Table: guardrails_active_grant - Query Guardrails Active Grants using SQL
Guardrails is a security management service that enables organizations to implement and enforce consistent security policies across their environment. It provides a unified view of security posture, with the ability to monitor and manage security configurations, compliance status, and incident response. Active Grants within Guardrails represent the permissions and access levels currently granted to users or entities.
Table Usage Guide
The guardrails_active_grant table provides insights into the current permissions and access levels within Guardrails. As a security administrator, you can explore grant-specific details through this table, including the grantee, the grantor, the permission level, and the time the grant was made. Use it to monitor and manage access levels, ensuring that only the appropriate permissions are granted and maintained.
Important Notes
- The guardrails_active_grant table will only return active grants. Use the guardrails_grant table to get a list of all grants.
Examples
Basic info
Explore which active grants are in place by examining the status, associated email and profile ID. This allows you to assess the various levels of access and resources granted, providing a comprehensive overview of permissions within your organization.
```sql
select
  grant_id,
  identity_status,
  identity_email,
  identity_profile_id,
  identity_trunk_title,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant;
```
List active grants for an identity
Determine the active grants associated with a specific user's email. This is useful for understanding and managing the access rights and privileges of individual users within a system.
```sql
select
  grant_id,
  identity_status,
  identity_email,
  identity_trunk_title,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant
where
  identity_email = 'abc@gmail.com';
```
List active grants for inactive identities
Explore which active grants are associated with inactive identities to assess potential security risks and manage access control. This would be particularly useful in maintaining organizational security by ensuring that inactive identities do not have unnecessary access privileges.
```sql
select
  grant_id,
  identity_status,
  identity_email,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant
where
  identity_status = 'Inactive';
```
List inactive grants
Identify the grants that are currently inactive. This could be useful for auditing purposes or to clean up unused or unnecessary access permissions.
```sql
select
  grant_id,
  identity_email,
  level_title,
  level_trunk_title,
  level_uri,
  resource_trunk_title,
  resource_type_trunk_title
from
  guardrails_grant
where
  grant_id not in (
    select grant_id from guardrails_active_grant
  );
```
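List dormant identities that still hold active grants

The following query is an added example, not one of the page's own, and it builds on the "inactive identities" case above: it uses the schema's identity_last_login_timestamp column to surface identities that have not logged in for 90 days (or have never logged in) yet still hold active grants, summarised per identity so the accounts with the most standing access appear first. The 90-day window is an assumed review threshold, not a Guardrails default.

```sql
-- Added example (not from the Steampipe docs). Column names come from the
-- guardrails_active_grant schema; the 90-day window is an assumed threshold.
select
  identity_email,
  identity_status,
  identity_last_login_timestamp,
  count(*) as active_grant_count,
  -- distinct permission levels held by this identity
  string_agg(distinct level_title, ', ' order by level_title) as levels,
  -- every resource the identity still has access to
  string_agg(resource_trunk_title, '; ' order by resource_trunk_title) as resources
from
  guardrails_active_grant
where
  identity_last_login_timestamp is null
  or identity_last_login_timestamp < now() - interval '90 days'
group by
  identity_email,
  identity_status,
  identity_last_login_timestamp
order by
  active_grant_count desc,
  identity_last_login_timestamp nulls first;
```

Identities that appear here with a non-null last login older than the window are candidates for an access review; rows with a null last login (never logged in) deserve a look first, since their grants have never been exercised.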
Schema for guardrails_active_grant
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
create_timestamp | timestamp with time zone | | The create time of the grant. |
filter | text | = | Filter used for this grant list. |
grant_id | bigint | = | Unique identifier of the grant. |
identity_akas | jsonb | | AKA (also known as) identifiers for the identity. |
identity_display_name | text | | Display name of the identity. |
identity_email | text | | Email identity for the identity. |
identity_family_name | text | | Family name of the identity. |
identity_given_name | text | | Given name of the identity. |
identity_last_login_timestamp | timestamp with time zone | | Last login timestamp. |
identity_profile_id | text | | Profile id of the identity. |
identity_status | text | | Status of the identity. |
identity_trunk_title | text | | Full title (including ancestor trunk) of the grant identity. |
level_title | text | | The title of the level. |
level_trunk_title | text | | Full title (including ancestor trunk) of the level. |
level_uri | text | | The URI of the level. |
resource_id | bigint | | Unique identifier of the resource. |
resource_trunk_title | text | | Full title (including ancestor trunk) of the resource. |
resource_type_trunk_title | text | | Full title (including ancestor trunk) of the grant type. |
resource_type_uri | text | | URI of the resource type. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
timestamp | timestamp with time zone | | Timestamp when the grant was last modified (created, updated or deleted). |
update_timestamp | timestamp with time zone | | When the grant was last updated in Turbot. |
version_id | bigint | | Unique identifier for this version of the identity. |
workspace | text | | Specifies the workspace URL. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_guardrails --config '<your_config>' guardrails_active_grant
```