With the growing emphasis on data security and accessibility, companies are seeking innovative solutions to streamline their data governance processes. One such solution is Satori, an Amazon Redshift Ready partner, that promises to enhance both the user experience and administrative tasks related to gaining and revoking access to data. Through its unique approach, Satori facilitates just-in-time and self-service access to data, ensuring a seamless and secure experience for both data consumers and administrators.
Satori simplifies the complexity of managing data access by providing a transparent layer that is deployed in front of the existing Redshift data warehouse. This layer offers visibility and control capabilities without requiring data consumers to change their way of working, such as by installing different database drivers or altering queries. The following sections break down how Satori achieves this, with specific attention to the processes from both the admin and user perspectives.
1. Admin Perspective: Create Access Request and Self-Service Rules
To initiate self-service access, the admin must first preconfigure the user access rules. These rules determine the level of access and its expiration, ensuring that only authorized users can access sensitive data.
Go to the Datasets Page and Select User Access Requests
Navigate to the Datasets page and choose User Access Requests. The first step for the admin is to navigate to the Datasets page in the Satori interface. Here, the admin can manage user access requests. Selecting “User Access Requests” allows the admin to proceed with configuring the access rules.
Choose Self-Service Rule in the Self-Service Access Section
In the Self-Service Access section, choose Self-Service Rule. The self-service access section of the Satori interface is where the admin can create self-service rules. Choosing the “Self-Service Rule” option enables setting up the necessary parameters for self-service data access.
Specify the Required Level of Access
Specify the required level of access. Admins have several options when specifying the level of access. These include setting the access level by user or group, defining expiration periods, and establishing revocation rules. For instance, a self-service user group might have read-only access for 30 days, with the access revoking after seven days of inactivity.
Once the access rules are configured, they appear in the list of self-service rules. This ensures that users have the appropriate level of access based on their credentials and the predefined rules set by the admin.
2. User Perspective: Create Access Request and Self-Service Rules
From the user’s perspective, gaining access to data is straightforward and automated, thanks to the preconfigured rules set by the admin. Users can access their personalized data portal to view available datasets and request access as needed.
Enter the Satori Personalized Data Portal
- Enter the Satori personalized data portal using the Data Portal option on the options menu (three vertical dots). Users can access the Satori personalized data portal from the options menu. This portal displays all available datasets, and users can quickly identify which datasets they already have self-service access to, listed under My Data.
View Available Datasets
- The data portal will display all available datasets. Any datasets that the user already has self-service access to will appear under My Data. All other datasets appear under Available Datasets. The portal categorizes datasets into those the user has access to and those that are available for request. This clear delineation makes it easy for users to see their current access and potential datasets they might need.
Request Immediate Access to Desired Dataset
- Choose the desired dataset (in this case, CustomerDataset) and request immediate access to this dataset by choosing Ask for Access to Dataset. To request immediate access to a specific dataset, users can simply select the desired dataset and choose the “Ask for Access to Dataset” option. This initiates the request process based on the preconfigured self-service rules.
Select Self Service for Access Request
- For Access Request, choose Self Service. Users need to specify that their request is for self-service access. Selecting “Self Service” ensures that the request follows the automated access rules set by the admin.
Enter a Reason for the Request
- For Request Message, enter a reason for the request. Users are required to provide a reason for their access request. This adds an additional layer of security and ensures that access is granted with proper justification.
Submit the Request
- Choose Request. After specifying the access type and providing a reason, users can submit their request. If the user’s identity matches the preconfigured rules, access is granted automatically, and the dataset appears under My Data with the status “Access Granted”.
3. User Perspective: Create Access Request and Just-in-Time Rules
Just-in-time access provides an additional layer of security, as it requires admin approval for each access request. This process is similarly streamlined but includes an extra step of approval from the admin.
Log in to the Satori Portal
User John Doe logs in to the Satori portal and finds the Available Datasets section in their data portal. Users log in to the Satori portal and view the available datasets. If the needed data is not already accessible, it can be requested.
Submit a Request for the Desired Dataset
The user submits a request for CustomerDataset. By selecting the desired dataset and submitting a request, users initiate the just-in-time access process. Each request is tracked and requires admin approval before access is granted.
Wait for Admin Approval
The request from user John Doe for CustomerDataset stays in Pending Approval status until approved by the admin. The request status remains “Pending Approval” until the admin reviews and approves the access. This ensures that data security is maintained and only authorized users gain access.
4. Admin Perspective: Approve or Deny Access Requests
Admins have the responsibility to approve or deny access requests. This step ensures that data access complies with security and governance policies.
Receive Request Notification
The admin receives the request from user John Doe through email and portal notifications for dataset requests. The admin receives notifications through email and the Satori portal, alerting them to the pending access request. This immediate notification allows for timely review and response.
Approve or Deny the Request
The admin can approve or deny the request and might also designate the level of access and when that access expires. Admins can review the request details and decide whether to approve or deny it. They can also define the level of access and set an expiration period to ensure that access is time-bound and secure.
Modify Approval Conditions if Necessary
The admin can choose the pencil icon to edit the request before approval and modify the approval conditions. If necessary, admins have the flexibility to modify the approval conditions before granting access. This could include adjusting the access level or setting specific conditions for the access to be valid.
5. Admin Perspective: Preconfigure User Access Rules
Preconfiguring user access rules allows admins to streamline the access request process. This ensures that access policies are consistently applied and that security measures are upheld.
Go to the Datasets Page and Select User Access Requests
On the Datasets page, choose User Access Requests. Admins navigate to the Datasets page and select “User Access Requests” to manage and configure access rules. These rules govern how and when users can access specific datasets.
Fill Out the Access Request Rule
Fill out the access request rule. Completing the access request rule involves specifying the conditions under which access can be granted. This includes defining user groups, access levels, and expiration periods.
Add the Access Request Rule
Choose Add. Once the access request rule is filled out, admins can add it to the list of preconfigured rules. This rule will then be applied automatically whenever a user requests access, streamlining the approval process and ensuring consistent application of security policies.
6. Clean Up
To avoid unintended costs, it is crucial to clean up any resources provisioned during the setup or demo process. This includes deleting Redshift clusters, security groups, and Satori configurations that are no longer needed.
Admins should ensure that all resources provisioned as part of the setup are deleted to prevent unnecessary expenses. This step is essential for maintaining an efficient and cost-effective data management environment.
7. Summary
From the user’s perspective, accessing data is simple and automated due to the admin’s pre-set rules. Users can go to their personalized data portal to view and request datasets as needed.
Enter the Satori Personalized Data Portal
Find the Satori personalized data portal in the options menu (three vertical dots). This portal shows all datasets, with those already accessible listed under My Data.
View Available Datasets
The data portal displays all datasets. Those already accessible to the user appear under My Data, and others under Available Datasets. This clear layout helps users quickly see what they can access and what they may need.
Request Immediate Access to Desired Dataset
Select the desired dataset, such as CustomerDataset, and request immediate access by choosing “Ask for Access to Dataset.” This starts the request process according to preconfigured self-service rules.
Select Self Service for Access Request
Choose “Self Service” for the access request to follow the admin-set automated rules.
Enter a Reason for the Request
Provide a reason for the request in the Request Message section. This adds a layer of security and ensures requests are justified.
Submit the Request
After specifying the access type and reason, submit the request. If the user’s credentials match the pre-set rules, access is automatically granted, and the dataset will appear under My Data with “Access Granted” status.
