- PrivaceraCloud Release 4.5
- PrivaceraCloud User Guide
Resource Policies
The Resource Policies page displays a list of resource service groups and resource services.
A resource service represents:
Connection to one or more data repositories.
A set of policies.
A resource service group is a collection of services that share similar attributes and configuration parameter requirements. A service group and its first default service are created in Settings > Applications. For more information about applications, see the Applications section of this guide.
The first default service in each service group is assigned a name using the form "privacera_<service_type>".
Each resource service contains a set of resource policies, which, in turn, contain access rules for this data resource or subset.
Service/Service group global actions
Refresh button: reloads the list of service groups and resource services.
Security Zone filter: shows only the service groups and services associated with the selected Security Zones. For more information, see Security Zones in this guide.
EXPORT button: opens a dialog in which all service types, and every service in each group, are pre-selected. Deselect any service type or service name you do not want, then click Save: every policy in the remaining selection is written to a JSON-formatted policy set.
IMPORT button: imports a previously exported policy set. Browse to the file, select the Override Policy checkbox if the import should overwrite existing policies in the destination services, then click IMPORT to start the import. Review the file before importing with Override Policy, since the overwrite applies to every policy in the set.
Click the three vertical dots in the service group to see the following actions:
Add Service: creates a new resource-based service in the group. Click the Add icon in the applicable box on the Resource Policies page, enter the required configuration details, then click Save. Attributes differ by service type, but every service type includes a Service Name (required), a Description (optional), an optional associated Tag Service, and accepts a Username, a Common Name for Certificate, and optional Key/Value pairs.
Export: exports one or more services in the service group. All services in the group are listed and pre-selected in the dialog; deselect any you do not want. Every policy in the selected services is written to a JSON-formatted policy set. Click Save to open a file browser and save dialog.
Import: imports a previously exported policy set into this service group. Browse to the file, select the Override Policy checkbox if existing policies in the destination services should be overwritten, then click IMPORT to start the import.
Service actions
Next to each service, you will see the following action buttons:
View button: View the service details in read-only format.
Edit button: Edit the configuration details.
Delete button: Delete a resource-based service.
Policy definition
Click a service name (for example, privacera_hive) to open the policy definition and management page for that service. The page lists the existing policies for the service along with an Add New Policy button.
Each Policy definition row shows key attributes (Policy ID, Policy Name, Policy Labels, Roles, Groups, Users, and Action).
Under the Action column are three action icons:
Preview button
Edit button
Delete button
To see the details of an individual policy, click either the Policy ID number or the Edit button. The Policy Details page is displayed.
The Policy Details page contains the following fields:
Policy Type: The basis for controlling access. For example, a policy can be based on the resource, on a tag, or on a scheme.
Policy Id: Each policy is assigned an immutable numeric identifier. Ids are monotonically increasing and unique within each PrivaceraCloud account. Policy identifiers are referenced in audit trail event messages, so that each action recorded in the audit trail is associated with the specific policy that decided it.
Policy Name: Policies are assigned a name, either by the system or by the portal user who creates them. Default, system-created policies can be renamed.
Policy Label: Policies can be assigned a new or existing label. Labels assist in filtering policies and in searching reports.
Add Validity Period: A policy can be made effective only for a period of time: a start and an end date and time (defined to the minute), plus a time zone selection.
Resource Specifier: Below the Policy Label field are the resource specifiers. These differ for each type of resource, and the set of specifiers changes with the choices made from the top down. For example, a Hive resource shows fields for database, table, and column by default, but each prompt field is a drop-down list with further options: click the down-arrow in the database field and two other options appear, url and global. Select url to specify a URL as the Hive resource; table and column are not relevant to a URL, so those fields are removed.
Description: A free-text description of the policy, used to tell it apart from other policies.
Audit Logging: Enables or disables audit logging for this policy. Yes is the default; toggle to No only if decisions made by this policy do not need to be audited, since accesses that this policy allows or denies will then not appear in the audit trail.
Condition Sets: These are the rules that determine whether access to the identified resource(s) is allowed or denied. Each rule pairs a set of data access permissions with the individual users, user groups, or user roles it applies to. The permission list is specific to the service type; for the ADLS service, for example, it is read, write, delete, metadata read, metadata write, and admin. The following condition sets are available:
Allow Conditions
Exclude from Allow Conditions
Deny Conditions
Exclude from Deny Conditions
At least one rule must be defined; the other condition sets can be left empty. Deny Conditions are evaluated before Allow Conditions, and a matching deny takes precedence over a matching allow for the same request; each Exclude set removes matching requests from the Allow or Deny set it belongs to. A request that no Allow Condition covers is denied.
Any service named "privacera_<service type>" automatically receives one or more default "all ..." policies. The policy names vary with the service: the all policy for Hive services is all - database, and database repository services get policies such as all - database, schema, table, column. Because these policies cover every resource of the service, review the users and groups they grant before exposing the service.
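The JSON policy set that EXPORT writes and IMPORT reads is the natural place to check the fields described above before re-importing with Override Policy. The following is an added example, not Privacera's own tooling: a small Python lint that reads an exported policy set and flags policies with Audit Logging off, Allow Conditions granted to the public group, resource specifiers that use the Exclude toggle, and validity periods that have already ended. The sample export embedded in it is constructed, and its field names (metaDataInfo, policies, resources, isExcludes, policyItems, isAuditEnabled, validitySchedules, delegateAdmin) follow the Apache Ranger policy model that the export is assumed to use; verify them against a real export from the EXPORT button before relying on the script.

```python
"""Lint an exported policy set before importing it with Override Policy.
Added example, not Privacera tooling. Field names follow the Apache Ranger
policy model the export is assumed to use: check against a real export."""
import json
from datetime import datetime

RANGER_TS = "%Y/%m/%d %H:%M:%S"   # assumed timestamp format of validitySchedules

# Constructed sample export with two policies for a privacera_hive service.
SAMPLE_EXPORT = """{
  "metaDataInfo": {"Exported by": "admin"},
  "policies": [
    {"id": 12, "service": "privacera_hive", "name": "all - database, table, column",
     "policyType": 0, "isEnabled": true, "isAuditEnabled": true,
     "resources": {
       "database": {"values": ["*"], "isExcludes": false, "isRecursive": false},
       "table":    {"values": ["*"], "isExcludes": false, "isRecursive": false},
       "column":   {"values": ["*"], "isExcludes": false, "isRecursive": false}},
     "policyItems": [{"accesses": [{"type": "all", "isAllowed": true}],
                      "users": ["hive"], "groups": [], "roles": [],
                      "conditions": [], "delegateAdmin": true}],
     "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [],
     "validitySchedules": [], "policyLabels": []},
    {"id": 57, "service": "privacera_hive", "name": "sales-readonly",
     "policyType": 0, "isEnabled": true, "isAuditEnabled": false,
     "resources": {
       "database": {"values": ["sales"], "isExcludes": false, "isRecursive": false},
       "table":    {"values": ["orders"], "isExcludes": true, "isRecursive": false},
       "column":   {"values": ["*"], "isExcludes": false, "isRecursive": false}},
     "policyItems": [{"accesses": [{"type": "select", "isAllowed": true}],
                      "users": [], "groups": ["public"], "roles": [],
                      "conditions": [], "delegateAdmin": false}],
     "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [],
     "validitySchedules": [{"startTime": "2020/01/01 00:00:00",
                            "endTime": "2020/12/31 23:59:59", "timeZone": "UTC"}],
     "policyLabels": ["temp"]}
  ]
}"""


def _all_wildcard(resources):
    """True when every resource specifier is '*' with Include selected."""
    return bool(resources) and all(
        r.get("values") == ["*"] and not r.get("isExcludes") for r in resources.values())


def lint_policy(policy, now=None):
    """Return [(severity, message), ...] for one policy."""
    now = now or datetime.now()
    findings = []
    resources = policy.get("resources", {})

    # Audit Logging = No: decisions made by this policy leave no audit trail.
    if not policy.get("isAuditEnabled", True):
        findings.append(("HIGH", "Audit Logging is off"))

    # Exclude inverts the resource match; it is not a deny.
    for name, res in resources.items():
        if res.get("isExcludes"):
            findings.append(("INFO", f"{name} uses Exclude: applies to every {name} "
                                     f"except {res.get('values')}"))

    # Allow Conditions granted to the public group, or carrying Delegate Admin.
    for item in policy.get("policyItems", []):
        accesses = sorted(a["type"] for a in item.get("accesses", []))
        if "public" in item.get("groups", []):
            sev = "HIGH" if _all_wildcard(resources) else "MEDIUM"
            findings.append((sev, f"Allow grants {accesses} to group public"))
        if item.get("delegateAdmin"):
            findings.append(("INFO", "Allow grants Delegate Admin"))

    # Validity periods that have all ended: the policy is inert but still imported.
    schedules = policy.get("validitySchedules", [])
    if schedules and all(datetime.strptime(s["endTime"], RANGER_TS) < now for s in schedules):
        findings.append(("MEDIUM", "every validity period has ended"))
    return findings


def lint_policy_set(export_json, now=None):
    """Map policy id -> findings for each policy in an exported policy set."""
    return {p["id"]: lint_policy(p, now)
            for p in json.loads(export_json).get("policies", [])}


if __name__ == "__main__":
    for pid, findings in lint_policy_set(SAMPLE_EXPORT).items():
        for severity, message in findings:
            print(f"policy {pid}: [{severity}] {message}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; anything rated HIGH is worth resolving in the portal before clicking IMPORT with Override Policy selected.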
Configure Hive resource policy
This section describes how to configure a Hive resource policy, including the Accessed Together and Not Accessed Together policy conditions.
On the Policy Details page, do the following:
Database: Specify the database name.
Table/UDF: Specify the table or UDF name.
Column: Specify the column name.
Note
By default, the Include option is selected for each of the fields above, so the policy applies to the resources you name. Toggling a field to Exclude inverts the match: the policy then applies to every resource of that type except the ones named. Exclude does not by itself deny anything; to deny access, add a rule under Deny Conditions.
URL: Specify a cloud storage path, for example s3a://user/poc/sales.txt, when the end user needs permission to read Hive data from, or write it to, a cloud storage path. Choose one of:
Recursive: the path and everything beneath it.
Non-recursive: the path only.
Global: Specify a global dataset.
Allow Conditions: In this section, you specify the policy conditions and permissions for the resources.
Policy Conditions: Lets you add custom conditions that are evaluated together with the authorization request. Click the Add Conditions button; the pop-up offers the Accessed Together? and Not Accessed Together? conditions.
Accessed Together?: Allows the request only when all of the listed columns (minimum two) are referenced together in the query.
For example:
default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC
With this condition, the user can access the EMP_SSN and CC columns only when both are referenced together in the query; a query that references only one of them fails with a permission denied error.
Not Accessed Together?: Denies the request when all of the listed columns (minimum two) are referenced together in the query.
For example:
default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC
With this condition, a query that references both EMP_SSN and CC fails with a permission denied error; the condition does not affect queries that reference only one of them.
Permission: The same permission list applies to every Hive resource; add the permissions the rule requires.
The available permissions are:
Select
Update
Create
Drop
Alter
Index
Lock
All
Read
Write
Data_admin
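To make the Accessed Together and Not Accessed Together conditions, and the Allow/Deny/Exclude condition sets described under Policy definition, concrete, here is an added example (not Privacera's code) that models the evaluation of a Hive resource policy in Python. It assumes the Apache Ranger evaluation order (Deny Conditions minus Exclude from Deny first, then Allow Conditions minus Exclude from Allow, with the request denied when nothing allows it) and models each condition as a predicate over the set of fully qualified columns a query references; the "deny" behaviour of Not Accessed Together then falls out of default deny. The policy names, users and groups are constructed for illustration; only the two column names come from the page.

```python
"""Model of Hive resource policy evaluation with Accessed Together /
Not Accessed Together conditions. Added example, not Privacera code.
Assumed evaluation order (Apache Ranger): Deny Conditions, minus Exclude
from Deny, are checked first; then Allow Conditions, minus Exclude from
Allow; a request that nothing allows is denied."""
from dataclasses import dataclass, field

ACCESSED_TOGETHER = "accessed-together"
NOT_ACCESSED_TOGETHER = "not-accessed-together"


@dataclass(frozen=True)
class Condition:
    kind: str            # ACCESSED_TOGETHER or NOT_ACCESSED_TOGETHER
    columns: frozenset   # fully qualified db.table.column names, minimum two

    def __post_init__(self):
        if len(self.columns) < 2:
            raise ValueError("condition needs at least two columns")
        if self.kind not in (ACCESSED_TOGETHER, NOT_ACCESSED_TOGETHER):
            raise ValueError(f"unknown condition kind {self.kind!r}")

    def holds(self, requested_columns):
        """True when this condition lets the rule it belongs to apply."""
        together = self.columns <= requested_columns
        return together if self.kind == ACCESSED_TOGETHER else not together


@dataclass
class Rule:
    """One row of a condition set: who, which permissions, under which conditions."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)        # "public" matches everyone
    permissions: set = field(default_factory=set)   # "all" matches every permission
    conditions: list = field(default_factory=list)

    def matches(self, user, groups, permission, columns):
        subject = user in self.users or bool(groups & self.groups) or "public" in self.groups
        perm = permission in self.permissions or "all" in self.permissions
        return subject and perm and all(c.holds(columns) for c in self.conditions)


@dataclass
class HivePolicy:
    allow: list = field(default_factory=list)
    exclude_from_allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    exclude_from_deny: list = field(default_factory=list)


def evaluate(policy, user, groups, permission, columns):
    """Return "ALLOW" or "DENY" for one request against one policy."""
    args = (user, groups, permission, columns)
    if any(r.matches(*args) for r in policy.deny) and not any(
        r.matches(*args) for r in policy.exclude_from_deny
    ):
        return "DENY"          # an explicit deny wins over any allow
    if any(r.matches(*args) for r in policy.allow) and not any(
        r.matches(*args) for r in policy.exclude_from_allow
    ):
        return "ALLOW"
    return "DENY"              # nothing allowed it: default deny


# Constructed policies built around the two columns from the page's example.
EMP_SSN = "default.employeepersonalview.EMP_SSN"
CC = "default.employeepersonalview.CC"
PAIR = frozenset({EMP_SSN, CC})

POLICIES = {
    # Allow select only when EMP_SSN and CC are referenced together.
    "pii-pair-required": HivePolicy(allow=[
        Rule(groups={"analysts"}, permissions={"select"},
             conditions=[Condition(ACCESSED_TOGETHER, PAIR)])]),
    # Allow select, except when EMP_SSN and CC are referenced together.
    "pii-pair-forbidden": HivePolicy(allow=[
        Rule(groups={"analysts"}, permissions={"select"},
             conditions=[Condition(NOT_ACCESSED_TOGETHER, PAIR)])]),
    # Everyone may select, contractors are denied, except bob (Exclude from Deny).
    "deny-wins": HivePolicy(
        allow=[Rule(groups={"public"}, permissions={"select"})],
        deny=[Rule(groups={"contractors"}, permissions={"select"})],
        exclude_from_deny=[Rule(users={"bob"}, permissions={"select"})]),
}


def decide(policy_name, user, groups, permission, columns):
    """Evaluate a request given as plain strings and lists against a named policy."""
    return evaluate(POLICIES[policy_name], user, set(groups), permission, frozenset(columns))


if __name__ == "__main__":
    print(decide("pii-pair-required", "alice", ["analysts"], "select", [EMP_SSN, CC]))   # ALLOW
    print(decide("pii-pair-required", "alice", ["analysts"], "select", [EMP_SSN]))       # DENY
    print(decide("pii-pair-forbidden", "alice", ["analysts"], "select", [EMP_SSN, CC]))  # DENY
    print(decide("deny-wins", "carol", ["contractors"], "select", [EMP_SSN]))            # DENY
    print(decide("deny-wins", "bob", ["contractors"], "select", [EMP_SSN]))              # ALLOW
```

The "deny-wins" policy is the one to study when reasoning about the four condition sets: carol is denied even though the public Allow Condition matches her, and bob is allowed only because Exclude from Deny removes him from the deny set before the Allow Conditions are consulted.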