Skip to content

Baseline Security Policy

The baseline security policy defines coarse-grained security controls for proxy-based data stores.

The following section describes the available settings that Satori administrators can use when configuring the baseline security policy.

Screenshot

To configure a data stores baseline security policy perform the following steps:

  1. Go to the Data Stores view
  2. Select the data store that you wish to configure
  3. Click on the Baseline Security Policy tab
  4. Configure your baseline security policy according to the guidelines explained below

Queries not Associated with a Dataset

When the Satori DAC intercepts a query, it analyzes the query to determine which data store locations (for example, tables or views) it uses. The DAC then looks up all of the datasets for those locations. If the DAC did not find any dataset, the query is considered as not associated with a dataset.

Use the following settings to control how Satori handles queries that are not associated with a dataset. The available options are as follows:

  • Allow - Satori passes the query for execution in the data store.
  • Redact Sensitive Data - Satori passes the query for execution in the data store, and attempts to redact any sensitive data it finds in the result set.
  • Block - Satori blocks the query from executing in the data store.

The following table defines when to use each of the options:

Option Considerations
Block (recommended) When onboarding users to query data via Satori, some queries may be blocked if not all datasets have been configured yet.
Redact Sensitive Data When onboarding users to query data via Satori, some queries may return redacted data if not all of the datasets have been configured.
Allow This option is not recommended as it may lead to users accessing restricted data. Use this option only when deploying Satori in audit-only mode.

Note: The baseline security policy redaction is a best-effort control and should not be used as the only security mechanism to protect sensitive data.

Unsupported Queries

When the Satori DAC intercepts a query, it analyzes it to determine which security policy to enforce. If Satori encounters an error or is otherwise unable to enforce the required security policies, the query is considered unsupported.

Use these settings to control how Satori handles unsupported queries. The available options are as follows:

  • Allow - Satori passes the query for execution in the data store.
  • Redact Sensitive Data - Satori passes the query for execution in the data store and attempts to redact any sensitive data its find in the result set.
  • Block - Satori blocks the query from being executed in the data store or prevents the query results from being returned to the user.

The following table summarizes when to use each option:

Option Considerations
Block (recommended) Users may get blocked when running queries that use advanced data store features.
Redact Sensitive Data Users may get redacted data when running unsupported queries.
Allow This option is not recommended as it may lead to users accessing restricted data. Only use this option when deploying Satori in audit-only mode.

Note: The baseline security policy redaction is a best-effort control and should not be used as the only security mechanism to protect sensitive data.

Common Types Unsupported Queries

There are several classes of issues that may lead to a query being considered as unsupported.

Query Parsing Error

In the event that Satori encounters an error while reading the SQL query. The SQL query may be malformed, it may have a typo or contain elements that the SQL parser is not familiar with.

The following query has a typo and will not be parsed correctly by Satori:

SELECT * FRO customers;

Query Analysis Error

In the event that Satori encounters an error while analyzing the meaning of the SQL query. The SQL may contain unqualified object IDs that Satori failed to qualify, or it may use a function Satori is not familiar with and cannot determine how it will be executed on the data store.

The following query uses a user-defined function:

SELECT * FROM my_udf();

The following query uses a parameter instead of the table name:

SET some_table='table1';
SELECT * FROM IDENTIFIER($some_table);

Result Set Error

In the event that Satori encounters an error while reading or modifying the content of the result set. The result set may use a data type that Satori is unfamiliar with, or a masking function failed to transform the data of the result set.

Exceptions

When you need to exclude a user or a query from the baseline security policy, you can add the user to the Exempt Users from the Baseline Security Policy list or the query pattern in regex format to the Exempt Queries from the Baseline Security Policy list.

Monitoring Query Issues

Satori continuously monitors issues in query analysis and addresses them proactively. To monitor query issues use the Queries not Associated With a Dataset report and Unsupported Queries report.