turbot/guardrails
steampipe plugin install guardrails

Table: guardrails_active_grant - Query Guardrails Active Grants using SQL

Guardrails is a security management service that enables organizations to implement and enforce consistent security policies across their environment. It provides a unified view of security posture, with the ability to monitor and manage security configurations, compliance status, and incident response. Active Grants within Guardrails represent the permissions and access levels currently granted to users or entities.

Table Usage Guide

The guardrails_active_grant table provides insights into the current permissions and access levels within Guardrails. As a security administrator, you can explore grant-specific details through this table, including the grantee, the grantor, the permission level, and the time the grant was made. Use it to monitor and manage access levels, ensuring that only the appropriate permissions are granted and maintained.

Important Notes

  • The guardrails_active_grant table will only return active grants. Use the guardrails_grant table to get a list of all grants.

Examples

Basic info

Explore which active grants are in place by examining the status, associated email and profile ID. This allows you to assess the various levels of access and resources granted, providing a comprehensive overview of permissions within your organization.

select
  grant_id,
  identity_status,
  identity_email,
  identity_profile_id,
  identity_trunk_title,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant;

List active grants for an identity

Determine the active grants associated with a specific user's email. This is useful for understanding and managing the access rights and privileges of individual users within a system.

select
  grant_id,
  identity_status,
  identity_email,
  identity_trunk_title,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant
where
  identity_email = 'abc@gmail.com';

List active grants for inactive identities

Explore which active grants are associated with inactive identities to assess potential security risks and manage access control. This would be particularly useful in maintaining organizational security by ensuring that inactive identities do not have unnecessary access privileges.

select
  grant_id,
  identity_status,
  identity_email,
  level_title,
  resource_trunk_title
from
  guardrails_active_grant
where
  identity_status = 'Inactive';
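
An access-review query that goes one step beyond the check above, added here as an example and not taken from the plugin documentation: it groups active grants by identity and flags identities that are marked Inactive, have no login recorded, or have not logged in recently. The 90-day threshold and the reason labels are assumptions; every column comes from the guardrails_active_grant schema, and the syntax is PostgreSQL.

```sql
-- Added example. Assumptions: the 90-day threshold and the reason labels.
-- A null identity_last_login_timestamp is reported as "no login recorded";
-- review those rows by hand, since the page does not say what a null means.
with stale as (
  select
    identity_email,
    identity_last_login_timestamp,
    level_title,
    resource_trunk_title,
    case
      when identity_status = 'Inactive' then 'inactive identity'
      when identity_last_login_timestamp is null then 'no login recorded'
      else 'no login in 90 days'
    end as reason
  from
    guardrails_active_grant
  where
    identity_status = 'Inactive'
    or identity_last_login_timestamp is null
    or identity_last_login_timestamp < now() - interval '90 days'
)
select
  identity_email,
  reason,
  max(identity_last_login_timestamp) as last_login,
  count(*) as active_grants,
  -- Distinct permission levels and resources still granted to this identity.
  string_agg(distinct level_title, ', ' order by level_title) as levels,
  string_agg(distinct resource_trunk_title, ', ' order by resource_trunk_title) as resources
from
  stale
group by
  identity_email,
  reason
order by
  active_grants desc,
  identity_email;
```

Identities at the top of the result hold the most standing access and are the first candidates for grant removal.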

List inactive grants

Identify the grants that are currently inactive. This could be useful for auditing purposes or to clean up unused or unnecessary access permissions.

select
  grant_id,
  identity_email,
  level_title,
  level_trunk_title,
  level_uri,
  resource_trunk_title,
  resource_type_trunk_title
from
  guardrails_grant
where
  grant_id not in (
    select
      grant_id
    from
      guardrails_active_grant
  );

Schema for guardrails_active_grant

| Name | Type | Operators | Description |
| _ctx | jsonb | | Steampipe context in JSON form. |
| create_timestamp | timestamp with time zone | | The create time of the grant. |
| filter | text | = | Filter used for this grant list. |
| grant_id | bigint | = | Unique identifier of the grant. |
| identity_akas | jsonb | | AKA (also known as) identifiers for the identity |
| identity_display_name | text | | Display name of the identity. |
| identity_email | text | | Email identity for the identity. |
| identity_family_name | text | | Family name of the identity. |
| identity_given_name | text | | Given name of the identity. |
| identity_last_login_timestamp | timestamp with time zone | | Last login timestamp. |
| identity_profile_id | text | | Profile id of the identity. |
| identity_status | text | | Status of the identity. |
| identity_trunk_title | text | | Full title (including ancestor trunk) of the grant identity. |
| level_title | text | | The title of the level. |
| level_trunk_title | text | | Full title (including ancestor trunk) of the level. |
| level_uri | text | | The URI of the level. |
| resource_id | bigint | | Unique identifier of the resource. |
| resource_trunk_title | text | | Full title (including ancestor trunk) of the resource. |
| resource_type_trunk_title | text | | Full title (including ancestor trunk) of the grant type. |
| resource_type_uri | text | | URI of the resource type. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| timestamp | timestamp with time zone | | Timestamp when the grant was last modified (created, updated or deleted). |
| update_timestamp | timestamp with time zone | | When the grant was last updated in Turbot. |
| version_id | bigint | | Unique identifier for this version of the identity. |
| workspace | text | | Specifies the workspace URL. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails

You can pass the configuration to the command with the --config argument:

steampipe_export_guardrails --config '<your_config>' guardrails_active_grant