Table: guardrails_grant - Query Guardrails Grants using SQL
Guardrails Grant is a feature in Guardrails that allows users to manage and control the permissions and rules within a system. It provides a way to set up and manage grants for various resources, including users, roles, and groups. Guardrails Grant helps you stay informed about the permissions and rules of your resources and take appropriate actions when predefined conditions are met.
Table Usage Guide
The guardrails_grant table provides insights into the grants within Guardrails. As a System Administrator, explore grant-specific details through this table, including grantee, grantor, and guardrail details. Utilize it to uncover information about grants, such as those with specific permissions, the relationships between grants, and the verification of guardrail rules.
Examples
Basic info
Explore the status and details of various identities and their associated profiles and levels to better understand the configuration and organization of your guardrails grant. This can help in managing access controls and permissions effectively.
select id, identity_status, identity_email, identity_profile_id, identity_trunk_title, level_title, resource_trunk_title from guardrails_grant;
List grants for an identity
Explore the level of access granted to a specific user. This is useful for auditing purposes, ensuring that each user has the appropriate level of system permissions.
select id, identity_email, identity_family_name, level_title, level_trunk_title from guardrails_grant where identity_email = 'xyz@gmail.com';
List SuperUser grants
Identify the identities that have been granted SuperUser access and the resources where that access applies. This helps in maintaining security by showing who has high-level permissions and where these permissions are applied.
select id, identity_email, identity_family_name, level_title, resource_trunk_title from guardrails_grant where level_uri = 'tmod:@turbot/turbot-iam#/permission/levels/superuser';
List grants for inactive identities
Find grants that are still assigned to inactive identities, and the resources they apply to. This is useful to ensure that inactive users do not retain unnecessary permissions.
select id, identity_email, identity_status, resource_trunk_title from guardrails_grant where identity_status = 'Inactive';
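The SuperUser and inactive-identity checks above can be combined into a single audit query. The following is an added example, not part of the plugin's own documentation; it uses only columns from the schema below, and the 90-day login window and the `finding` labels are assumptions to adjust to your own policy.

```sql
-- Added example: SuperUser grants whose holder is inactive or has no recent login.
-- Assumption: 90 days without a login is treated as stale.
select
  id,
  identity_email,
  identity_status,
  identity_last_login_timestamp,
  resource_trunk_title,
  create_timestamp,
  case
    when identity_status = 'Inactive' then 'inactive identity'
    when identity_last_login_timestamp is null then 'no recorded login'
    else 'no login in 90 days'
  end as finding
from
  guardrails_grant
where
  level_uri = 'tmod:@turbot/turbot-iam#/permission/levels/superuser'
  and (
    identity_status = 'Inactive'
    or identity_last_login_timestamp is null
    or identity_last_login_timestamp < now() - interval '90 days'
  )
order by
  identity_last_login_timestamp nulls first,
  identity_email;
```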
Schema for guardrails_grant
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
create_timestamp | timestamp with time zone | | The create time of the grant. |
filter | text | = | Filter used for this grant list. |
id | bigint | = | Unique identifier of the grant. |
identity_akas | jsonb | | AKA (also known as) identifiers for the identity |
identity_display_name | text | | Display name of the identity. |
identity_email | text | | Email identity for the identity. |
identity_family_name | text | | Family name of the identity. |
identity_given_name | text | | Given name of the identity. |
identity_last_login_timestamp | timestamp with time zone | | Last login timestamp. |
identity_profile_id | text | | Profile id of the identity. |
identity_status | text | | Status of the identity. |
identity_trunk_title | text | | Full title (including ancestor trunk) of the grant identity. |
level_title | text | | The title of the level. |
level_trunk_title | text | | Full title (including ancestor trunk) of the level. |
level_uri | text | | The URI of the level. |
resource_id | bigint | | Unique identifier of the resource. |
resource_trunk_title | text | | Full title (including ancestor trunk) of the resource. |
resource_type_trunk_title | text | | Full title (including ancestor trunk) of the grant type. |
resource_type_uri | text | | URI of the resource type. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
timestamp | timestamp with time zone | | Timestamp when the grant was last modified (created, updated or deleted). |
update_timestamp | timestamp with time zone | | When the grant was last updated in Turbot. |
version_id | bigint | | Unique identifier for this version of the identity. |
workspace | text | | Specifies the workspace URL. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails
You can pass the configuration to the command with the --config argument:
steampipe_export_guardrails --config '<your_config>' guardrails_grant