
Creating Resource Based Policies

Create and configure policies that control access to specific resources.

  1. From the home page, click Access Management > Resource Policies.

  2. Click a service in one of the service groups.

  3. Click Add New Policy.

  4. Configure the new resource policy.

Configuration Settings Common to All Policies#

Policies contain rules of access to be associated with a particular data resource or a subset of that resource. Specific policy attributes differ depending on the policy type, but all policies contain the following attributes:

  • Policy Type: The basis for controlling access. For example, a policy can be based on the resource, on a tag, or on a scheme.

  • Policy Name: Policies are assigned a name, either by the system or by the portal user who creates them. Default, system-created policies can be renamed. The policy name must be unique and cannot be duplicated across the system.

  • Normal/Override: Selects whether the policy is a 'Normal' or an 'Override' policy. If you select 'Override', the access permissions in this policy override the access permissions in existing policies.

  • Enable/Disable: By default, the policy is enabled. If the policy is not required, you can disable it by switching to 'Disabled' mode.

  • Policy Id: Each policy is assigned an immutable numeric identifier. These IDs are incremented and unique within each account. Policy identifiers are referenced in audit trail event messages, so that every action recorded in the audit trail is associated with a specific policy.

  • Policy Label: A descriptive label that helps users find this policy when searching for policies and filtering policy lists.

  • Resource Specifier: These differ for each type of resource, and the set of specifiers changes depending on the choices made at the higher levels.

    The autocomplete feature is available only if you have defined PolicySync connectors for the following services:

    • Postgres
    • Redshift
    • MSSQL
    • Snowflake
    • Databricks SQL
  • Validity Period: A policy can be defined to be effective only for a period of time. Start and End date/times (defined to the minute), with a selectable Time zone.

  • Description: A required description of the policy, used to distinguish it from other policies.

  • Audit Logging: Enable/disable Audit Logging. Toggle to 'No' if this policy does not need to be audited. By default, it is set to 'Yes'.

  • Condition Sets: The rules that allow or deny access to a resource. Available permissions are specific to the type of service. There are four access conditions:

    • Allow Conditions

    • Exclude from Allow Conditions

    • Deny Conditions

    • Exclude from Deny Conditions

At least one rule must be defined. One or more default 'all...' policies are automatically created for each default-created service (those named "privacera_<service_type>"). Policy names reflect the type of service.
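As an added example (not Privacera's code), the following Python sketch shows how the attributes above combine when a request is evaluated: the four condition sets, the Normal/Override switch, Enable/Disable and the Validity Period. The precedence it uses (Override policies consulted first, any Deny beating Allow, an Exclude row carving a request out of its condition set, no match meaning Deny) is an assumption modelled on Apache Ranger; the page does not state it, and the sample policies and principals are constructed.

```python
"""Evaluate a request against resource policies with the attributes above: the four
condition sets, Normal/Override, Enable/Disable and Validity Period.
Added example, not Privacera's code. Precedence is an assumption modelled on
Apache Ranger: Override policies first, Deny beats Allow, no match means Deny."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Condition:
    """One row of a condition set: who it covers and which permissions."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    permissions: set = field(default_factory=set)

    def matches(self, user: str, groups: set, permission: str) -> bool:
        principal_hit = user in self.users or bool(self.groups & groups)
        perm_hit = permission in self.permissions or "all" in self.permissions
        return principal_hit and perm_hit


@dataclass
class Policy:
    name: str
    resource: str                       # resource specifier, '*' wildcards allowed
    allow: list = field(default_factory=list)
    exclude_from_allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    exclude_from_deny: list = field(default_factory=list)
    override: bool = False              # Normal/Override
    enabled: bool = True                # Enable/Disable
    valid_from: Optional[datetime] = None   # Validity Period (inclusive)
    valid_to: Optional[datetime] = None

    def is_effective(self, resource: str, now: datetime) -> bool:
        """Disabled, out-of-window or non-matching policies are ignored."""
        if not self.enabled or not fnmatchcase(resource, self.resource):
            return False
        if self.valid_from and now < self.valid_from:
            return False
        return not (self.valid_to and now > self.valid_to)

    def decide(self, user: str, groups: set, permission: str) -> Optional[str]:
        """'DENY', 'ALLOW', or None when this policy says nothing about the request.
        A matching Exclude row removes the request from its condition set."""
        def hit(rows):
            return any(c.matches(user, groups, permission) for c in rows)
        if hit(self.deny) and not hit(self.exclude_from_deny):
            return "DENY"
        if hit(self.allow) and not hit(self.exclude_from_allow):
            return "ALLOW"
        return None


def evaluate(policies, user, groups, resource, permission, now):
    """Return (decision, name of the deciding policy or None)."""
    effective = [p for p in policies if p.is_effective(resource, now)]
    for p in effective:                  # Override policies are consulted first
        if p.override and (d := p.decide(user, groups, permission)):
            return d, p.name
    verdict, source = "DENY", None       # default when no rule matches
    for p in effective:
        if p.override:
            continue
        d = p.decide(user, groups, permission)
        if d == "DENY":
            return d, p.name             # any Deny wins over Allow
        if d == "ALLOW":
            verdict, source = d, p.name
    return verdict, source


# Constructed sample policies; resources are written as database/table/column.
NOW, LATER = datetime(2021, 9, 9), datetime(2021, 10, 5)
SAMPLE_POLICIES = [
    Policy("sales-read", "sales/*/*",
           allow=[Condition(groups={"analysts"}, permissions={"select"})],
           exclude_from_allow=[Condition(users={"intern"}, permissions={"all"})],
           deny=[Condition(users={"contractor"}, permissions={"all"})]),
    Policy("orders-freeze", "sales/orders/*", override=True,
           deny=[Condition(groups={"analysts"}, permissions={"select"})],
           valid_from=datetime(2021, 9, 1), valid_to=datetime(2021, 9, 30)),
    Policy("disabled-open", "sales/*/*", enabled=False,
           allow=[Condition(users={"intern"}, permissions={"all"})]),
]
```

`evaluate(SAMPLE_POLICIES, "alice", {"analysts"}, "sales/orders/total", "select", NOW)` returns `("DENY", "orders-freeze")` while the override window is open and `("ALLOW", "sales-read")` at `LATER`.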

Service-Specific Policy Configuration Settings#

Service Name                                       Supported Policy Type
Hive, Presto, MS SQL, Postgres, Snowflake          Access, Masking, Row Level Filter
S3, DynamoDB, Athena, Glue, Redshift, Kinesis,     Access
Lambda, ADLS, Kafka, PowerBI, GCS, GBQ, and Files

Hive#

  • Database: Specify the database name.

    • Table/UDF: Specify the table or UDF name.

    • Column: Specify the column name.

    Note: By default the 'Include' option is selected, which allows access to all the above fields. To deny access instead, toggle to the 'Exclude' option.

  • URL: Specify the cloud storage path. For example - s3a://user/poc/sales.txt where the end-user permission is needed to read/write the Hive data from/to a cloud storage path.

    • Recursive

    • Non-recursive

  • Global: Specify global dataset.

  • Allow Conditions:

    • Policy Conditions: This option allows the user to add custom conditions that are evaluated along with the authorization request.

      • Accessed Together?: This option allows the specified columns (minimum 2) to be accessed only when they are requested together in a query.

        For example: default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC

        With the above condition the user can access the EMP_SSN and CC columns only when both are mentioned together in the query; otherwise a permission denied error is returned.

      • Not Accessed Together?: This option denies the specified columns (minimum 2) when they are requested together in a query.

        For example: default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC

        With the above condition the user is denied the EMP_SSN and CC column data when both are mentioned together in the query, and a permission denied error is returned.

    • Permission: Add permissions as required. The available permissions are:

      • Select

      • Update

      • Create

      • Drop

      • Alter

      • Index

      • Lock

      • All

      • Read

      • Write
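The 'Accessed Together?' and 'Not Accessed Together?' conditions applied to the column set of a query, as an added Python example that is not Privacera's code; the small statement parser is a constructed helper that understands only 'SELECT columns FROM db.table', and the column pair is the one from the example above.

```python
"""The 'Accessed Together?' and 'Not Accessed Together?' policy conditions applied
to the columns a query touches. Added example, not Privacera's code; the parser
is a constructed helper that only understands 'SELECT <columns> FROM <db.table>'."""
import re

# Column pair from the page's example, written exactly as the condition expects.
SSN_AND_CC = frozenset({"default.employeepersonalview.EMP_SSN",
                        "default.employeepersonalview.CC"})

_SELECT = re.compile(r"\s*select\s+(.+?)\s+from\s+([\w.]+)", re.I | re.S)


def referenced_columns(sql: str) -> set:
    """Fully qualified db.table.column names a simple SELECT touches.
    Unqualified columns are qualified with the single FROM table."""
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("only 'SELECT <columns> FROM <db.table>' is supported here")
    columns, table = m.group(1), m.group(2)
    return {c.strip() if c.count(".") == 2 else f"{table}.{c.strip()}"
            for c in columns.split(",")}


def accessed_together_ok(requested: set, together: frozenset) -> bool:
    """Allow the listed columns only when the query names all of them; a query
    that names none of them is not affected by the condition."""
    touched = requested & together
    return not touched or touched == set(together)


def not_accessed_together_ok(requested: set, apart: frozenset) -> bool:
    """Deny when every listed column appears in the same query."""
    return not apart <= requested


def check_query(sql: str, accessed_together=frozenset(),
                not_accessed_together=frozenset()) -> str:
    """Return 'ALLOWED' or a 'DENIED: ...' reason for one query."""
    columns = referenced_columns(sql)
    if accessed_together and not accessed_together_ok(columns, accessed_together):
        return "DENIED: the listed columns must be accessed together"
    if not_accessed_together and not not_accessed_together_ok(columns, not_accessed_together):
        return "DENIED: the listed columns must not be accessed together"
    return "ALLOWED"
```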

Hive - Masking Policy#

  • Hive Database: Select the appropriate database. This field holds the list of Hive databases.

  • Hive Table: Select the appropriate table. This field holds the list of Hive tables.

  • Hive Column: Select the appropriate column. This field holds the list of Hive columns.

  • Masking Conditions:

    • Permissions: Tick the permission as 'Select'. At present, only 'Select' permission is available. 

    • Select Masking Options: You may select only one masking option from the list below:

      • Redact: This option masks all alphabetic characters with 'x' and all numeric characters with 'n'.

      • Partial mask: show last 4 – This option shows only the last four characters.

      • Partial mask: show first 4 – This option shows only the first four characters.

      • Hash: This option replaces every character of the cell value with '#'.

      • Nullify: This option replaces the cell value with NULL.

      • Unmasked (retain original value): This option is used when no masking is required.

      • Date: show only year: This option shows only the year portion of a date string and sets the month and day to 01/01.

      • Custom: With this option you enter a custom masked value or expression. Custom masking can use any valid Hive UDF that returns the same data type as the column being masked.

Hive - Row Level Filter#

  • Hive Database: Enter the appropriate database name.

  • Hive Table: Enter the appropriate table name.

  • Row Level Conditions:

    • Permissions: Click the Add Permissions and tick as 'Select'. At present, only 'Select' permission is available. 

    • Row Level Filter: Click Add Row Filter and enter a valid SQL predicate; the policy applies it to the selected roles/groups/users. Note: Row level filtering works by adding the predicate to the query, so if the predicate is not valid SQL the query can fail. If you do not wish to apply a row level filter, leave this field blank; in that case only 'Select' access is applied.

AWS S3#

  • Bucket Name: Specify the bucket name. For example: aws-athena-query-result

    Note: Wildcard characters such as '*' are allowed if you want to give access to all buckets.

  • Object Path: Specify the object path. It accepts wildcard character such as '*'.

    • Recursive: This allows you to view multiple folders based on the mentioned object path.

    • Non-recursive: This allows you to view specific folders based on the mentioned object path.

Example:

If the Bucket name is {bucket-AWS} and the Object path is {path1}:

  • Sample 1: s3://bucket-AWS/path1/

  • Sample 2: s3://bucket-AWS/path1/path2/

If Recursive is selected, you can view the files in folder path1 as well as the files in folder path2.

If Non-recursive is selected, you can only see as far as path1.

  • Allow Conditions:

    • Permissions: 

      • Read: READ permission on the URL permits the user to perform HiveServer2 operations that use S3 as a data source for Hive tables.

      • Write: WRITE permission on the URL permits the user to perform HiveServer2 operations that write data to the specified S3 location.

      • Delete: DELETE permission allows you to delete the resource.

      • Metadata Read: METADATA READ permission allows you to run HEAD operations on objects. It also allows listing buckets, listing objects and retrieving object metadata.

      • Metadata Write: METADATA WRITE permission allows you to modify an object's metadata and its ACL, tagging, CORS, etc.

      • Admin: Administrators can edit or delete the policy, and can also create child policies based on the original policy.
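How the Bucket Name, Object Path and Recursive/Non-recursive settings decide which objects a policy covers, as an added Python example that is not Privacera's code; the segment-wise wildcard matching is an assumption about the product's behaviour, and the sample URLs are constructed around the page's bucket-AWS/path1 example.

```python
"""Match S3 object URLs against a policy's Bucket Name and Object Path, honouring
the '*' wildcard and the Recursive / Non-recursive switch described above.
Added example, not Privacera's code; segment-wise matching is an assumption."""
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def _segments(path: str) -> list:
    return [s for s in path.split("/") if s]


def _segments_match(spec: list, key: list) -> bool:
    """Each spec segment must match its key segment; '*' never crosses a '/'."""
    return len(spec) == len(key) and all(fnmatchcase(k, s) for s, k in zip(spec, key))


def matches_resource(url: str, bucket_name: str, object_path: str, recursive: bool) -> bool:
    """True when `url` falls under the policy's Bucket Name + Object Path.
    Recursive covers the path and everything beneath it; Non-recursive covers the
    path itself and objects directly inside it, but no deeper folders."""
    u = urlparse(url)
    if u.scheme not in ("s3", "s3a") or not fnmatchcase(u.netloc, bucket_name):
        return False
    spec, key = _segments(object_path), _segments(u.path)
    if recursive:
        return _segments_match(spec, key[:len(spec)])
    return _segments_match(spec, key) or _segments_match(spec, key[:-1])


# Constructed sample requests built on the page's example (bucket-AWS, path1).
SAMPLE_URLS = [
    "s3://bucket-AWS/path1/",
    "s3://bucket-AWS/path1/sales.txt",
    "s3://bucket-AWS/path1/path2/sales.txt",
    "s3://bucket-AWS/path10/sales.txt",        # same prefix, different folder
    "s3://other-bucket/path1/sales.txt",
]


def visible(urls, bucket_name: str, object_path: str, recursive: bool) -> list:
    """Which of the given URLs a policy with these specifiers would cover."""
    return [u for u in urls if matches_resource(u, bucket_name, object_path, recursive)]
```

With `bucket_name="bucket-AWS"` and `object_path="path1"`, Recursive covers the first three sample URLs and Non-recursive only the first two; `path10` is never matched because segments are compared whole.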

Presto#

  • Catalog: Specify the catalog name.

    • Schema: Specify the schema name. 

    • Sessionproperty: Specify the session property. 

    • Table: Specify the table name.

    • Procedure: Specify the procedure name.

    • Column: Specify the column name.

  • Prestouser:

  • Systemproperty:

  • Function: 

  • Allow Conditions:

    • Permissions:

      • Select

      • Insert

      • Create

      • Drop

      • Delete

      • Use

      • Alter

      • Grant

      • Revoke

      • Show

      • Impersonate

      • All

      • Execute

      • Create View

  • Delegate Admin: Assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Presto - Masking Policy#

  • Presto Catalog

  • Presto Schema

  • Presto Table

  • Presto Column

  • Masking Conditions:

    • Permissions

      • Select: Tick the permission as 'Select'. At present, only 'Select' permission is available.

    • Select Masking Option: You may select only one masking option from the list below.

      • Redact: This option masks all alphabetic characters with 'x' and all numeric characters with 'n'.

      • Partial mask: show last 4 – This option shows only the last four characters.

      • Partial mask: show first 4 – This option shows only the first four characters.

      • Hash: This option replaces every character of the cell value with '#'.

      • Nullify: This option replaces the cell value with NULL.

      • Unmasked (retain original value): This option is used when no masking is required.

      • Date: show only year: This option shows only the year portion of a date string and sets the month and day to 01/01.

      • Custom: With this option you enter a custom masked value or expression.
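The masking options listed for Hive above and for Presto here, implemented as plain functions in an added Python example (not Privacera's code). How hidden positions are rendered in the partial masks and how values of four characters or fewer are treated are assumptions, since the page does not say.

```python
"""Masking options from the Hive and Presto masking policies as plain functions.
Added example, not Privacera's code. Assumptions: hidden positions in the partial
masks are shown as 'x', and values of four characters or fewer are left intact."""
import re
from datetime import date
from typing import Callable, Optional


def redact(value: str) -> str:
    """Redact: letters become 'x', digits become 'n', other characters stay."""
    return re.sub(r"\d", "n", re.sub(r"[A-Za-z]", "x", value))


def _partial(value: str, keep: int, show_last: bool) -> str:
    if len(value) <= keep:          # assumption: nothing left to hide behind
        return value
    hidden = "x" * (len(value) - keep)
    return hidden + value[-keep:] if show_last else value[:keep] + hidden


def partial_show_last_4(value: str) -> str:
    """Partial mask: show last 4."""
    return _partial(value, 4, show_last=True)


def partial_show_first_4(value: str) -> str:
    """Partial mask: show first 4."""
    return _partial(value, 4, show_last=False)


def hash_mask(value: str) -> str:
    """Hash: every character of the cell value is replaced with '#'."""
    return "#" * len(value)


def nullify(value: str) -> None:
    """Nullify: the cell value is replaced with NULL."""
    return None


def date_show_only_year(value: str) -> str:
    """Date: show only year. Takes an ISO date string; month and day become 01/01."""
    return date.fromisoformat(value).replace(month=1, day=1).isoformat()


MASKS = {
    "Redact": redact,
    "Partial mask: show last 4": partial_show_last_4,
    "Partial mask: show first 4": partial_show_first_4,
    "Hash": hash_mask,
    "Nullify": nullify,
    "Unmasked": lambda v: v,        # retain original value
    "Date: show only year": date_show_only_year,
}


def apply_mask(option: str, value: Optional[str],
               custom: Optional[Callable[[str], object]] = None):
    """Apply one masking option to a cell. NULL cells stay NULL. 'Custom' takes the
    policy's expression as a callable (the page allows any Hive UDF that returns
    the column's data type)."""
    if value is None:
        return None
    if option == "Custom":
        if custom is None:
            raise ValueError("Custom masking needs an expression")
        return custom(value)
    if option not in MASKS:
        raise ValueError(f"unknown masking option: {option!r}")
    return MASKS[option](value)
```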

Presto - Row Level Filter#

  • Presto Catalog

  • Presto Schema

  • Presto Table

  • Row Level Conditions:

    • Permissions: Click the Add Permissions and tick as 'Select'. At present, only 'Select' permission is available.  

    • Row Level Filter: Click the Add Row Filter and enter the valid SQL predicate to which the policy will be applied based on selected role/groups/users. Note: Row level filtering works by adding the predicate to the query. If the query is not valid, it will fail.

DynamoDB#

  • Table: Specify the table name. 

  • Attribute: Specify the attribute name.

  • Allow Conditions

    • Permissions:

      • Read

      • Write

      • Create

      • Delete

      • List tables

      • Admin

  • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Athena#

  • Workgroup: Specify the workgroup name of Athena. 

    • Datasource: Specify the name of datasource.

    • Database: Specify the name of database. 

    • Table: Specify the name of table. 

    • Column: Specify the name of column.

  • URL: Specify the cloud storage path. For example - s3a://user/poc/sales.txt where the end-user permission is needed to access the data from/to a cloud storage path.

  • Allow Conditions:

    • Permissions:

      • BatchGetNamedQuery

      • BatchGetQueryExecution

      • CreateNamedQuery

      • CreateWorkGroup

      • DeleteNamedQuery

      • DeleteWorkGroup

      • GetNamedQuery

      • GetQueryExecution

      • GetQueryResults

      • GetWorkGroup

      • ListNamedQueries

      • ListQueryExecutions

      • ListTagsForResource

      • ListWorkGroups

      • StartQueryExecution

      • StopQueryExecution

      • TagResource

      • UntagResource

      • UpdateWorkGroup

      • Alter

      • Create

      • Describe

      • Drop

      • Insert

      • MSCK Repair

      • Select

      • Show

      • ListDataCatalogs

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Glue#

  • Database: Specify the database name.

  • Table: Specify the table name.

    Note: Wildcard characters such as '*' are allowed in the above fields.

  • Allow Conditions:

    • Permissions:

      • GetCatalogImportStatus

      • GetDatabases

      • GetDatabase

      • GetTables

      • GetTable

      • CreateTable

      • CreateDatabase

      • DeleteDatabase

      • DeleteTable

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Redshift#

  • Global: Specify the Redshift host IP. To get the Redshift host IP, connect to the Redshift environment and run this query: SELECT inet_server_addr() as host, inet_server_port() as port

  • Database: Specify the database name.

    • Schema: Specify the schema name.  

    • Table: Specify the table name.  

    • Column: Specify the column name.

  • Cluster: Specify the cluster IP.

  • Allow Condition:

    • Permissions:

      • Create Database

      • Create Schema

      • Usage Schema

      • Create Table

      • Select

      • Insert

      • Update

      • Delete

      • ListClusters

      • CreateCluster

      • UpdateCluster

      • DeleteCluster

      • ResizeCluster

      • PauseCluster

      • RebootCluster

      • CreateSnapshot

      • RestoreSnapshot 

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Kinesis#

  • Kinesis_Datastream: Specify the datastream name.

  • Kinesis_Firehose: Specify the firehose name.

  • Allow Conditions:

    • Permissions:

      • PutRecord

      • CreateDeliveryStream

      • DeleteDeliveryStream

      • ListDeliveryStreams

      • UpdateDestination

      • PutRecordBatch

      • ListTagsForDeliveryStream

      • StartDeliveryStreamEncryption

      • StopDeliveryStreamEncryption

      • TagDeliveryStream

      • UntagDeliveryStream

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Lambda#

  • Function: Specify the function name of Lambda.

  • Layer: Specify the layer name of Lambda. 

    Note: You are allowed to enter wildcard characters such as '*'.

  • Allow Conditions:

    • Permissions:

      • ListAliases

      • ListEventSourceMappings

      • ListFunctionEventInvokeConfigs

      • ListFunctions

      • ListLayers

      • ListLayerVersions

      • ListProvisionedConcurrencyConfigs

      • ListVersionsByFunction

      • GetAccountSettings

      • GetAlias

      • GetEventSourceMapping

      • GetFunction

      • GetFunctionConcurrency

      • GetFunctionConfiguration

      • GetFunctionEventInvokeConfig

      • GetLayerVersion

      • GetLayerVersionByArn

      • GetLayerVersionPolicy

      • GetPolicy

      • GetProvisionedConcurrencyConfig

      • ListTags

      • CreateAlias

      • CreateEventSourceMapping

      • CreateFunction

      • DeleteAlias

      • DeleteEventSourceMapping

      • DeleteFunction

      • DeleteFunctionConcurrency

      • DeleteFunctionEventInvokeConfig

      • DeleteLayerVersion

      • DeleteProvisionedConcurrencyConfig

      • InvokeFunction

      • PublishLayerVersion

      • PublishVersion

      • PutFunctionConcurrency

      • PutFunctionEventInvokeConfig

      • PutProvisionedConcurrencyConfig

      • TagResource

      • UntagResource

      • UpdateAlias

      • UpdateEventSourceMapping

      • UpdateFunctionCode

      • UpdateFunctionConfiguration

      • UpdateFunctionEventInvokeConfig

      • AddLayerVersionPermission

      • AddPermission

      • RemoveLayerVersionPermission

      • RemovePermission

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

MSSQL#

  • Database

  • Schema

  • Table

  • Column

  • Allow Conditions:

    • Permissions

      • Create Database

      • Create Schema

      • Create Table

      • Select

      • Insert

      • Update

      • Delete

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

MSSQL - Masking Policy#

  • Database

  • Schema

  • Table

  • Column

  • Masking Conditions:

    • Permissions

      • Select

    • Select Masking Options:

      • Default

      • Nullify: This option replaces all the characters with NULL value. 

      • Unmasked: This option is used when no masking is required. 

      • Custom: Using this option you need to mention a custom masked value or expression. 

MSSQL - Row Level Filter#

  • Database

  • Schema

  • Table

  • Row Level Conditions:

    • Permissions: Click the Add Permissions and tick as 'Select'. At present, only 'Select' permission is available.

    • Row Level Filter: Click Add Row Filter and enter a valid SQL predicate; the policy applies it to the selected roles/groups/users. Note: Row level filtering works by adding the predicate to the query. If the resulting query is not valid, it will fail.

ADLS#

  • Account Name

  • Container Name

  • Object Path

  • Allow Conditions:

    • Permissions:

      • Read: READ permission on the URL permits the user to perform HiveServer2 operations that use S3 as a data source for Hive tables.

      • Write: WRITE permission on the URL permits the user to perform HiveServer2 operations that write data to the specified S3 location.

      • Delete: DELETE permission allows you to delete the resource.

      • Metadata Read: METADATA READ permission allows you to run HEAD operations on objects. It also allows listing buckets, listing objects and retrieving object metadata.

      • Metadata Write: METADATA WRITE permission allows you to modify an object's metadata and its ACL, tagging, CORS, etc.

      • Admin: Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Postgres#

  • Global

  • Database

    • Schema

    • Table

    • Column

  • Allow Conditions:

  • Permissions:

    • Create Database

    • Connect Database

    • Create Schema

    • Usage Schema

    • Create Table

    • Select

    • Insert

    • Update

    • Delete

    • Truncate

  • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Postgres - Masking Policy#

  • Database

  • Schema

  • Table

  • Column

  • Masking Conditions:

    • Permissions

      • Select

    • Select Masking Option:

      • Default:

      • Nullify: This option replaces all the characters with NULL value. 

      • Unmasked: This option is used when no masking is required. 

      • Custom: Using this option you need to mention a custom masked value or expression. 

Postgres - Row Level Filter#

  • Database

  • Schema

  • Table

  • Row Level Conditions:

    • Permissions: Click the Add Permissions and tick as 'Select'. At present, only 'Select' permission is available.

    • Row Level Filter: Click Add Row Filter and enter a valid SQL predicate; the policy applies it to the selected roles/groups/users. Note: Row level filtering works by adding the predicate to the query. If the resulting query is not valid, it will fail.

Kafka#

  • Topic

  • Transactionalid

  • Cluster

  • Delegationtoken

  • Consumergroup

  • Policy Conditions

    • Add Conditions

  • Allow Conditions:

    • Policy Conditions

      • Add Conditions

    • Permissions

      • Consume

      • Describe

      • Delete

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Snowflake#

  • Warehouse: Specify the warehouse name of Snowflake.

  • Database: Specify the database name.

    • Schema: Specify the schema name.

    • Table/View: Specify the table or view name.

    • Column: Specify the column name.

  • Global: Specify the Snowflake account name. To get the Snowflake account name, connect to the Snowflake environment and run this query: select current_account() as account

  • Allow Conditions

    • Permissions

      • CreateSchema

      • CreateTmpTable

      • CreateTable

      • UseSchema

      • Select

      • Insert

      • Update

      • Delete

      • UseDB

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Note

When you create a policy for a table with UPDATE and DELETE permissions granted to a user/group/role, you must choose the SELECT permission along with it.

Snowflake - Masking Policy#

  • Database: Specify the database name.

  • Schema: Specify the schema name.

  • Table/View: Specify the table or view name.

  • Column: Specify the column name. 

  • Masking Conditions:

    • Permissions: Tick the permission as 'Select'. At present, only 'Select' permission is available.

    • Select Masking Option: You are allowed to select only one masking option from the below list -

      • Default:

      • Hash: This option replaces all the characters with '#' of entire cell value.

      • Nullify: This option replaces all the characters with NULL value.

      • Unmasked (retain original value): This option is used when no masking is required.

      • Regular expression:

      • Literal mask:

      • Partial mask: show last 4 - This option shows only the last four characters.

      • Partial mask: show first 4 - This option shows only the first four characters.

      • Protect:

      • Unprotect:

      • Custom: Using this option you need to mention a custom masked value or expression.

Snowflake - Row Level Filter#

  • Database: Specify the database name.

  • Schema: Specify the schema name. 

  • Table: Specify the table name. 

  • Row Level Conditions:

    • Permissions: Click the Add Permissions and tick as 'Select'. At present, only 'Select' permission is available.

    • Row Level Filter: Click Add Row Filter and enter a valid SQL predicate; the policy applies it to the selected roles/groups/users. Note: Row level filtering works by adding the predicate to the query. If the resulting query is not valid, it will fail.

PowerBI#

  • Workspace

  • Allow Conditions:

    • Permissions

      • Contributor

      • Member

      • Admin

      • None

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

GCS#

  • Project ID

  • Bucket Name

  • Object Path

    • Recursive/Non-recursive:

  • Allow Conditions

    • Permissions:

      • Read: READ permission on the URL permits the user to perform HiveServer2 operations that use S3 as a data source for Hive tables.

      • Write: WRITE permission on the URL permits the user to perform HiveServer2 operations that write data to the specified S3 location.

      • Delete: DELETE permission allows you to delete the resource.

      • Metadata Read: METADATA READ permission allows you to run HEAD operations on objects. It also allows listing buckets, listing objects, and retrieving object metadata.

      • Metadata Write: METADATA WRITE permission allows you to modify an object's metadata and its ACL, tagging, CORS, etc.

      • Admin: Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

GBQ#

  • Project ID

  • Dataset Name

  • TableName

  • Column Name 

  • Allow Conditions

    • Permissions

      • CreateTable

      • CreateTableAsSelect

      • CreateView

      • Delete

      • DropTable

      • DropView

      • Insert

      • Query

      • Update

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Files#

  • Resource Path

    • Recursive/Non-Recursive:

  • Allow Conditions

    • Permissions

      • Read

      • Write

    • Delegate Admin: Select 'Delegate Admin' to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Databricks#

By default, Databricks File System (DBFS) is protected by Privacera. This blocks common tasks like adding jars/libraries into the cluster. For example, when you try to install a library into a protected DBFS cluster, the following exception will be displayed:

Exception

Exception while installing a Jar in Databricks Cluster with Plugin enabled? java.lang.RuntimeException: ManagedLibraryInstallFailed: java.security.AccessControlException: Access denied for resource [dbfs:/local_disk0/tmp/addedFile4604599454488620309privacera_crypto_jar_with_dependencies-eba20.jar] action [READ] for library:JavaJarId(dbfs:/privacera/crypto/jars/privacera-crypto-jar-with-dependencies.jar,,NONE),isSharedLibrary=false

To grant permissions to read/write on DBFS, you need to create an access policy. Also, the access to DBFS will be audited.

To create an access policy for Databricks, do the following:

  1. Go to Access Management > Resource Policies > privacera_files.
  2. Click Add New Policy.
  3. Enter the following details:

    1. Policy Name: Access to Temporary Folder for adding libraries
    2. Resource: dbfs:/local_disk0/tmp

      Note

      Make sure the Recursive box next to the Resource field is checked.

    3. Group: public

    4. Permission: read & write

Note

The above policy grants permission to all users. To restrict it to certain users, grant the permission to the appropriate users or groups instead of the group public.


Last update: September 9, 2021