turbot/guardrails
steampipe plugin install guardrails

Table: guardrails_grant - Query Guardrails Grants using SQL

Guardrails Grant is a feature in Guardrails that allows users to manage and control the permissions and rules within a system. It provides a way to set up and manage grants for various resources, including users, roles, and groups. Guardrails Grant helps you stay informed about the permissions and rules of your resources and take appropriate actions when predefined conditions are met.

Table Usage Guide

The guardrails_grant table provides insights into the grants within Guardrails. As a System Administrator, explore grant-specific details through this table, including grantee, grantor, and guardrail details. Utilize it to uncover information about grants, such as those with specific permissions, the relationships between grants, and the verification of guardrail rules.

Examples

Basic info

Explore the status and details of various identities and their associated profiles and levels to better understand the configuration and organization of your guardrails grant. This can help in managing access controls and permissions effectively.

select
  id,
  identity_status,
  identity_email,
  identity_profile_id,
  identity_trunk_title,
  level_title,
  resource_trunk_title
from
  guardrails_grant;

List grants for an identity

Explore the level of access granted to a specific user. This is useful for auditing purposes, ensuring that each user has the appropriate level of system permissions.

select
  id,
  identity_email,
  identity_family_name,
  level_title,
  level_trunk_title
from
  guardrails_grant
where
  identity_email = 'xyz@gmail.com';

List SuperUser grants

List the identities that have been granted SuperUser access. This helps in maintaining security by identifying who has high-level permissions and where these permissions are applied.

select
  id,
  identity_email,
  identity_family_name,
  level_title,
  resource_trunk_title
from
  guardrails_grant
where
  level_uri = 'tmod:@turbot/turbot-iam#/permission/levels/superuser';

List grants for inactive identities

List grants that are still assigned to inactive identities. This is useful to ensure that no unnecessary permissions remain with inactive users, thereby enhancing security measures.

select
  id,
  identity_email,
  identity_status,
  resource_trunk_title
from
  guardrails_grant
where
  identity_status = 'Inactive';
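
The SuperUser and inactive-identity filters above can be combined into a single access-review query. The following is an added example, not part of the plugin's documentation; it uses only columns from the guardrails_grant schema, and the 90-day threshold and the review_reason column name are assumptions chosen for illustration.

```sql
-- Added example: SuperUser grants that are candidates for review or revocation.
-- Assumptions: 90-day inactivity threshold; Postgres (Steampipe) syntax.
select
  id,
  identity_email,
  identity_status,
  identity_last_login_timestamp,
  level_title,
  resource_trunk_title,
  case
    when identity_status = 'Inactive' then 'inactive identity'
    when identity_last_login_timestamp is null then 'no login recorded'
    else 'no login in 90 days'
  end as review_reason
from
  guardrails_grant
where
  level_uri = 'tmod:@turbot/turbot-iam#/permission/levels/superuser'
  and (
    identity_status = 'Inactive'
    or identity_last_login_timestamp is null
    or identity_last_login_timestamp < now() - interval '90 days'
  )
order by
  -- Oldest (or missing) logins first, so the stalest grants head the list.
  identity_last_login_timestamp asc nulls first;
```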

Schema for guardrails_grant

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| create_timestamp | timestamp with time zone | | The create time of the grant. |
| filter | text | `=` | Filter used for this grant list. |
| id | bigint | `=` | Unique identifier of the grant. |
| identity_akas | jsonb | | AKA (also known as) identifiers for the identity |
| identity_display_name | text | | Display name of the identity. |
| identity_email | text | | Email identity for the identity. |
| identity_family_name | text | | Family name of the identity. |
| identity_given_name | text | | Given name of the identity. |
| identity_last_login_timestamp | timestamp with time zone | | Last login timestamp. |
| identity_profile_id | text | | Profile id of the identity. |
| identity_status | text | | Status of the identity. |
| identity_trunk_title | text | | Full title (including ancestor trunk) of the grant identity. |
| level_title | text | | The title of the level. |
| level_trunk_title | text | | Full title (including ancestor trunk) of the level. |
| level_uri | text | | The URI of the level. |
| resource_id | bigint | | Unique identifier of the resource. |
| resource_trunk_title | text | | Full title (including ancestor trunk) of the resource. |
| resource_type_trunk_title | text | | Full title (including ancestor trunk) of the grant type. |
| resource_type_uri | text | | URI of the resource type. |
| sp_connection_name | text | `=`, `!=`, `~~`, `~~*`, `!~~`, `!~~*` | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| timestamp | timestamp with time zone | | Timestamp when the grant was last modified (created, updated or deleted). |
| update_timestamp | timestamp with time zone | | When the grant was last updated in Turbot. |
| version_id | bigint | | Unique identifier for this version of the identity. |
| workspace | text | | Specifies the workspace URL. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails

You can pass the configuration to the command with the --config argument:

steampipe_export_guardrails --config '<your_config>' guardrails_grant