PrivaceraCloud Documentation

Resource Policies

The Resource Policies page displays a list of resource service groups and resource services.

A resource service represents:

  • Connection to one or more data repositories.

  • A set of policies.

A resource service group is a collection of services that share similar attributes and configuration parameter requirements. A service group and its first default service are created in Settings > Applications. For more information about applications, see .

The first default service in each service group is assigned a name using the form "privacera_<service_type>".

Each resource service contains a set of resource policies, which, in turn, contain access rules for this data resource or subset.

Service/Service group global actions
  • Refresh button: updates service groups and resource services.

  • Security Zone filter: Filters service groups and services to display only those associated with the selected Security Zones. For more information about Security Zones, see .

  • EXPORT button: Exports policies across service groups. In the export dialog, all service types and the services in each service group are pre-loaded; you can remove individual service types and service names from the selection. Click Save, and all policies in the selected elements are exported to a JSON-formatted policy set.

  • IMPORT button: Imports a previously exported policy set. Browse to the file, then click IMPORT to initiate the import. If the Override Policy checkbox is selected, the import is allowed to overwrite existing policies in the destination services.

  • Click the three vertical dots in the service group to see the following actions:

    • Add Service: Adds a new resource-based service. Click the Add icon in the applicable box on the Resource Policies page, enter the required configuration details, then click Save. Different service types have different attributes, but all service types include a Service Name (required), a Description (optional), and an optional associated Tag Service, and accept a Username, a Common Name for Certificate, and optional Key/Value pairs.

    • Export: Exports one or more services in the service group. By default, all services in the group are listed in the dialog, but any of them can be deselected. All policies in the selected services are exported to a JSON-formatted policy set. Click Save to open a file browser and save dialog.

    • Import: Imports a previously exported policy set. Browse to the file, then click IMPORT to initiate the import. If the Override Policy checkbox is selected, the import is allowed to overwrite existing policies in the destination services.

Service actions

In front of each service type, you will see the following action buttons:

  • View button: View the service details in read-only format.

  • Edit button: Edit the configuration details.

  • Delete button: Delete a resource-based service.

Policy definition

Click a service name (for example, privacera_hive) to open the policy definition and management page for that service. The page displays the existing policies for the service along with an Add New Policy button.

Each Policy definition row shows key attributes (Policy ID, Policy Name, Policy Labels, Roles, Groups, Users, and Action).

Under the Action column are three action icons:

  • Preview button

  • Edit button

  • Delete button

To see an individual policy's details, click either the Policy ID number or the Edit button. The Policy Details page is displayed.

The Policy Details page contains the following fields:

  • Policy Type: The basis for controlling access. For example, a policy can be based on the resource, on a tag, or on a scheme.

  • Policy Id: Each policy is assigned an immutable numeric identifier. These IDs are monotonically incremented and unique within each PrivaceraCloud account. Policy identifiers are referenced in audit trail event messages, so that each action recorded in the audit trail is associated with a specific policy.

  • Policy Name: Policies are assigned a name, either by the system or by the portal user who creates them. Default, system-created policies can be renamed.

  • Policy Label: Policies can be assigned a new or existing label. Labels assist in filtering and with search reports.

  • Add Validity Period: A policy can be defined as being effective only for a period of time. Start and end dates and times (defined to the minute), as well as a time zone selection.

  • Resource Specifier: Underneath the Policy Label field are the resource specifiers. These differ for each type of resource, and the set of specifiers changes depending on the top-down choices. For example, by default a Hive resource displays fields for database, table, and column. However, each prompt field is a drop-down menu with other options. Click the down-arrow in the database prompt field and two other options appear: url and global. Select url to specify a URL as the Hive resource. Note that table and column are not relevant when specifying a URL, so those choices are removed.

  • Description: A description of the policy, which can be used to distinguish it from other policies.

  • Audit Logging: Enables or disables audit logging for this policy. Toggle to No if this policy does not need to be audited. The default is Yes.

  • Condition Sets: These are the rules that determine whether access to the identified resource(s) is allowed or denied. Each rule is defined in terms of a set of data access permissions and the individual users, user groups, or user roles they apply to. The permission selection list is specific to the type of service. For example, for the ADLS service, the permission set is read, write, delete, metadata read, metadata write, and admin. The following condition sets are available:

    • Allow Conditions

    • Exclude from Allow Conditions

    • Deny Conditions

    • Exclude from Deny Conditions

At least one rule must be defined in one of the condition sets; rules for the other condition sets can be omitted.
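The way the four condition sets combine is easiest to see in code. The following is an added example, not Privacera's code; it assumes Apache Ranger's evaluation order (a Deny rule wins over an Allow rule, an "Exclude from" rule carves the requester out of the matching set, and a request that no rule matches is denied), and the sample policy, users and groups are constructed for illustration:

```python
"""Added example (not Privacera's code): combining the four condition sets.
Assumed semantics follow Apache Ranger: Deny beats Allow, 'Exclude from ...'
carves the requester out of the matching set, and no match means deny."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One row of a condition set: which users/groups get which permissions."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    permissions: set = field(default_factory=set)

    def matches(self, user, groups, permission):
        return permission in self.permissions and (
            user in self.users or bool(groups & self.groups))

@dataclass
class Policy:
    allow: list = field(default_factory=list)
    exclude_from_allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    exclude_from_deny: list = field(default_factory=list)

def _hit(rules, user, groups, permission):
    return any(r.matches(user, groups, permission) for r in rules)

def evaluate(policy, user, groups, permission):
    """Return 'ALLOW' or 'DENY' for one (user, groups, permission) request."""
    groups = set(groups)
    # 1. An explicit deny applies unless the requester is excluded from it.
    if (_hit(policy.deny, user, groups, permission)
            and not _hit(policy.exclude_from_deny, user, groups, permission)):
        return "DENY"
    # 2. An allow applies unless the requester is excluded from it.
    if (_hit(policy.allow, user, groups, permission)
            and not _hit(policy.exclude_from_allow, user, groups, permission)):
        return "ALLOW"
    # 3. Nothing matched: default deny.
    return "DENY"

# Constructed sample policy: analysts and admins may select/drop, members of
# 'contractors' are carved out of that allow, and 'svc_etl' may never drop.
SAMPLE = Policy(
    allow=[Rule(groups={"analysts", "admins"}, permissions={"select", "drop"})],
    exclude_from_allow=[Rule(groups={"contractors"}, permissions={"select", "drop"})],
    deny=[Rule(users={"svc_etl"}, permissions={"drop"})],
)
```

A user in both analysts and contractors is denied select even though an Allow rule matches, and svc_etl is denied drop despite being an admin.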

Any service named "privacera_<service type>" automatically creates one or more default all... policies. (The policy names vary by service. For example, the all policy for Hive services is all - database, and the default policy names for database repository services are all - database, schema, table, column, and so on.)

Configure Hive resource policy

This section describes how to configure a Hive resource policy, including the Accessed Together? and Not Accessed Together? policy conditions.

On the Policy Details page, do the following:

  • Database: Specify the database name.

    • Table/UDF: Specify the table or UDF name.

    • Column: Specify the column name.

      Note

      By default, the 'Include' option is selected to allow access for all the above fields. To deny access, toggle to the 'Exclude' option.

  • URL: Specify the cloud storage path, for example s3a://user/poc/sales.txt, where end-user permission is needed to read or write Hive data from or to a cloud storage path.

    • Recursive

    • Non-recursive

  • Global: Specify a global dataset.

  • Allow Conditions: In this section, you can specify the policy conditions and permissions for resources.

    • Policy Conditions: This option allows a user to add custom conditions that are evaluated as part of authorization requests. Click the Add Conditions button. The pop-up shows the Accessed Together? and Not Accessed Together? conditions.

      • Accessed Together?: This option allows access to a specified set of columns (minimum two) only when they are requested together in a query.

        For example:

        default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC

        The condition above allows a user to access the EMP_SSN and CC columns only when both are referenced together in the query; otherwise a permission denied error is returned.

      • Not Accessed Together?: This option denies access to a specified set of columns (minimum two) when they are requested together in a query.

        For example:

        default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC

        The condition above denies a user access to the EMP_SSN and CC column data when both are referenced together in the query, returning a permission denied error.

    • Permission: Permissions are common to all the resources; add them as required.

      The available permissions are:

      • Select

      • Update

      • Create

      • Drop

      • Alter

      • Index

      • Lock

      • All

      • Read

      • Write

      • Data_admin
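To make the Accessed Together? and Not Accessed Together? semantics concrete, here is an added example (not Privacera's code) that evaluates both conditions against the set of columns a query references. It assumes a condition is the comma-separated list of fully qualified columns shown on the page, that column matching is case-insensitive, and it uses the page's EMP_SSN/CC example plus a constructed NAME column:

```python
"""Added example (not Privacera's code): evaluating the Accessed Together? and
Not Accessed Together? conditions against the columns a query references.
Assumption: a condition is the comma-separated list of fully qualified columns
shown on the page, and column names are compared case-insensitively."""

def parse_columns(spec):
    """Parse 'db.table.col1, db.table.col2' into a set of lowercase names."""
    cols = {c.strip().lower() for c in spec.split(",") if c.strip()}
    if len(cols) < 2:
        raise ValueError("a condition needs at least two columns")
    return cols

def check_query(query_columns, accessed_together=None, not_accessed_together=None):
    """Return (decision, reason) for a query that references query_columns."""
    referenced = {c.strip().lower() for c in query_columns}
    if not_accessed_together:
        forbidden = parse_columns(not_accessed_together)
        # Deny when every column of the condition appears in the same query.
        if forbidden <= referenced:
            return "DENY", "Not Accessed Together? columns appear in one query"
    if accessed_together:
        required = parse_columns(accessed_together)
        hit = required & referenced
        # A query touching only part of the set is denied; a query touching
        # none of these columns is not governed by this condition.
        if hit and hit != required:
            return "DENY", "only part of the Accessed Together? set is referenced"
    return "ALLOW", "policy conditions satisfied"

# Constructed sample built from the page's example condition.
COND = "default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC"
SSN, CC = "default.employeepersonalview.EMP_SSN", "default.employeepersonalview.CC"
NAME = "default.employeepersonalview.NAME"  # constructed extra column
```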