to securely share and govern access to vault data for different types of users. You'll also insert, read, tokenize, and detokenize data in your vault.
Explore a vault
This guide uses the Quickstart vault template. This vault is a training tool to help people learn how to use Skyflow. Every account contains one or more workspaces, and workspaces contain vaults.
Every Skyflow trial account comes with a Quickstart vault. Navigate to your Quickstart vault or create a new one:
- Sign in to Skyflow Studio.
- Click Create Vault > Start With A Template.
- Under Quickstart, click Create.
The Quickstart vault has a predefined schema with two tables (credit_cards and persons) and fake rows of data.
The role and policies assigned to your user account determine how much access you have to the data. Even though you're the owner of the vault, most fields are redacted or partially redacted by default. A column's definition in the vault schema and your user account's policies determine whether data is fully or partially redacted when you access it.
Column settings fall into four categories:
- General: Things like the column name, uniqueness, regular expression validation, and transient field status.
- Redaction: How to obscure data to prevent unauthorized access to sensitive data.
- Encrypted operations: Operations that can run over fully encrypted data through polymorphic encryption. All data within a vault is encrypted at rest and during transit.
- Tokenization: The kind of non-sensitive token to substitute for sensitive data in the column.
To view the card_number column's settings:
- In the credit_cards table, click the card_number column's down arrow.
- Choose View column.
When you're done investigating the column settings, close the column editor dialog.
Perform an encrypted operation
One of the ways you can retrieve records from the vault is through SQL queries. Through polymorphic encryption, your query operations run against fully encrypted data and return results without ever decrypting any of the data.
To perform an SQL query:
- Navigate to the persons table.
- Click SQL Filter.
- Below the green comments in the text area, type the following SQL statement:
The encrypted operation runs against your vault, and the results display in the table.
Share limited access to a vault
Within any product or organization, different users and services have different requirements for seeing and interacting with sensitive customer data. Skyflow takes a zero-trust approach to this, where no user or service has access to any data unless explicitly granted. With Skyflow's data governance engine, you can create simple policies that control what a user can see and how they see it.
To control a user's access to vault data, you create a role, create access policies, attach the policies to the role, then assign the role to the user. The following examples show how a marketing role and a customer support role might have different policies and access to the same data.
Create a marketing role
The marketing role flags read access to specific fields at different levels of visibility.
- From the vault schema page, click the gear icon next to your vault name and choose Edit Settings.
- Under IAM, click Roles, then click Add New Role.
- For Name, enter "Marketing Role".
- For Description, enter a value. For example, "Limited vault access".
- Click Create.
- Click Attach Policies, and replace the placeholder content with the following policies:
The first line grants plaintext read access to the name, email, and state for each person record in the persons table. The second line grants read access to the date of birth of a person but as a masked value. The final line grants read access to the fully redacted SSN.
- Click Create, enter "Marketing Policy" for the policy name, then click Save.
- Click Enable, then close the window.
Create a customer support role
While the marketing role and policy have limited access to the vault, the customer support role and policies are even more restrictive.
- Back in your first browser window, navigate to the vault schema page.
- Click the gear icon next to your vault name and choose Edit Settings.
- Under IAM, click Roles, then click Add New Role.
- For Name, enter "Customer Support Role".
- For Description, enter a value. For example, "Restrictive vault access".
- Click Create.
- Click Attach Policies, and replace the placeholder content with the following policies:
The first line grants plaintext read access to the name and state for each person record in the persons table. The second line grants read access to the SSN of a person but as a masked value. The final line grants read access to the fully redacted date of birth and email.
- Click Create, enter "Customer Support Policy" for the policy name, then click Save.
- Click Enable, then close the window.
Share the vault
To see these policies in action, add a user with the Marketing role and add a user with the Customer Support role, then sign in to those accounts in incognito browser windows.
- Under IAM, click Users, then click Share Vault.
- Invite an email address to add to your vault. You might add "+marketing" to your email username depending on your email provider, like in "email@example.com".
- For Roles, select Marketing Role, then click Add.
- Click Share Vault.
- Invite an email address to add to your vault. Depending on your email provider, you might add "+customer-support" to your email username, like in "firstname.lastname@example.org".
- For Roles, select Customer Support Role, then click Add.
View the marketing policies in action
Open an incognito browser window.
Sign in to Skyflow Studio using your account sign-in URL and the marketing email address you just added to your vault.
Click Browse on the Quickstart vault.
Skyflow restricts the view of the data based on the Marketing policy you created and assigned to this user.
When you're done browsing the vault as this user, close the incognito window.
View the customer support policies in action
Open another incognito browser window.
Sign in to Skyflow Studio using your account sign-in URL and the customer support email address you just added to your vault.
Click Browse on the Quickstart vault.
Skyflow restricts the view of the data based on the Customer Support policy you created and assigned to this user.
Keep this window open.
Edit the policy
With Skyflow's governance engine, you control how much data a user or service can access in a vault. You can update the rules at any time as business requirements change, and changes go into effect without any code deployments or implementation changes.
- Back in your first window, click Roles.
- Find the Customer Support Role row, then click View.
- Find the Customer Support Policy row, then click Edit.
- Move "persons.date_of_birth" from the "REDACTED" policy into the "MASKED" policy. Your policies should look like the following:
Add a row restriction
You can restrict view access to records based on record data. For example, you can restrict the customer support role to only be able to view customer records in one state by adding a row restriction.
- Back in your first window, click Roles.
- Find the Customer Support Role row, then click View.
- Find the Customer Support Policy row, then click Edit.
- Add a row restriction policy with "WHERE" statements so customer support agents can view only persons in the state of Arizona:
The first line grants plaintext read access to the name and state but only for people in the state of Arizona. The second line grants read access to the SSN and date of birth as a masked value but only for people in Arizona. The final line grants read access to the email as a fully redacted value but only for people in Arizona.
- Click Save.
In your incognito window, refresh the vault schema page. The vault data now only shows records matching the state of Arizona.
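An added example, not Skyflow's code or policy syntax: a small Python model of the access semantics described above (default deny, per-column redaction levels, and a row restriction), applied to the Customer Support rules from this section. The column keys `ssn`, `email` and `phone`, the masking format, and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PLAIN_TEXT, MASKED, REDACTED = "PLAIN_TEXT", "MASKED", "REDACTED"

@dataclass(frozen=True)
class Rule:
    columns: tuple                                   # columns the rule grants read access to
    redaction: str                                   # PLAIN_TEXT, MASKED or REDACTED
    where: Optional[Callable[[dict], bool]] = None   # row restriction; None means all rows

def mask(value: str) -> str:
    """Assumed masking format: keep the last 4 characters, hide the rest."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def render(value: str, redaction: str) -> str:
    if redaction == PLAIN_TEXT:
        return value
    return mask(value) if redaction == MASKED else "*REDACTED*"

def read_rows(rows: list, rules: list) -> list:
    """Return each row as the role sees it. Default deny: a column appears only if a
    rule names it, and a row appears only if some rule's restriction matches it.
    Simplification: if two rules name the same column, the later rule wins."""
    visible = []
    for row in rows:
        view = {}
        for rule in rules:
            if rule.where is not None and not rule.where(row):
                continue
            for col in rule.columns:
                if col in row:
                    view[col] = render(row[col], rule.redaction)
        if view:
            visible.append(view)
    return visible

def in_arizona(row: dict) -> bool:
    return row["state"] == "Arizona"

SUPPORT_RULES = [
    Rule(("name", "state"), PLAIN_TEXT, in_arizona),
    Rule(("ssn", "date_of_birth"), MASKED, in_arizona),
    Rule(("email",), REDACTED, in_arizona),
]
# Constructed sample rows, not data from the Quickstart vault.
ROWS = [
    {"name": "Ana Ruiz", "state": "Arizona", "ssn": "123-45-6789",
     "date_of_birth": "1990-04-12", "email": "ana@example.com", "phone": "555-0100"},
    {"name": "Ben Cole", "state": "Ohio", "ssn": "987-65-4321",
     "date_of_birth": "1985-11-02", "email": "ben@example.com", "phone": "555-0101"},
]
```

Calling `read_rows(ROWS, SUPPORT_RULES)` returns only the Arizona record, with `phone` absent because no rule grants it.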
Manipulate vault data
A data privacy vault needs data, and you can perform a full suite of CRUD (Create, Read, Update, Delete) operations on the records in your vault. See the full list of data operations in the Data API.
Performing data operations with the Data API requires the table name and Skyflow ID of the record you want to operate on:
- In the vault schema page, right-click anywhere in the records area, then choose Insert Record.
- Enter field values, then click Save.

- In the vault schema page, find the record and column you want to update.
- Right-click the record row, then choose Update Record.
- Update the fields with new values, then click Save.

- In the vault schema page, find the record and column you want to update.
- Right-click the record row, then choose Delete Record.
- Click Yes, delete.
Continue exploring what Skyflow can do with governance and tokenization, try integrating with server-side and client-side SDKs, and see how Skyflow Connections can help you securely pass data between Skyflow and other vendors you partner with.