Group Access provides a way to control queries and ensure they will only return data that has been approved for a group member to access. Any query that attempts to access data types that are restricted will be rejected. In addition to controlling access to data types, specific query operations can also be allowed or restricted.
All queries are routed through JumpWire's Database Proxy for enforcing the access controls. JumpWire simplifies authentication by providing a magic link to the client, which is used to identify the user and gives the user a menu to select which database they would like to connect to. After selecting the database, the user is connected to the database with default privileges based on the groups they are a member of.
JumpWire's proxy implements native database protocols, so creating a connection is as simple as using any client with a connection string assigned to the proxy instance hostname.
In this example, we are using psql to connect to a PostgreSQL database, through the proxy instance at jump-db.yourdomain.io:
When visiting the link, the user is presented with a list of databases they can select from
After clicking connect, the connection to the selected database is completed, and a psql query prompt is shown:
Start with a Deployment of the JumpWire proxy - the container can be run on any orchestration or cloud platform. You can find more reference architecture examples in this repository. It's important that the target database is reachable and addressable from the proxy.
Next, configure a connection to the target database through the Databases page. Enter connection details and credentials, or load credentials from a secret store such as Vault.
Once the proxy connects to the target database, it will scan the schema and suggest labels for various data types, such as PII or secrets. Alternatively, define custom labels under the configuration page, and add labels to columns or tables.
After schemas have been labeled in the target database, permissions can be assigned to groups for distinct query operations. For each label, a group can be granted the ability to select, insert, update, or delete data corresponding to that label.
For example, data categorized as "secret" may be able to be selected and inserted, but not updated or deleted. Or deletes can be restricted for all labeled data, effectively disabling the ability to delete any rows from a particular schema.
Any data that is not labeled can be freely queried for select, insert, update or delete through the proxy without restrictions.
Navigate to the Group Access page to set permissions for each group.
While groups can be managed in JumpWire, this is not recommended. Instead groups can be synced from a directory or identity provider through SSO or SCIM. This alleviates the need to recreate group membership from a source of truth.
Google Groups can be synced into JumpWire using Google Workspace SSO. A Google Workspace administrator can use the details under the "SSO" tab on the JumpWire Group Access page to set up OAuth. A complete guide can be found at Google Workspace SSO. This enables a user's groups to be synced into the claims object that is used to authenticate the user through Single Sign-on with Google.
Now when a user authenticates using Google Workspace, they will be added a members to their Google Groups. This will occur when they authenticate after clicking on the magic link supplied as part of the database access flow, described above.
AWS IAM Identity Center
Azure Active Directory