
Universal data authorization

Powerful authorization policies follow your data, ensuring consistent protection everywhere your sensitive information flows.
Write-once, enforce-everywhere policies bind directly to your data types, not your systems, eliminating security gaps across your architecture.

Field level authorization

Field-level controls bind security policies directly to data types, ensuring consistent protection wherever sensitive data appears.

Whether DateOfBirth appears in your customer database or a Kafka topic, the same privacy rules follow the data automatically.

Policies as code

From simple role-based rules to complex data-driven logic, express your security requirements as code that travels with your data types.

Define once, automatically enforce everywhere.

Consistent, global auth

Define your policies once, and they’re automatically applied across Kafka, Lambda, databases, APIs, and more.

A simple git push updates everything consistently across your system.


Use cases

Authorization for the real world

From masking PII data to enforcing team-based access across microservices - implement consistent authorization policies in minutes.

Policies are automatically applied across your databases, APIs, event streams, and caches.

Role based access controls

policy.taxi
policy OnlyManagers against EmployeeInfo (user : User) -> {
   read {
      when {
         // Managers can see everything
         user.groups.contains('Manager') -> EmployeeInfo
         // Users can see everything except salary
         user.groups.contains('User') -> EmployeeInfo as {
            ... except { salary }
         }
         // Everyone else gets an error
         else -> throw((NotAuthorizedError) { message: 'Not Authorized' })
      }
   }
}

PII masking

policy.taxi
// Define some PII
type FirstName inherits String, PII
type LastName inherits String, PII

// Now secure it
// Anything that serves PII data (API calls, db queries, kafka streams)
// has this policy applied against it
policy MaskPiiData against PII (user: User) -> {
  read {
    when {
      // Admins see everything:
      user.roles.contains('ADMIN') -> PII
      // ...otherwise mask it
      else -> concat(left(PII,3), '****')
    }
  }
}
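A minimal Python model of the idea behind the MaskPiiData policy, added here as an illustration and not Orbital's implementation or API: the masking rule is registered against a semantic type, so a database row and a Kafka event with different field names are treated identically. The schemas, field names, sample records and the choice to drop untyped fields are assumptions constructed for this example.

```python
from typing import Callable

# Constructed schemas: each source maps its own field names to semantic types.
DB_SCHEMA = {"first_nm": "FirstName", "last_nm": "LastName", "cust_id": "CustomerId"}
KAFKA_SCHEMA = {"givenName": "FirstName", "surname": "LastName", "symbol": "Symbol"}

# FirstName and LastName inherit PII, as in the type declarations above.
SUPERTYPES = {"FirstName": ["PII"], "LastName": ["PII"]}

def mask_pii(value: str, roles: set) -> str:
    """Branches are tried in order: admins see the value, others a mask."""
    if "ADMIN" in roles:
        return value
    return value[:3] + "****"  # models concat(left(PII,3), '****')

# Policies are registered against a semantic type, never against a source.
POLICIES: dict = {"PII": mask_pii}

def enforce(record: dict, schema: dict, roles: set) -> dict:
    """Apply every policy bound to a field's type or supertypes."""
    out = {}
    for field, value in record.items():
        sem_type = schema.get(field)
        if sem_type is None:
            continue  # assumption: fail closed, drop fields with no declared type
        for t in [sem_type] + SUPERTYPES.get(sem_type, []):
            if t in POLICIES:
                value = POLICIES[t](value, roles)
        out[field] = value
    return out

# Constructed sample data: the same person seen through two sources.
DB_ROW = {"first_nm": "Jonathan", "last_nm": "Li", "cust_id": "C-1001"}
EVENT = {"givenName": "Jonathan", "surname": "Li", "symbol": "ORB", "debug": "raw"}

if __name__ == "__main__":
    for roles in ({"ADMIN"}, {"USER"}):
        print(sorted(roles), enforce(DB_ROW, DB_SCHEMA, roles))
        print(sorted(roles), enforce(EVENT, KAFKA_SCHEMA, roles))
```

In this model a value of three characters or fewer, such as the constructed surname "Li", survives the mask in full with only the suffix appended, so a prefix mask on its own does not hide short values.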

Role based Kafka streams

policy.taxi
// The event
model StockTradeEvent {
  symbol : Symbol
  price: Price
  customerName : CustomerName
}

// A policy to secure it
policy FilterCustomerFromTrade against StockTradeEvent (user: User) -> {
  read {
    when {
      // Managers see everything
      user.roles.contains('MANAGER') -> StockTradeEvent
      // Everyone else has customer hidden
      else -> StockTradeEvent as { ... except { customerName } }
    }
  }
}

// Now stream it securely
stream { StockTradeEvent }

Context-based access control

policy.taxi
// Access Control Policy
// Implements three-tier access:
// 1. Managers: Full access to all trade data
// 2. Restricted company trades: No access (filtered out)
// 3. Standard users: Limited access with trading entity and traded quantity hidden
policy FilterCustomerFromTrade against StockTradeEvent (
    trade: StockTradeEvent,
    user: User,
    sensitiveCompanies: SensitiveCompanyList
) -> {
  read {
    when {
      // TIER 1: Manager access - full visibility
      user.roles.contains('MANAGER') -> StockTradeEvent

      // TIER 2: Restricted company filter
      // Removes entire trade record if trading entity is classified
      sensitiveCompanies.companies.contains(trade.tradingEntity) -> null

      // TIER 3: Standard access
      // Shows trade but hides sensitive fields
      else -> StockTradeEvent as { ... except { tradingEntity, tradedQuantity } }
    }
  }
}

Easily the best decision I've made was building our startup on Orbital. We got our platform built and operational in record time, with data pipelines and bespoke APIs for connecting our client data feeds.

The Orbital partnership was really easy. Their data platform made ingesting and performing complex data transformations simple.

The team were great to work with, and were able to quickly enhance the platform where required to suit our use case.
