Passphrases

When you add a data source to PermissionLayer, you have to enter its credentials, which are then encrypted and saved in our database. This allows the system to automatically synchronize your sources' schemas with PermissionLayer, which is necessary to process queries correctly.

However, some users might prefer not to give us their passwords. They might prefer to use their own keys to encrypt their data, for security reasons. In these cases, they can use a passphrase to secure their data sources passwords.

What are passphrases
What are the technical details of passphrases
Benefits and limitations of using passphrases

1. What are passphrases

Passphrases are special keys used to add a connection to PermissionLayer without giving us access to your database password. They must be entered by admins and users whenever they want to access that source.

This can be done in two ways:

In data analysis tools (PowerBI, Metabase, workbenches, etc) you can enter the passphrase as the password when connecting to PermissionLayer (in conjunction with your API Key as the username)
If you are making an API request, you need to enter the passphrase as a body param, like the example below.

{
    "name": "examplesource",
    "type-id": 1,
    "availability": "all",
    "role": "source",
    "settings": {
            "host": "example.123abc.us-east-2.rds.amazonaws.com",
                        "database-name": "exmp_source",
                        "region-name": "us-east-2",
                        "username": "example",
                        "password": "123password",
                        "host-port": "1234"

      "passphrase": "Our Test Passphrase 8&6"
        }
}

Passphrases are optional, meaning you can choose to apply them only to sources that need tighter security.

Each passphrase is related to a specific data source. This means you can choose different passphrases for each source you create if you prefer. However, most organizations prefer to use the same passphrase across all sources, to make users' lives simpler.

2. What are the technical details of passphrases

All data store in PermisisonLayer's databases is encrypted. Adding a passphrase to a data source adds to that since the passphrase entered is used as a second encryption key. However, we never store passphrases anywhere in our system - which is why admins and users have to enter the source's passphrase every time they want to access that source.

In practice, a passphrase is a way for PermissionLayer's clients to allow users to connect securely to a data source, by doubling the encryption of their password in our servers. Even in the most critical scenarios, these data sources will not be accessible without that client's passphrase.

3. Benefits and limitations of using passphrases

Benefits

Increases security, since no one can access the data source without it's passphrase
We do not store passphrases anywhere in our system
You can choose what sources are passphrase-protected or not

Adding a passphrase to a source increases security and may be required by compliance in some organizations since it is a way to ensure no one outside the organization can access data from that source. It also ensures that your database won't be accessed by unauthorized people, even in extreme scenarios where someone accesses PermissionLayer's database, since only you will have the necessary encryption key for your data source's password.

You can set passphrases for some of your data sources, as it is an optional setting. With this, some of your data sources will have their passwords saved (and encrypted) on PermissionLayer's database and will periodically have their schemas updated. Others will require the passphrase to access, and you will need to click on the Sync Schema button to synchronize that source's schema.

Limitations

Admins have to click the Sync Schema button to synchronize sources with PermissionLayer
Anyone needs to enter the passphrase to access a protected source
Users have to change the password in their tools to access sources with different passphrases

Data sources with passphrases cannot be periodically synchronized by our system, so admins must click the Sync Schema button in the Data Source List to synchronize that source's schema with PermissionLayer, in turn making data from that source available for users (or updating any schema changes).

Anyone that needs to access those data sources needs to use the passphrase as a password or an API param. This means that if you use different passphrases for your data sources, users will have to change the passwords on their analysis tools when changing the data sources they are accessing.

PreviousFiltering data in Metabase using PermissionLayer NextConnection Drivers

Last updated 3 years ago