Access Manager Basics
The Access Manager user interface contains functions for policy management (Resource and Tag Policies), data access audits (Audit), data user management, and data service management. It also includes Reports, which list the defined policies; Security Zones, which provide a means to scope views; and Permissions, which manage the extension of user and group rights.
Policies are rule sets for usage and access. Each rule specifies a scope of control, an access type, the set of user identities allowed or denied that access, and an enforcement period. The access control list scheme supports “Allow” and “Deny” access as well as “Exclude from Allow” and “Exclude from Deny”.
Resource Policies and Tag Policies are concerned with access to data.
Controlled-access datasets are subsets of the connected data repositories and databases, defined for databases by any combination of database, table, and column (wildcards supported) and for filesystem/object stores by object, file, and folder names (with wildcard support for paths).
For Resource Policies, the scope of control is data accessible through the connected data repositories as defined by resource paths.
For structured database resources, scope is specified in terms of database, table, and column. The access type is defined by the actions that can be performed on that particular type of database, such as “Select”, “Update”, “Create”, “Drop”, “Alter”, etc.
For filesystem/object stores, the scope is defined in terms of access to a blob, object, file, folder, and so on. Permission rules take the form of file actions such as “Read”, “Write”, “Delete”, and so on.
For Tag Policies, the scope of control is the set of data elements that have been assigned a metadata label or tag. Tag Policies are defined in terms of the tags rather than the tagged data or its location.
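As an added illustration, not Privacera or Apache Ranger code, the following hypothetical Python evaluator models the Resource Policy scheme described above: a policy scopes database/table/column with wildcards, and each rule lists the users, groups and access types it applies to under Allow, Deny, Exclude from Allow or Exclude from Deny. It assumes deny takes precedence over allow and that a request matched by no rule is refused; the policy and identity names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Rule:  # one entry: which users/groups may perform which access types
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)  # e.g. {"select", "update"}

    def matches(self, user, groups, access):
        return (user in self.users or bool(groups & self.groups)) and access in self.accesses

@dataclass
class Policy:  # resource policy; each resource part is a wildcard pattern
    resource: dict  # {"database": "sales", "table": "*", "column": "*"}
    allow: list = field(default_factory=list)
    allow_exceptions: list = field(default_factory=list)  # "Exclude from Allow"
    deny: list = field(default_factory=list)
    deny_exceptions: list = field(default_factory=list)   # "Exclude from Deny"

    def covers(self, database, table, column):
        parts = {"database": database, "table": table, "column": column}
        return all(fnmatchcase(v, self.resource.get(k, "*")) for k, v in parts.items())

def is_allowed(policies, user, groups, database, table, column, access):
    """Deny overrides allow: a matching deny rule not cancelled by exclude-from-deny
    refuses the request; otherwise an allow rule not cancelled by exclude-from-allow
    is required. With no matching rule at all the default (assumed here) is deny."""
    groups = set(groups)
    hit = lambda rules: any(r.matches(user, groups, access) for r in rules)
    allowed = False
    for p in policies:
        if not p.covers(database, table, column):
            continue
        if hit(p.deny) and not hit(p.deny_exceptions):
            return False
        if hit(p.allow) and not hit(p.allow_exceptions):
            allowed = True
    return allowed

# Constructed sample (hypothetical names): analysts may SELECT anything in "sales",
# except sales.customers.ssn, which only user "dpo" may read; "contractor1" is denied.
SAMPLE_POLICIES = [
    Policy({"database": "sales", "table": "*", "column": "*"},
           allow=[Rule(groups={"analysts"}, accesses={"select"})],
           deny=[Rule(users={"contractor1"}, accesses={"select", "update"})]),
    Policy({"database": "sales", "table": "customers", "column": "ssn"},
           deny=[Rule(groups={"analysts"}, accesses={"select"})],
           deny_exceptions=[Rule(users={"dpo"}, accesses={"select"})]),
]
```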
Scheme Policies are used to specify user access to encryption and decryption services provided by the Privacera Encryption Gateway (PEG). The Scheme Policies page is enabled when the PEG service is connected.
Data Access Users
Identities allowed or denied access are known as data access users. Users can be part of a Group or be assigned a data access Role. Native PrivaceraCloud individual data access users, along with the management of groups and roles, are defined internally in PrivaceraCloud and are managed in Users/Groups/Roles. Alternatively, data access users and groups can be imported for one-way synchronization with an external directory service or identity service based on LDAP or SCIM. This import can be configured in the Setup Wizard or in Setting: Data Source.
Enforcement periods can be specified with start and end dates/times.
Resource Policies: Create and manage Resource Policies.
Tag Policies: Create and manage Tag Policies.
Scheme Policies: Create and manage Scheme Policies.
Service Explorer: Browse data resource services, also called connectors, with drilldown through databases, schemas, and tables, annotated with the data user access defined by policy.
Users/Groups/Roles: Data user access management, supporting creation and management of data access users, groups, and roles.
Permissions: This page manages data access users' and groups' access to functional modules in the PrivaceraCloud-hosted Apache Ranger module.
Reports: List defined policies.
Audit: Privacera supports full logging of all access, installation, and configuration events.
Security Zone: Security Policies can be established and maintained based on administrative rights.
Service Config: Service interface to add or deactivate a data service such as Hive, S3, or ADLS.