# Group Access
Group access provides a way to control queries and ensure they only return data that a member of the group has been approved to access. Any query that attempts to access a restricted data type is rejected. In addition to controlling access to data types, specific query operations (select, insert, update, delete) can be allowed or restricted per group.

All queries are routed through JumpWire's database proxy, which enforces the access controls.

JumpWire simplifies authentication by providing a magic link to the client. The link identifies the user and presents a menu for selecting which database they would like to connect to. After selecting a database, the user is connected to it with default privileges derived from the groups they are a member of.

## Initiating a database session

JumpWire's proxy implements native database protocols, so creating a connection is as simple as using any client with a connection string that points at the proxy instance hostname. In this example, we use psql to connect to a PostgreSQL database through the proxy instance at `jump-db.yourdomain.io`:

```
$ psql -h jump-db.yourdomain.io
NOTICE:  Protected by JumpWire. Authenticate by visiting https://app.jumpwire.io/authz/sfmynty.g2gdaartaaaajgy2mdblody1lwq1mjctndg2yi05y2yxltg4ywewmda3zmjmzw0aaaakngmynwzjzjitode1yy00nwywlthhymqtm2fjytlhndhinmnhzaakcg9zdgdyzxnxbg0aaaakotblmzjmndatmwnioc00mzm5ltlmyjitm2q0ndiymzc1ztlibgya2ivo2igbygabuya.9qj7jtsurwl5gjuhtkagpn3web8nwf2n mmngm1deje
```

When visiting the link, the user is presented with a list of databases they can select from.

[Image: Database selection]

After clicking Connect, the connection to the selected database is completed and a psql query prompt is shown:

```
$ psql -h jump-db.yourdomain.io
NOTICE:  Protected by JumpWire. Authenticate by visiting https://app.jumpwire.io/authz/sfmynty.g2gdaartaaaajgy2mdblody1lwq1mjctndg2yi05y2yxltg4ywewmda3zmjmzw0aaaakngmynwzjzjitode1yy00nwywlthhymqtm2fjytlhndhinmnhzaakcg9zdgdyzxnxbg0aaaakotblmzjmndatmwnioc00mzm5ltlmyjitm2q0ndiymzc1ztlibgya2ivo2igbygabuya.9qj7jtsurwl5gjuhtkagpn3web8nwf2n mmngm1deje
psql (13.10 (Ubuntu 13.10-1.pgdg20.04+1), server 12.14 (Ubuntu 12.14-1.pgdg20.04+1))
Type "help" for help.

ryan=#
```

## Getting started

Start with a deployment of the JumpWire proxy. The container can be run on any orchestration or cloud platform; you can find more reference architecture examples in this repository. It is important that the target database is reachable and addressable from the proxy.

Next, configure a connection to the target database through the Databases page. Enter connection details and credentials, or load credentials from a secret store such as Vault. Once the proxy connects to the target database, it scans the schema and suggests labels for various data types, such as PII or secrets. Alternatively, define custom labels under the Configuration page and add labels to columns or tables.

## Setting group permissions

After schemas have been labeled in the target database, permissions can be assigned to groups for distinct query operations. For each label, a group can be granted the ability to select, insert, update, or delete data carrying that label. For example, data labeled "secret" may be selectable and insertable, but not updatable or deletable. Deletes can also be restricted for all labeled data, effectively disabling the ability to delete any rows from a particular schema.

Any data that is not labeled can be freely queried for select, insert, update, or delete through the proxy without restrictions. Because enforcement is driven entirely by labels, review the suggested labels and add any the scan missed before relying on group permissions to protect a column.

Navigate to the Group Access page to set permissions for each group.

## Group sources

While groups can be managed in JumpWire directly, this is not recommended. Instead, groups can be synced from a directory or identity provider through SSO or SCIM. This alleviates the need to recreate group membership that already exists in a source of truth.

### Google Groups

Google Groups can be synced into JumpWire using Google Workspace SSO. A Google Workspace administrator can use the details under the "SSO" tab on the JumpWire Group Access page to set up OAuth. A complete guide can be found at Google Workspace SSO. This enables a user's groups to be synced into the claims object that is used to authenticate the user through single sign-on with Google.

[Image: Google Workspace SSO]

Now, when a user authenticates using Google Workspace, they are added as members of their Google Groups. This occurs when they authenticate after clicking the magic link supplied as part of the database access flow described above.

[Image: Google SSO login]

### AWS IAM Identity Center

Coming soon.

### Azure Active Directory

Coming soon.
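As an added illustration of the permission model described under "Setting group permissions" above: the script below is example code written for this page, not JumpWire's implementation. It assumes a deliberately small statement shape (single table, no joins or subqueries) and constructed labels, tables, columns and group grants; it applies the three rules the page states (every label a statement touches needs a grant for that operation, unlabeled columns are unrestricted, and one denied label rejects the whole query).

```python
import re
from dataclasses import dataclass


@dataclass
class Group:
    """A group and its per-label grants: label -> set of allowed operations."""
    name: str
    grants: dict


@dataclass
class Decision:
    allowed: bool
    operation: str
    denied_labels: list


def parse_statement(sql):
    """Reduce a simple single-table statement to (operation, table, columns).

    Hypothetical, intentionally small parser: no joins, subqueries or
    schema-qualified names. A column list containing "*" means every column.
    """
    s = sql.strip().rstrip(";")
    m = re.match(r"select\s+(.+?)\s+from\s+(\w+)", s, re.I | re.S)
    if m:
        return "select", m.group(2).lower(), [c.strip() for c in m.group(1).split(",")]
    m = re.match(r"insert\s+into\s+(\w+)\s*\(([^)]*)\)", s, re.I)
    if m:
        return "insert", m.group(1).lower(), [c.strip() for c in m.group(2).split(",")]
    m = re.match(r"update\s+(\w+)\s+set\s+(.+?)(?:\s+where\b|$)", s, re.I | re.S)
    if m:
        cols = [a.split("=")[0].strip() for a in m.group(2).split(",")]
        return "update", m.group(1).lower(), cols
    m = re.match(r"delete\s+from\s+(\w+)", s, re.I)
    if m:
        return "delete", m.group(1).lower(), ["*"]  # whole rows: every column is touched
    raise ValueError("unsupported statement: " + sql)


def labels_touched(schema, table, columns):
    """Collect the labels on every column the statement reads or writes."""
    wildcard = any("*" in c for c in columns)
    wanted = {c.lower() for c in columns}
    touched = set()
    for (t, c), labels in schema.items():
        if t == table and (wildcard or c.lower() in wanted):
            touched |= labels
    return touched


def authorize(schema, group, sql):
    """Allow the statement only if the group holds the operation on every label it touches."""
    op, table, columns = parse_statement(sql)
    denied = sorted(
        label for label in labels_touched(schema, table, columns)
        if op not in group.grants.get(label, set())
    )
    return Decision(allowed=not denied, operation=op, denied_labels=denied)


# Constructed sample schema: (table, column) -> labels. "users.name" is unlabeled.
SCHEMA = {
    ("users", "email"): {"pii"},
    ("users", "ssn"): {"pii"},
    ("users", "api_key"): {"secret"},
}

# Constructed sample groups (hypothetical names and grants).
ANALYSTS = Group("analysts", {"pii": {"select"}})
ENGINEERS = Group("engineers", {
    "pii": {"select", "insert", "update", "delete"},
    "secret": {"select", "insert"},  # the page's example: secrets can be read and inserted, never updated or deleted
})

if __name__ == "__main__":
    for group, sql in [
        (ANALYSTS, "SELECT name FROM users"),
        (ANALYSTS, "SELECT * FROM users"),
        (ENGINEERS, "UPDATE users SET api_key = 'k' WHERE id = 3"),
        (ENGINEERS, "DELETE FROM users WHERE id = 3"),
    ]:
        d = authorize(SCHEMA, group, sql)
        verdict = "ALLOW" if d.allowed else "REJECT"
        print(f"{group.name:10} {verdict:6} {sql}  denied={d.denied_labels}")
```

Two consequences of the rules are visible in the sample: `SELECT *` on a table with any "secret" column is rejected for a group that only holds "pii" grants, even though every individually named "pii" column would be allowed, and a `DELETE` is rejected as soon as one label on the table lacks the delete grant, which is how withholding delete on all labels disables row deletion for the whole table.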