The Resource Policies page opens to a display of resource service groups and resource services.
A resource service represents:
- Connection to one or more data repositories.
- A set of policies.
A resource service group is a collection of services sharing similar attributes and configuration parameter requirements. A service group and its first default service is created in Access Manager: Service Config. The first default service in each service group is assigned a name using the form "privacera_<service_type>" where <service_type> is one of the services available in Service Config: Add Service.
Each resource service contains a set of resource policies, which, in turn, contain access rules for this data resource or subset.
Service/Service Group Global Actions#
Refresh view of service groups and .
Security Zone filter: Service groups and services can be filtered to show only those in selected Security Zones. See Access Manager: Security Zone for more information.
Open an Export Policy dialog. All service types and services in the service group will be pre-loaded. (Click on an X to remove an object (service type or servie) service from the list.) On Save, all policies in the selected elements will be exported to JSON formatted policy set.
Open the Import Policy dialog to import a previously exported policy set. Select the file, service type, then select Source and Destination of the service using the respective drop-down, and then click Import. Multiple Sources and Destinations can be added. Override Policy, if checked, will allow the import to overwrite existing destination service policies. Click Import to initiate the import.
Service Group Actions (available from Service Group header)
Add a new resource-based service, click the Add 'icon in the applicable box on the Resource Policies page. Enter the required configuration details, then click Save. Different service types have different attributes but all service types include a Service Name (required), Description (optional), optional associated Tag Service and accept a Username, Common Name for Certificate, and optional Key/Value pairs.
Export one or more services in the service group. By default, all services in a group are listed in the dialog but can be deselected. All policies in the selected services will be exported to JSON formatted policy set. Click Save to initiate a file browser and save dialog.
Import to open the Import Policy dialog to import a previously exported policy set. Select the file, then select Source and Destination of the service using the respective drop-down, and then click Import. You are allowed to add multiple Sources and Destinations. Check Override Policy, to overwrite destination service existing policies.
(available from each service)
View: View the service details in read-only format.
Edit: Edit the configuration details
Delete: Delete a resource-based service
<service_name> Click on the service name to open the Ranger Service dialog. This option is expanded in the following section.
Click on a service in a service group to open to the Policy definition and management page for this service (titled "Ranger Services"). The page will display a table of the existing polices for this service along with an Add New Policy button.
Each Policy defintion row shows key attributes (Id, Name, Labels, Roles, Groups, and Users).
Under the Action column are three action icons:
- Show Details - Edit - Delete
Policy Id: Each policy is assigned an immutable numeric identifier. These ids are monotonically incremented and unique within each PrivaceraCloud account. Policy identifiers are referenced in the audit trail event messages, so that action taken and recorded to the audit trail is associated with a specific policy.
Policy Name: Polices are assigned a name, either by the system or when created by a portal user. Default, system-created policies can be renamed.
Validity Period: A policy can be defined to be effective only for a period of time. Start and End date/times can be defined (to the minute) with a selectable Time Zone. Use the Add Validity Period button in the upper right to set a validity period for this policy.
Policy Label: Policies can be assigned a new or existing label. Labels assist in filtering and with search reports.
Resource Specifier: Underneath the Policy Label field are the Resource specifiers. These will be different for each type of resource, and the set of specifiers will change depending on the top down choices. For example, by default a Hive resource will display fields for database, table, and column.
However, each prompt field, is a dropdown menu list with other options.
Click on the down-arrow in the database prompt field and there will be two other options: url and global. Select url to specify a URL as the Hive resource. Note that table and column are not relevant to specifying a URL, so those choices are removed.
Condition Sets: These are the rules that are used to determine allowed or denied access to the identified resource(s). Each is defined in terms of a set of data access permissions and data access individual users, user groups, or user roles. The permission selection list is specific to the type of service. For example, for the ADLS service, the permission set is read, write, delete, metadata read, metadata write, and admin.
The following access conditions are available:
- Allow Conditions
- Exclude from Allow Conditions
- Deny Conditions
- Exclude from Deny Conditions
At least one rule must be defined. Rules for the other condition sets can be omitted.
One or more default all... policies are automatically created for any default created services (those named as "privacera_<service_type>"). (The actual policy names are adjusted for each type of service. For example, for hive services, the all policy is named all - database. For database repository oriented services, the default policy name is: all - database, schema, table, column, and so on.).