Add a CONNECTION RULE to allow or restrict access to Cirro either before or after login.

Syntax

CREATE {BEFORE | AFTER} CONNECTION RULE
  {ALLOW | ALLOW WITH LOG | DENY | DENY WITHOUT LOG}
  {WHEN (clause [AND clause ...]) | ALWAYS}
  AT POSITION n
  [DESCRIPTION 'description'] [ALERT "cirroalert"] [ENABLED {TRUE | FALSE}];

Arguments

  • BEFORE - connection rule that executes when a login attempt is made, before login completes. The MEMBER OF clause cannot be used here, because role membership is only known for a logged-in user.

  • AFTER - connection rule that executes after successful login.

  • ALLOW - allow the clauses that follow without logging.

  • ALLOW WITH LOG - allow and log the clauses that follow.

  • DENY - deny the clauses that follow with logging.

  • DENY WITHOUT LOG - deny the clauses that follow without logging.

  • ALWAYS - Sets the rule to always execute (no clauses). An ALWAYS rule can only include the ALERT, DESCRIPTION and ENABLED clauses.

  • WHEN - The rule applies only when the clauses that follow match. At least one clause is required, and each clause can appear at most once.

AT POSITION n

  • Numeric value that determines the order in which the rule is executed relative to other rules (lower positions run first).

  • This argument must be positioned immediately after the clauses.

Clauses

Different clauses can be combined using the AND operator. Each clause can be used only once per rule.

Clause                       | Values                         | Description                                                                                                       | Example
-----------------------------+--------------------------------+-------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------
USER                         | IS, IS NOT                     | User account name. Can be a Cirro user or a previously logged-in directory services user (e.g., LDAP, Azure AD).  | USER IS cirrouser
MEMBER OF                    | IS, IS NOT                     | The logged-in user is a member of the specified Cirro role. A USER clause may accompany it or be omitted.          | MEMBER OF MyCirroRole
SYSTEM / DATASOURCE / TARGET | IS, IS NOT                     | Database (data source) name.                                                                                      | SYSTEM IS NOT myoracledb
SOURCE IP                    | IS, IS NOT                     | IP address the connection originates from.                                                                        | SOURCE IP IS 127.0.0.1
SOURCE NETWORK               | IS, IS NOT                     | Subnet in the form a.b.c.d/e.                                                                                     | SOURCE NETWORK IS 192.168.0.1/23
DAY OF WEEK                  | IS, IS BETWEEN, IS NOT BETWEEN | A single day of the week, or a range of two days with BETWEEN.                                                    | DAY OF WEEK IS monday / DAY OF WEEK IS BETWEEN mon AND fri
TIME OF DAY                  | IS BETWEEN, IS NOT BETWEEN     | 24-hour format, seconds optional.                                                                                 | TIME OF DAY IS BETWEEN '08:00' AND '17:00'

Optional Clauses

These clauses are optional.

Clause                    | Description                                                                                              | Example
--------------------------+----------------------------------------------------------------------------------------------------------+--------------------------------------------
ALERT "name"              | Name of an existing alert action.                                                                        | ALERT "my alert action"
DESCRIPTION 'description' | Text description of the CONNECTION RULE. This must be last in the statement or precede ENABLED.          | DESCRIPTION 'Block user logins on weekends'
ENABLED                   | Boolean value of TRUE or FALSE.                                                                          | ENABLED TRUE

Additional Information

  • ENABLED clause

    • Rules are enabled by default.

    • ENABLED FALSE rules are skipped during overall rule execution.

  • Operators

    • Single instances of each clause can be linked together with the AND operator.

    • OR conditions are possible using a Lisp-style (parenthesised prefix) syntax. For example:

CREATE {BEFORE | AFTER} CONNECTION RULE "([ALLOW | DENY] (OR (clause 1) (clause 2)) (AND (clause 3) (clause 4))) {AT POSITION n}"
  • Clauses

    • Time of Day/Day of Week - Connection rules use the Cirro server's time and date, not the client's. You'll need to adjust times for connection rules that cover users outside the server timezone (e.g., a user connecting from Zurich while the server is in Canada).

Examples

Deny all connections other than those from your subnet. This requires two separate rules: the ALLOW at position 10 is evaluated first, and the DENY ALWAYS at position 20 catches everything else.

CREATE BEFORE CONNECTION RULE ALLOW WHEN SOURCE NETWORK IS 123.45.67.8/16 AT POSITION 10 DESCRIPTION 'Enable only MyOrganization Logins' ENABLED TRUE;

CREATE BEFORE CONNECTION RULE DENY WITHOUT LOG ALWAYS AT POSITION 20 DESCRIPTION 'Reject all other logins' ENABLED TRUE;

Always allow connections and send notification (requires an alert action)

CREATE BEFORE CONNECTION RULE ALLOW ALWAYS AT POSITION 10 DESCRIPTION 'Send a notification for all connection attempts' ALERT "cirroalert" ENABLED TRUE;

Restrict an application login to a single source IP, with an alert on an invalid attempt

CREATE BEFORE CONNECTION RULE DENY WHEN USER IS powerbi AND SOURCE IP IS NOT 22.33.22.42 AT POSITION 10 ALERT "invalid_powerbi_attempt";

The same restriction by source IP, with the ENABLED flag set explicitly

CREATE BEFORE CONNECTION RULE DENY WHEN USER IS powerbi AND SOURCE IP IS NOT 22.33.22.42 AT POSITION 10 ALERT "invalid powerbi attempt" ENABLED TRUE;

Secure by role and work week

CREATE AFTER CONNECTION RULE ALLOW WHEN MEMBER OF analyst_role AND DAY OF WEEK IS BETWEEN monday AND friday AT POSITION 10;

Log and deny access attempts on specific days and times.

CREATE BEFORE CONNECTION RULE
DENY WHEN USER IS cirrouser AND
DAY OF WEEK IS BETWEEN sat AND sun
AT POSITION 900;
CREATE BEFORE CONNECTION RULE
DENY WHEN USER IS cirrouser AND
TIME OF DAY IS NOT BETWEEN '08:00' AND '17:00'
AT POSITION 901 ALERT "notify admin invalid login";
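Because rules are evaluated in AT POSITION order, a mis-ordered ALWAYS rule can silently shadow later rules. The following Python model of the evaluation described on this page is an added example, not Cirro code; it assumes first-match semantics in ascending position order (which the allow-subnet-then-deny-all example relies on), that ENABLED FALSE rules are skipped, and uses a constructed rule set mirroring the examples above.

```python
# Added model of Cirro connection-rule evaluation (not Cirro's own code). Assumes rules run in
# ascending AT POSITION order, ENABLED FALSE rules are skipped and the first matching rule decides.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # same order as datetime.weekday()

@dataclass
class Rule:
    position: int
    action: str  # ALLOW | ALLOW WITH LOG | DENY | DENY WITHOUT LOG
    clauses: tuple = ()  # (field, op, value) triples joined by AND; () models ALWAYS
    enabled: bool = True
def connection(user, ip, when):
    """Constructed login attempt; `when` is ISO text in the Cirro server's timezone."""
    return {"user": user, "ip": ip, "when": datetime.fromisoformat(when)}
def clause_matches(fld, op, value, conn):
    """Evaluate one clause such as ("DAY OF WEEK", "IS NOT BETWEEN", ("sat", "sun"))."""
    if fld == "USER":
        hit = conn["user"] == value
    elif fld == "SOURCE IP":
        hit = ip_address(conn["ip"]) == ip_address(value)
    elif fld == "SOURCE NETWORK":
        hit = ip_address(conn["ip"]) in ip_network(value, strict=False)
    elif fld == "DAY OF WEEK":  # a single day name, or (first, last) with BETWEEN
        lo, hi = (DAYS.index(d[:3].lower()) for d in ((value, value) if isinstance(value, str) else value))
        d = conn["when"].weekday()
        hit = (lo <= d <= hi) if lo <= hi else (d >= lo or d <= hi)  # range may wrap past sunday
    elif fld == "TIME OF DAY":  # 24-hour text, seconds optional
        lo, hi = (t if len(t) == 8 else t + ":00" for t in value)
        hit = lo <= conn["when"].strftime("%H:%M:%S") <= hi
    else:
        raise ValueError(f"unsupported clause {fld}")
    return hit != ("NOT" in op)  # IS NOT / IS NOT BETWEEN invert the test

def evaluate(rules, conn):
    """Return (decision, logged, position) from the first matching enabled rule."""
    for r in sorted(rules, key=lambda r: r.position):
        if r.enabled and all(clause_matches(*c, conn) for c in r.clauses):
            return r.action.split()[0], r.action in ("ALLOW WITH LOG", "DENY"), r.position
    return "NO MATCH", False, None
# Constructed rules mirroring the page's examples; rule 20 is ALWAYS, so 900/901 never fire.
RULES = [
    Rule(10, "ALLOW", (("SOURCE NETWORK", "IS", "123.45.67.8/16"),)),
    Rule(20, "DENY WITHOUT LOG"),
    Rule(900, "DENY", (("USER", "IS", "cirrouser"), ("DAY OF WEEK", "IS BETWEEN", ("sat", "sun")))),
    Rule(901, "DENY", (("USER", "IS", "cirrouser"), ("TIME OF DAY", "IS NOT BETWEEN", ("08:00", "17:00")))),
]
```

Running cirrouser through RULES on a Saturday from inside the subnet still returns ALLOW at position 10, which is the shadowing to check for: the out-of-hours denies must be placed before the DENY ALWAYS rule to take effect.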
