
PolicySync#

The following tables list the custom properties that can be configured for PolicySync connectors. To use a custom property, add it to the matching YML file below, in the custom-vars folder configured for your environment:

  • vars.policysync.snowflake.yml
  • vars.policysync.postgres.yml
  • vars.policysync.mssql.yml
  • vars.policysync.redshift.yml
Property Description Values Default Value
POLICYSYNC_IMAGE_NAME
POLICYSYNC_IMAGE_TAG
POLICYSYNC_ENABLE true, false false

Common#

Property Description Values Default Value

POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY



After users, groups, and roles are loaded from the Ranger APIs, all names are converted to lowercase. In some cases, you need the users in the same case as they are in Ranger.

Set this value to true to keep the names in the same case as they are in Ranger.

true, false

false

Memory Variables
POLICYSYNC_HEAP_MIN_MEMORY_MB Minimum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024"
POLICYSYNC_HEAP_MIN_MEMORY Minimum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MIN_MEMORY_MB. For example, POLICYSYNC_HEAP_MIN_MEMORY: "1g"
POLICYSYNC_HEAP_MAX_MEMORY_MB Maximum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MAX_MEMORY_MB: "1024"
POLICYSYNC_HEAP_MAX_MEMORY Maximum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MAX_MEMORY_MB. For example, POLICYSYNC_HEAP_MAX_MEMORY: "1g"
POLICYSYNC_K8S_MEM_REQUESTS_MB Minimum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_REQUESTS_MB: "1024"
POLICYSYNC_K8S_MEM_REQUESTS Minimum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_REQUESTS_MB. For example, POLICYSYNC_K8S_MEM_REQUESTS: "1G"
POLICYSYNC_K8S_MEM_LIMITS_MB Maximum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_LIMITS_MB: "1024"
POLICYSYNC_K8S_MEM_LIMITS Maximum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_LIMITS_MB. For example, POLICYSYNC_K8S_MEM_LIMITS: "1G"
POLICYSYNC_CPU_MIN Minimum amount of Kubernetes CPU to be requested by PolicySync. For example, POLICYSYNC_CPU_MIN: "0.5"
POLICYSYNC_CPU_MAX Maximum amount of Kubernetes CPU to be used by PolicySync. For example, POLICYSYNC_CPU_MAX: "0.5"

Connectors Global Properties#

Snowflake Connector#

Property Description Values Default Value
SNOWFLAKE_MANAGE_DATABASE_LIST Add the database names to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}
Use comma-separated values to enter multiple databases.
customer,sales  
SNOWFLAKE_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
SNOWFLAKE_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
SNOWFLAKE_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
SNOWFLAKE_IGNORE_DATABASE_LIST

Add the Snowflake databases on which you do not want to apply PolicySync. You can add multiple, comma-separated databases.

By default, DEMO_DB, SNOWFLAKE, UTIL_DB, and SNOWFLAKE_SAMPLE_DATA are the databases that are ignored. It is recommended not to remove them from the property when adding new databases to the list.

Note: Access control is not applied on databases that have been imported into Snowflake from a different source. It is recommended to add the imported databases to the list of databases to be ignored.

The following is an example of the property. Its value contains the default databases and the COVID19_BY_STARSCHEMA database, on which PolicySync will not apply access policies.

SNOWFLAKE_IGNORE_DATABASE_LIST: "DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA,COVID19_BY_STARSCHEMA"

  DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA
SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP Set this value to true to perform PolicySync operations only on users who belong to the specified groups. true, false false
SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE Set this value to true to perform PolicySync operations only on users who belong to the specified roles. true, false false
SNOWFLAKE_ENABLE_VIEW_BASED_ROW_FILTER

Some SQL databases do not have a native capability to provide row filters. As an alternative to row filters on tables, you can create a view based on the row filter conditions specified in the Ranger Row Filter policy, and then query these secure views.

true, false true
SNOWFLAKE_ENABLE_VIEW_BASED_MASKING

Some SQL databases do not have a native capability to provide masking. As an alternative to masking on tables, you can create a view based on the masking conditions specified in the Ranger Masking policy, and then query these secure views.

true, false false
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME

By default, the secure views for view-based row filters and masking are created in the same schema as the original table. To keep these secure views in a separate schema, provide the schema name in this property.

 

SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_PREFIX

SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, the secure views for view-based row filters and masking have the same schema name as the table schema name. To change the prefix and postfix of the secure view schema name, use these properties. After the prefix and postfix are specified, the view schema name has this format: {prefix}{view_schema_name}{postfix}

For {view_schema_name}, refer to the variable SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME.

 

SNOWFLAKE_SECURE_VIEW_NAME_PREFIX

SNOWFLAKE_SECURE_VIEW_NAME_POSTFIX

By default, the secure views for view-based row filters and masking have the same name as the table, postfixed with _secure. To change the prefix and postfix of the secure view name, use these properties. After the prefix and postfix are specified, the view name has this format: {prefix}{table_name}{postfix}

 
SNOWFLAKE_SECURE_VIEW_CREATE_FOR_ALL

To create secure views regardless of the masking/row filter policies that exist in Privacera Ranger, set this to true.

true, false false
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

SNOWFLAKE_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

SNOWFLAKE_CREATE_USER

Set this value to true if you want PolicySync to create users in Snowflake.

Set the value to false if you do not want PolicySync to create users in your Snowflake account, or if they are already created.

true, false

true

SNOWFLAKE_CREATE_USER_ROLE

Set this value to true if you want PolicySync to create user roles in Snowflake.

Set the value to false if you do not want PolicySync to create users in your Snowflake account.

true, false

true

SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in SNOWFLAKE_USER_NAME_REPLACE_TO_STRING property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL

Set this property to true when policysync creates users in Snowflake and you want to use the user's email address as a login name.

true, false

false
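The value formats and special values described for the SNOWFLAKE_MANAGE_*_LIST and SNOWFLAKE_IGNORE_DATABASE_LIST properties can be checked before deployment, because a malformed entry leaves objects outside policy enforcement without any visible error. The following lint is an added example, not Privacera code; the function names, the sample values, the case-insensitive comparison, and the check that a schema/table/view entry names a database from SNOWFLAKE_MANAGE_DATABASE_LIST are assumptions.

```python
# Added example, not Privacera code: lint the Snowflake scope properties from
# vars.policysync.snowflake.yml before PolicySync starts applying policies.

DEFAULT_IGNORED = {"DEMO_DB", "SNOWFLAKE", "UTIL_DB", "SNOWFLAKE_SAMPLE_DATA"}
IGNORE_KEY = "SNOWFLAKE_IGNORE_DATABASE_LIST"
DB_KEY = "SNOWFLAKE_MANAGE_DATABASE_LIST"

# Dot-separated parts each list expects, per the formats documented above.
EXPECTED_PARTS = {
    DB_KEY: 1,                          # {database_name}
    "SNOWFLAKE_MANAGE_SCHEMA_LIST": 2,  # {database_name}.{schema_name}
    "SNOWFLAKE_MANAGE_TABLE_LIST": 3,   # {database_name}.{schema_name}.{table_name}
    "SNOWFLAKE_MANAGE_VIEW_LIST": 3,    # {database_name}.{schema_name}.{view_name}
}

# Constructed sample values with four mistakes and one blank list.
SAMPLE = {
    DB_KEY: "customer,sales",
    "SNOWFLAKE_MANAGE_SCHEMA_LIST": "customer.*,finance.ledger",
    "SNOWFLAKE_MANAGE_TABLE_LIST": "customer.customer_schema1.table1,sales.orders",
    "SNOWFLAKE_MANAGE_VIEW_LIST": "",
    IGNORE_KEY: "DEMO_DB,SNOWFLAKE,UTIL_DB,sales",
}


def split_csv(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def lint_scope(props):
    """Return a list of (property, message) findings for a dict of properties."""
    findings = []
    # Assumption: database names are compared case-insensitively.
    managed = {d.upper() for d in split_csv(props.get(DB_KEY))}
    if IGNORE_KEY in props:
        ignored = {d.upper() for d in split_csv(props[IGNORE_KEY])}
    else:
        ignored = set(DEFAULT_IGNORED)  # documented default value

    for key, want in EXPECTED_PARTS.items():
        raw = (props.get(key) or "").strip()
        if want > 1 and raw == "":
            # Documented: a blank schema/table/view list manages everything.
            findings.append((key, "blank: all objects of this type are managed"))
            continue
        if want > 1 and raw.lower() == "none":
            continue  # documented: nothing of this type is managed
        for entry in split_csv(raw):
            parts = entry.split(".")
            if len(parts) != want or "" in parts:
                findings.append((key, f"{entry}: expected {want} dot-separated part(s)"))
            elif "*" in parts[:-1] or (want == 1 and "*" in parts):
                findings.append((key, f"{entry}: '*' is only documented as the last part"))
            elif want > 1 and managed and parts[0].upper() not in managed:
                findings.append((key, f"{entry}: database is not in {DB_KEY}"))
            elif parts[0].upper() in ignored:
                findings.append((key, f"{entry}: database is also in {IGNORE_KEY}"))

    # The page recommends keeping the default entries when extending the list.
    missing = sorted(DEFAULT_IGNORED - ignored)
    if missing:
        findings.append((IGNORE_KEY, "default entries removed: " + ",".join(missing)))
    return findings


if __name__ == "__main__":
    for prop, message in lint_scope(SAMPLE):
        print(f"{prop}: {message}")
```
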

MSSQL Connector#

MSSQL_LOAD_RESOURCE_FROM_COLUMNS

Set to true if you want to load the resources from the MSSQL/Synapse database by using the columns list.

Note: This is experimental and not production-ready.

true, false false
MSSQL_MANAGE_DATABASE_LIST Add the database name to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}
Use only a single value for MSSQL.
customer  
MSSQL_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
MSSQL_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
MSSQL_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
MSSQL_MANAGE_USER_FILTERBY_GROUP PolicySync manages the users specified in the MSSQL_MANAGE_USER_LIST property only if they are associated with a group specified in MSSQL_MANAGE_GROUP_LIST. true, false false
MSSQL_MANAGE_USER_FILTERBY_ROLE PolicySync manages the users specified in the MSSQL_MANAGE_USER_LIST property only if they are associated with a role specified in MSSQL_MANAGE_ROLE_LIST. true, false false
MSSQL_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

MSSQL_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

MSSQL_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the MSSQL_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

MSSQL_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the MSSQL_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

MSSQL_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the MSSQL_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.
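The lowercasing controlled by POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY and the *_NAME_REPLACE_FROM_REGEX / *_NAME_REPLACE_TO_STRING pair can map two distinct Ranger names onto one database principal, so grants meant for one identity also reach the other. The following check is an added example, not Privacera code; the function names, the sample names and pattern, the order of operations (lowercase first, then replace), and the use of Python's `re` in place of PolicySync's own regex engine are assumptions.

```python
# Added example, not Privacera code: find Ranger names that collapse to the same
# database principal after lowercasing and *_NAME_REPLACE_FROM_REGEX replacement.
import re
from collections import defaultdict

# Constructed sample input: names as they might appear in Ranger.
RANGER_USERS = [
    "John.Doe@example.com",
    "john_doe@example.com",
    "alice",
    "Alice",
    "svc-etl",
    "svc.etl",
]
SAMPLE_FROM_REGEX = "[^a-zA-Z0-9]"  # constructed value, not a documented default
SAMPLE_TO_STRING = "_"


def normalize(name, from_regex="", to_string="", persist_case=False):
    """Transform one Ranger name the way the properties on this page describe.

    persist_case -> POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY
    from_regex   -> e.g. MSSQL_USER_NAME_REPLACE_FROM_REGEX
    to_string    -> e.g. MSSQL_USER_NAME_REPLACE_TO_STRING
    Assumption: lowercasing runs before the replacement.
    """
    if not persist_case:
        name = name.lower()
    # Documented: if either property is blank, no find and replace is performed.
    if from_regex and to_string:
        # A function replacement keeps to_string literal (no backreferences).
        name = re.sub(from_regex, lambda _match: to_string, name)
    return name


def find_collisions(names, **settings):
    """Map each resulting name to the distinct source names that produce it."""
    buckets = defaultdict(set)
    for source in names:
        buckets[normalize(source, **settings)].add(source)
    return {
        target: sorted(sources)
        for target, sources in buckets.items()
        if len(sources) > 1
    }


if __name__ == "__main__":
    collisions = find_collisions(
        RANGER_USERS, from_regex=SAMPLE_FROM_REGEX, to_string=SAMPLE_TO_STRING
    )
    for target, sources in collisions.items():
        print(f"{target} <- {', '.join(sources)}")
```

Run it against the real user, group, and role lists exported from Ranger with the values you plan to set; an empty result means every source name keeps its own principal.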

PostgreSQL Connector#

Property Description Values Default Value
POSTGRES_MANAGE_DATABASE_LIST Add the database names to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}
Use comma-separated values to enter multiple databases.
customer,sales  
POSTGRES_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
POSTGRES_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
POSTGRES_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
POSTGRES_MANAGE_USER_FILTERBY_GROUP PolicySync manages the users specified in the POSTGRES_MANAGE_USER_LIST property only if they are associated with a group specified in POSTGRES_MANAGE_GROUP_LIST. true, false  
POSTGRES_MANAGE_USER_FILTERBY_ROLE PolicySync manages the users specified in the POSTGRES_MANAGE_USER_LIST property only if they are associated with a role specified in POSTGRES_MANAGE_ROLE_LIST. true, false false
POSTGRES_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

POSTGRES_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

POSTGRES_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the POSTGRES_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

POSTGRES_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the POSTGRES_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the POSTGRES_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

POSTGRES_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the POSTGRES_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

POSTGRES_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

Redshift Connector#

Property Description Values Default Value
REDSHIFT_MANAGE_DATABASE_LIST Add the database names to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}
Use comma-separated values to enter multiple databases.
customer,sales  
REDSHIFT_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
REDSHIFT_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
REDSHIFT_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
REDSHIFT_MANAGE_USER_FILTERBY_GROUP PolicySync manages the users specified in the REDSHIFT_MANAGE_USER_LIST property only if they are associated with a group specified in REDSHIFT_MANAGE_GROUP_LIST. true, false false
REDSHIFT_MANAGE_USER_FILTERBY_ROLE PolicySync manages the users specified in the REDSHIFT_MANAGE_USER_LIST property only if they are associated with a role specified in REDSHIFT_MANAGE_ROLE_LIST. true, false false
REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER Some SQL databases do not have a native capability to provide row filters. As an alternative to row filters on tables, you can create a view based on the row filter conditions specified in the Ranger Row Filter policy, and then query these secure views. true, false true
REDSHIFT_ENABLE_VIEW_BASED_MASKING Some SQL databases do not have a native capability to provide masking. As an alternative to masking on tables, you can create a view based on the masking conditions specified in the Ranger Masking policy, and then query these secure views. true, false true
REDSHIFT_SECURE_VIEW_SCHEMA_NAME By default, the secure views for view-based row filters and masking are created in the same schema as the original table. To keep these secure views in a separate schema, provide the schema name in this property.

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, the secure views for view-based row filters and masking have the same schema name as the table schema name. To change the prefix and postfix of the secure view schema name, use these properties. After the prefix and postfix are specified, the view schema name has this format: {prefix}{view_schema_name}{postfix}

For {view_schema_name}, refer to the variable REDSHIFT_SECURE_VIEW_SCHEMA_NAME.

   

REDSHIFT_SECURE_VIEW_NAME_PREFIX

REDSHIFT_SECURE_VIEW_NAME_POSTFIX

By default, the secure views for view-based row filters and masking have the same name as the table, postfixed with _secure. To change the prefix and postfix of the secure view name, use these properties. After the prefix and postfix are specified, the view name has this format: {prefix}{table_name}{postfix}

   
REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL To create secure views regardless of the masking/row filter policies that exist in Privacera Ranger, set this to true. true, false false
REDSHIFT_AUDIT_ENABLE      
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

 

REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

 

REDSHIFT_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the REDSHIFT_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

REDSHIFT_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the REDSHIFT_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the REDSHIFT_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

REDSHIFT_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the REDSHIFT_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

REDSHIFT_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

Databricks SQL#

Property Description Values Default Value
DATABRICKS_SQL_ANALYTICS_ENABLE     FALSE
DATABRICKS_SQL_ANALYTICS_SERVICE_TYPE     databricks_sql_analytics
DATABRICKS_SQL_ANALYTICS_CONNECTOR_NAME     DatabricksSQLAnalytics
DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST Add the database names to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}
Get its value from the Prerequisites section.
Use comma-separated values to enter multiple databases.
customer,sales  
DATABRICKS_SQL_ANALYTICS_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
DATABRICKS_SQL_ANALYTICS_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_MASKING     TRUE
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION     FALSE
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION_FUNCTION     {database}.PUBLIC.ThrowColumnAccessException('{col}')

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the user name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

It allows special characters. By default dot, underscore and hyphen special characters are supported.

  [^a-zA-Z0-9._\\\\-\\\\\\\\s+]

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

It allows special characters. By default dot, underscore and hyphen special characters are supported.

  _

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

It allows special characters. By default dot, underscore and hyphen special characters are supported.

  [^a-zA-Z0-9._\\\\-\\\\\\\\s+]

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

  _

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

  [^a-zA-Z0-9._\\\\-\\\\\\\\s+]

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

  _

DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_ACCESS_BY_TABLE

The value of this variable should be set to true if you want to apply grants on secure views by using the table policy itself.

true, false true
DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE Specify the text value to be displayed in columns of secure view (columns which don't have Select permission) when column-level access control is applied on the table. For example, DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE: "'# REDACTED #'"

'# REDACTED #'

DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE Specify the text value to be displayed in columns of the secure view (columns which have masking policies) when column masking is applied on the table. For example, DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE: "'# MASKED #'" '# MASKED #'

Last update: September 24, 2021