Introducing Data Access Policy as Code With Satori Terraform Provider

We at Satori recognize that managing data access configurations with existing data engineering tools is a manual and repetitive task that consumes a significant amount of time and resources from busy data teams. Over the past year, as part of our mission to help companies streamline data security and operations, we have added many capabilities to the Satori DataSecOps platform that help enterprises simplify data access and security. Today we are taking the platform one step further with a new way to automate repetitive data engineering tasks: declarative data access and security templates powered by Terraform. We are pleased to introduce the Satori Terraform Provider.

What Is the Satori Terraform Provider?

The Satori Terraform Provider is an open-source Terraform provider built on the Satori API (the source is on GitHub). It lets data engineers declare users' data entitlements as code, so that data access and security configuration can be automated, replicated, reverted, and integrated into the deployment processes already used for the rest of the data infrastructure.

You can access the official Satori Terraform Provider documentation here.

What Can the Satori Terraform Provider Be Used For?

Provision Datasets

In Satori, access controls and security policies are managed per dataset. A dataset is any combination of tables, schemas, databases, or even entire data stores that share a common context; it can be organized by business domain, department, data source, data type, or project. Each dataset is assigned a data steward who has permission to manage user access and security controls. With the Satori Terraform Provider you can keep dataset templates, so when a new dataset is needed the data engineer reuses an existing template and declares the new dataset within minutes, assigning the relevant data stewards and default access policies.

In the example below we add a dataset for Project X that includes the schema_x schema from our sales database and the project_x table from the projects schema in the marketing database, and we assign Dave as the data steward for Project X. Each datastore value is the ID of the Satori data store that fronts the database. Here is what the Terraform code looks like:

# Look up the data steward by e-mail so we can reference the user's ID below.
data "satori_user" "data_steward" {
  email = "dave@acme.com"
}

resource "satori_dataset" "project_x" {
  definition {
    name        = "Project X"
    description = "All data for Project X"
    owners      = [data.satori_user.data_steward.id]

    # The whole schema_x schema in the sales database.
    include_location {
      datastore = "5E6F6G7H"
      relational_location {
        db     = "sales"
        schema = "schema_x"
      }
    }

    # Only the project_x table from the projects schema in the marketing database.
    include_location {
      datastore = "8I9J10K1"
      relational_location {
        db     = "marketing"
        schema = "projects"
        table  = "project_x"
      }
    }
  }

  # Turn on access control so that only identities with an access rule can query the dataset.
  access_control_settings {
    enable_access_control = true
  }

  custom_policy {}
}

And this is what the generated configuration looks like in the Satori UI:

Set Access and Security Policies

Next, you can define security policies such as row-level security and data masking as global definitions and, with the Satori Terraform Provider, declare which of them apply to each user and group. Because this is done in the same configuration that creates the dataset, the dataset comes with its required security policies and access controls from the first apply: your data users can start accessing the data immediately, while security and compliance are enforced from the start rather than bolted on later.

You can also grant users and groups entitlements to datasets. Below is a simple access control definition for Project X: read-only access for Michael and for the US Analysts Okta group, with an expiry date (expire_on) set 30 days out so the grant is revoked automatically and access to the data stays least-privilege. Note that expire_on is an absolute RFC 3339 timestamp, not a relative duration, so the expiry has to be computed when the rule is provisioned.

resource "satori_access_rule" "project_x_access_controls" {
  # Attach the rule to the data policy of the dataset declared above.
  parent_data_policy = satori_dataset.project_x.data_policy_id
  access_level       = "READ_ONLY"

  identity {
    type = "USER"
    name = "MICHAEL"
  }

  identity {
    type = "IDP_GROUP"
    name = "US Analysts"
  }

  # Access is revoked automatically at this time (RFC 3339, UTC).
  # Hour 24 is not a valid time of day, so the end of 2021-09-05 is
  # written as midnight on the following day.
  expire_on = "2021-09-06T00:00:00Z"

  # PII masking policy, referenced by its Satori security policy ID.
  security_policies = ["A3K5OlR6"]
}

And this is what it looks like in the Satori UI:
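An expiry on an access rule only protects you if it is present, valid and short before the plan is applied. The following is an added example written for this article, not code from Satori or from the provider: a pre-apply check that reads the JSON printed by `terraform show -json tfplan` (the planned_values layout is Terraform's documented JSON output format) and fails any satori_access_rule that has no expire_on, an expire_on that is not valid RFC 3339, an expiry already in the past, or a grant longer than an assumed 30-day window. The sample plan is constructed inline and is not real Satori output. A value such as 2021-09-05T24:00:00Z, which looks like midnight but is not a valid time of day, is reported as invalid instead of being accepted.

```python
"""Pre-apply guardrail for Satori access rules in a Terraform plan.

Added example, not part of the Satori provider. Input is the JSON from
`terraform show -json tfplan`; only planned_values.root_module.resources
(address, type, values) is read.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Longest grant a single access rule may carry: an assumption for this example.
MAX_GRANT = timedelta(days=30)


def parse_rfc3339(value):
    """Return an aware datetime for a valid RFC 3339 string, else None.

    '2021-09-05T24:00:00Z' is rejected because hour 24 is not a time of
    day; the end of that day is written '2021-09-06T00:00:00Z'.
    """
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # RFC 3339 requires a UTC offset; a naive timestamp is not acceptable.
    return parsed if parsed.tzinfo is not None else None


def access_rules(plan):
    """Yield (address, values) for every satori_access_rule in the plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") == "satori_access_rule":
            yield res["address"], res.get("values", {})


def check_plan(plan, now):
    """Return one finding per access rule that violates the expiry policy."""
    findings = []
    for address, values in access_rules(plan):
        who = ", ".join(f"{i.get('type')}:{i.get('name')}" for i in values.get("identity", []))
        raw = values.get("expire_on")
        if raw is None:
            findings.append(f"{address} [{who}]: no expire_on, access would never be revoked")
            continue
        expiry = parse_rfc3339(raw)
        if expiry is None:
            findings.append(f"{address} [{who}]: expire_on {raw!r} is not valid RFC 3339")
            continue
        if expiry <= now:
            findings.append(f"{address} [{who}]: expire_on {raw} is already in the past")
        elif expiry - now > MAX_GRANT:
            findings.append(f"{address} [{who}]: grant lasts {(expiry - now).days} days, "
                            f"more than the {MAX_GRANT.days}-day limit")
    return findings


def rule(name, identities, **values):
    """Build one planned resource in the shape `terraform show -json` uses."""
    return {"address": f"satori_access_rule.{name}", "type": "satori_access_rule",
            "name": name,
            "values": {"access_level": "READ_ONLY", "identity": identities, **values}}


# Constructed sample plan (not real Satori output): one compliant rule and
# three that should stop the pipeline before `terraform apply`.
SAMPLE_PLAN = {"format_version": "1.0", "planned_values": {"root_module": {"resources": [
    rule("project_x_access_controls",
         [{"type": "USER", "name": "MICHAEL"}, {"type": "IDP_GROUP", "name": "US Analysts"}],
         expire_on="2021-09-05T00:00:00Z"),
    rule("hour_24", [{"type": "USER", "name": "MICHAEL"}], expire_on="2021-09-05T24:00:00Z"),
    rule("no_expiry", [{"type": "IDP_GROUP", "name": "US Analysts"}]),
    rule("too_long", [{"type": "USER", "name": "MICHAEL"}], expire_on="2021-12-01T00:00:00Z"),
]}}}

# Fixed reference time so the sample is reproducible; a real run uses the current time.
SAMPLE_NOW = datetime(2021, 8, 6, tzinfo=timezone.utc)


def main():
    """Usage: terraform show -json tfplan | python check_plan.py"""
    if sys.stdin.isatty():
        plan, now = SAMPLE_PLAN, SAMPLE_NOW
    else:
        plan, now = json.load(sys.stdin), datetime.now(timezone.utc)
    findings = check_plan(plan, now)
    for line in findings:
        print("FAIL", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step between `terraform plan -out tfplan` and `terraform apply tfplan`; a non-zero exit stops the pipeline, so an access rule that would grant indefinite access never reaches Satori.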

Version Control

Since all Terraform definition files live in your source control system, you can trace every change to dataset and policy definitions down to the individual table and user, together with who made it and who approved it; a search of the repository history (for example with git's pickaxe option, git log -S) answers the question directly. Without this, consider the effort needed to work out when a specific user was granted access to a specific table and by whom.

Destroying a Data Project (and All Access to It)

Lastly, what do you typically do when a dataset is no longer needed? Do you have a healthy data lifecycle practice in which all unnecessary data entitlements and permissions are removed at the project's end? With the Satori Terraform Provider you can remove the dataset configuration and all access entitlements that depend on it with a single command. Because the access rule references satori_dataset.project_x.data_policy_id, Terraform treats it as a dependent of the dataset and destroys it as well when the dataset is targeted. Review the destroy plan first (terraform plan -destroy with the same -target) and then run:

terraform destroy -target=satori_dataset.project_x

How to Get Started?

Getting started is simple.

First, you will need a Satori account. If you don’t have one yet, contact us at contact@satoricyber.com or schedule a demo to request a Satori trial.

Second, install the Satori Terraform Provider.

Third, define a satori_dataset and a satori_access_rule resource, and you are on your way to automated data security and access control.