
PolicySync

The following tables list the custom properties that can be configured for PolicySync connectors. To use a property from a table, add it to the YML file for your connector in the custom-vars folder configured for your environment:

  • vars.policysync.snowflake.yml
  • vars.policysync.postgres.yml
  • vars.policysync.mssql.yml
  • vars.policysync.redshift.yml
  • vars.policysync.databricks.sql.analytics.yml
  • vars.policysync.bigquery.yml
  • vars.policysync.powerbi.yml
| Property | Description | Values | Default Value |
|---|---|---|---|
| POLICYSYNC_IMAGE_NAME | The PolicySync image name. | | |
| POLICYSYNC_IMAGE_TAG | The PolicySync image tag. | | |
| POLICYSYNC_ENABLE | Enable PolicySync. | true/false | false |

Common

| Property | Description | Values | Default Value |
|---|---|---|---|
| POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY | After loading users, groups and roles from the Apache Ranger APIs, all names are converted to lowercase, but in some cases you need them to keep the same case as in Apache Ranger. When this value is set to true, names keep the case they have in Apache Ranger. | true/false | false |
| DEPLOYMENT_SIZE | The size of the PolicySync deployment. | SMALL, MEDIUM or LARGE | SMALL |

Memory Variables

| Property | Description | Default Value |
|---|---|---|
| POLICYSYNC_HEAP_MIN_MEMORY_MB | Minimum Java heap memory in MB used by PolicySync. For example, `POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024"` | Depends on DEPLOYMENT_SIZE: 8192 for MEDIUM, 32768 for LARGE |
| POLICYSYNC_HEAP_MIN_MEMORY | Minimum Java heap memory used by PolicySync. Setting this value overrides POLICYSYNC_HEAP_MIN_MEMORY_MB. For example, `POLICYSYNC_HEAP_MIN_MEMORY: "1g"` | Value of POLICYSYNC_HEAP_MIN_MEMORY_MB |
| POLICYSYNC_HEAP_MAX_MEMORY_MB | Maximum Java heap memory in MB used by PolicySync. For example, `POLICYSYNC_HEAP_MAX_MEMORY_MB: "1024"` | Depends on DEPLOYMENT_SIZE: 2048 for SMALL, 8192 for MEDIUM, 32768 for LARGE |
| POLICYSYNC_HEAP_MAX_MEMORY | Maximum Java heap memory used by PolicySync. Setting this value overrides POLICYSYNC_HEAP_MAX_MEMORY_MB. For example, `POLICYSYNC_HEAP_MAX_MEMORY: "1g"` | |
| POLICYSYNC_K8S_MEM_REQUESTS_MB | Minimum amount of Kubernetes memory in MB to be requested by PolicySync. For example, `POLICYSYNC_K8S_MEM_REQUESTS_MB: "1024"` | |
| POLICYSYNC_K8S_MEM_REQUESTS | Minimum amount of Kubernetes memory to be used by PolicySync. Setting this value overrides POLICYSYNC_K8S_MEM_REQUESTS_MB. For example, `POLICYSYNC_K8S_MEM_REQUESTS: "1G"` | |
| POLICYSYNC_K8S_MEM_LIMITS_MB | Maximum amount of Kubernetes memory in MB to be requested by PolicySync. For example, `POLICYSYNC_K8S_MEM_LIMITS_MB: "1024"` | |
| POLICYSYNC_K8S_MEM_LIMITS | Maximum amount of Kubernetes memory to be used by PolicySync. Setting this value overrides POLICYSYNC_K8S_MEM_LIMITS_MB. For example, `POLICYSYNC_K8S_MEM_LIMITS: "1G"` | Value of POLICYSYNC_K8S_MEM_LIMITS_MB |
| POLICYSYNC_CPU_MIN | Minimum amount of Kubernetes CPU to be requested by PolicySync. For example, `POLICYSYNC_CPU_MIN: "0.5"` | Depends on DEPLOYMENT_SIZE: 4 for MEDIUM, 8 for LARGE |
| POLICYSYNC_CPU_MAX | Maximum amount of Kubernetes CPU to be used by PolicySync. For example, `POLICYSYNC_CPU_MAX: "0.5"` | Depends on DEPLOYMENT_SIZE: 2 for SMALL, 4 for MEDIUM, 8 for LARGE |
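The memory and CPU properties above interact: the human-readable property overrides the `_MB` property, which overrides the value implied by DEPLOYMENT_SIZE. The script below is an added example (not PolicySync's own code) that resolves the effective values from a set of properties and then runs the checks a reviewer would want before deploying, in particular that the Java heap maximum stays below the Kubernetes memory limit, since a JVM also needs non-heap memory and a heap limit at or above the container limit invites an OOM kill. The per-size defaults copy the table above (SMALL lists no minimum heap or CPU, modelled as `None`); the suffix parsing and the override order are assumptions drawn from the property descriptions.

```python
"""Resolve effective PolicySync memory/CPU settings and sanity-check them.
Added example, not PolicySync's own code."""
import re

SIZE_DEFAULTS = {  # values as listed in the reference table; None = not listed
    "SMALL":  {"heap_min_mb": None,  "heap_max_mb": 2048,  "cpu_min": None, "cpu_max": 2},
    "MEDIUM": {"heap_min_mb": 8192,  "heap_max_mb": 8192,  "cpu_min": 4,    "cpu_max": 4},
    "LARGE":  {"heap_min_mb": 32768, "heap_max_mb": 32768, "cpu_min": 8,    "cpu_max": 8},
}
_UNIT_MB = {"": 1, "m": 1, "g": 1024, "t": 1024 * 1024}


def parse_mem_mb(value):
    """Convert "1024", "1g", "1G" or "512m" to megabytes (JVM/Kubernetes-style suffixes; assumption)."""
    m = re.fullmatch(r"\s*(\d+)\s*([mMgGtT]?)\s*", str(value))
    if not m:
        raise ValueError(f"unparseable memory value: {value!r}")
    return int(m.group(1)) * _UNIT_MB[m.group(2).lower()]


def resolve(vars_):
    """Return the effective settings for a dict of vars.policysync.*.yml properties."""
    size = str(vars_.get("DEPLOYMENT_SIZE", "SMALL")).upper()
    if size not in SIZE_DEFAULTS:
        raise ValueError(f"DEPLOYMENT_SIZE must be SMALL, MEDIUM or LARGE, got {size!r}")
    d = SIZE_DEFAULTS[size]

    def pick(human_key, mb_key, default):
        # Precedence: human-readable property > _MB property > DEPLOYMENT_SIZE default.
        if human_key in vars_:
            return parse_mem_mb(vars_[human_key])
        if mb_key in vars_:
            return int(vars_[mb_key])
        return default

    def cpu(key, default):
        v = vars_.get(key, default)
        return None if v is None else float(v)

    return {
        "deployment_size": size,
        "heap_min_mb": pick("POLICYSYNC_HEAP_MIN_MEMORY", "POLICYSYNC_HEAP_MIN_MEMORY_MB", d["heap_min_mb"]),
        "heap_max_mb": pick("POLICYSYNC_HEAP_MAX_MEMORY", "POLICYSYNC_HEAP_MAX_MEMORY_MB", d["heap_max_mb"]),
        "k8s_requests_mb": pick("POLICYSYNC_K8S_MEM_REQUESTS", "POLICYSYNC_K8S_MEM_REQUESTS_MB", None),
        "k8s_limits_mb": pick("POLICYSYNC_K8S_MEM_LIMITS", "POLICYSYNC_K8S_MEM_LIMITS_MB", None),
        "cpu_min": cpu("POLICYSYNC_CPU_MIN", d["cpu_min"]),
        "cpu_max": cpu("POLICYSYNC_CPU_MAX", d["cpu_max"]),
    }


def check(eff):
    """Return a list of problems a reviewer would flag before deploying."""
    problems = []
    hmin, hmax = eff["heap_min_mb"], eff["heap_max_mb"]
    kreq, klim = eff["k8s_requests_mb"], eff["k8s_limits_mb"]
    if hmin is not None and hmax is not None and hmin > hmax:
        problems.append("heap minimum exceeds heap maximum")
    if kreq is not None and klim is not None and kreq > klim:
        problems.append("Kubernetes memory request exceeds the limit")
    # The JVM needs non-heap memory (metaspace, thread stacks, code cache) on top
    # of the heap; a heap maximum at or above the container limit means the pod
    # can be OOM-killed instead of raising a catchable OutOfMemoryError.
    if hmax is not None and klim is not None and hmax >= klim:
        problems.append("heap maximum leaves no headroom below the Kubernetes memory limit")
    if eff["cpu_min"] is not None and eff["cpu_max"] is not None and eff["cpu_min"] > eff["cpu_max"]:
        problems.append("CPU minimum exceeds CPU maximum")
    return problems


if __name__ == "__main__":
    # Constructed sample: a MEDIUM deployment whose container limit equals the heap.
    sample = {"DEPLOYMENT_SIZE": "MEDIUM", "POLICYSYNC_K8S_MEM_LIMITS": "8G",
              "POLICYSYNC_K8S_MEM_REQUESTS_MB": "4096"}
    effective = resolve(sample)
    print(effective)
    print(check(effective) or "no problems")
```

Running the sample reports the missing headroom: MEDIUM implies an 8192 MB heap, and an `8G` container limit leaves nothing for the rest of the JVM. Raising POLICYSYNC_K8S_MEM_LIMITS or lowering POLICYSYNC_HEAP_MAX_MEMORY clears the finding.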

Connectors Global Properties

Snowflake Connector

| Property | Description | Default Value | Example |
|---|---|---|---|
| JDBC_MAX_POOL_SIZE | Maximum size of the JDBC connection pool that PolicySync can use. | 15 | |
| JDBC_MIN_IDLE_CONNECTION | Minimum size of the JDBC connection pool that PolicySync can use. | 3 | |
| JDBC_LEAK_DETECTION_THRESHOLD | How long a connection can be out of the pool (in milliseconds) before a message indicating a possible connection leak is logged. A value of 0 disables leak detection. | 900000L | |
| SNOWFLAKE_IGNORE_WAREHOUSE_LIST | Comma-separated warehouse names whose access controls you do not want PolicySync to manage. Leave blank to ignore no warehouse. Accepts wildcards. Takes precedence over the manage database list option. | `""` | `testdb1warehouse,testdb2warehouse,sales_dbwarehouse*` |
| SNOWFLAKE_IGNORE_DATABASE_LIST | Comma-separated database names whose access controls you do not want PolicySync to manage. Leave blank to ignore no database. Accepts wildcards. Takes precedence over the manage database list option. | `""` | `testdb1, testdb2, sales_db*` |
| SNOWFLAKE_IGNORE_SCHEMA_LIST | Comma-separated schema FQDNs whose access controls you do not want PolicySync to manage. Leave blank to ignore no schema. Accepts wildcards. Takes precedence over the manage database list option. | `""` | `testdb1.schema1,testdb2.schema2,sales_db*.sales*` |
| SNOWFLAKE_IGNORE_TABLE_LIST | Comma-separated table/view FQDNs whose access controls you do not want PolicySync to manage. Leave blank to ignore no table/view. Accepts wildcards. Takes precedence over the manage database list option. | `""` | `testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*` |
| SNOWFLAKE_CREATE_USER | Whether PolicySync creates users in Snowflake for users retrieved from the portal. | true | true/false |
| SNOWFLAKE_CREATE_USER_ROLE | Whether PolicySync creates a role over the end user in Snowflake for users retrieved from the portal. | true | true/false |
| SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL | Whether the email address is used as the login name when creating a new user in Snowflake. | false | true/false |
| SNOWFLAKE_USER_ROLE_PREFIX | Prefix for the Ranger user role that PolicySync creates in Snowflake. For example, for a user named john in Apache Ranger and the prefix test_user_, the role created for john in Snowflake is test_user_john. | `{{ SNOWFLAKE_ENTITY_ROLE_PREFIX }}user_` | |
| SNOWFLAKE_GROUP_ROLE_PREFIX | Prefix for the role that PolicySync creates in Snowflake for a Ranger group. For example, for a Ranger group named dev and the prefix test_group_, the role created for dev in Snowflake is test_group_dev. | `{{ SNOWFLAKE_ENTITY_ROLE_PREFIX }}group_` | |
| SNOWFLAKE_ROLE_ROLE_PREFIX | Prefix for the role that PolicySync creates in Snowflake for a Ranger role. For example, for a Ranger role named finance and the prefix test_role_, the role created for finance in Snowflake is test_role_finance. | `{{ SNOWFLAKE_ENTITY_ROLE_PREFIX }}role_` | |
| POLICYSYNC_V2_MANAGE_ENTITIES | Whether PolicySync manages users, groups and roles. | true | |
| SNOWFLAKE_MANAGE_USERS | Whether PolicySync manages users and user role membership. | true | |
| SNOWFLAKE_MANAGE_ROLES | Whether PolicySync creates roles in Snowflake for roles fetched from Ranger. | true | |
| SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a user name are replaced with the string in SNOWFLAKE_USER_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| SNOWFLAKE_USER_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed. | `_` | |
| SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a group name are replaced with the string in SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed. | `_` | |
| SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a role name are replaced with the string in SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed. | `_` | |
| SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY | After loading users from the Apache Ranger APIs, all names are converted to lowercase, but in some cases you need them to keep the same case as in Apache Ranger. When set to true, the case of names in Apache Ranger is preserved. | false | true/false |
| SNOWFLAKE_GROUP_NAME_PERSIST_CASE_SENSITIVITY | After loading groups from the Apache Ranger APIs, all names are converted to lowercase, but in some cases you need them to keep the same case as in Apache Ranger. When set to true, the case of names in Apache Ranger is preserved. | false | true/false |
| SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY | After loading roles from the Apache Ranger APIs, all names are converted to lowercase, but in some cases you need them to keep the same case as in Apache Ranger. When set to true, the case of names in Apache Ranger is preserved. | false | true/false |
| SNOWFLAKE_USER_FILTER_WITH_EMAIL | Set to true to manage only users whose email field is not blank. | false | true/false |
| SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE | Set to true to manage only users who have the roles defined in SNOWFLAKE_MANAGE_ROLE_LIST. | true | true/false |
| SNOWFLAKE_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | When a query fails while applying permissions, PolicySync retries it. To minimize the risk of invalid cases, set a maximum number of retry attempts. | 2 | |
| SNOWFLAKE_ENABLE_PRIVILEGES_BATCHING | Set to true to have PolicySync send grant or revoke statements to the target database in batches; set to false to issue them one at a time. | false | true/false |
| SNOWFLAKE_AUDIT_ENABLE_RESOURCE_FILTER | Set to true to filter access audits by the resources PolicySync manages; set to false to disable access audit filtering by PolicySync. | true | true/false |
| SNOWFLAKE_USER_ROLE_USE_UPPERCASE | Set to true to treat user roles as uppercase in PolicySync. | false | true/false |
| SNOWFLAKE_GROUP_ROLE_USE_UPPERCASE | Set to true to treat group roles as uppercase in PolicySync. | false | true/false |
| SNOWFLAKE_ROLE_ROLE_USE_UPPERCASE | Set to true to treat roles as uppercase in PolicySync. | false | true/false |
| SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION | Whether an access-denied exception is shown when a user who does not have access to a table column attempts to access it. To set this to true, SNOWFLAKE_ENABLE_MASKING must be set to false. | true | true/false |
| SNOWFLAKE_ENABLE_MASKING | Whether native masking policy creation is enabled in PolicySync. | 1 | |
| SNOWFLAKE_MASKING_POLICY_DB_NAME | Name of the database in which PolicySync creates custom masking policies. | `""` | |
| SNOWFLAKE_MASKING_POLICY_SCHEMA_NAME | Name of the schema in which PolicySync creates all native masking policies. If left blank, the resource schema is used. | PUBLIC | |
| SNOWFLAKE_MASKING_POLICY_NAME_TEMPLATE | Template for native masking policy names. For example, the policy name for the table customer_data in customer_schema of customer_db will be something like `customer_db_priv_customer_schema_priv_customer_data_{column}`. | `{database}{separator}{schema}{separator}{table}` | |
| SNOWFLAKE_ENABLE_VIEW_BASED_ROW_FILTER | Set to true to enable secure-view-based row filtering in Snowflake PolicySync. Note: although Snowflake supports native row filters, a view-based row filter is recommended due to some limitations. | false | |
| SNOWFLAKE_ENABLE_VIEW_BASED_MASKING | Set to true to enable secure-view-based masking in Snowflake PolicySync. Note: Snowflake does not support native masking, so view-based masking is recommended. | false | |
| SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME | By default, the secure views created for view-based row filtering and masking are placed in the same schema as the original table. Set this property to a schema name to keep these secure views in a separate schema. | | |
| SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_PREFIX, SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_POSTFIX | By default, the secure views for view-based row filtering and masking use the same schema name as the table schema. Use these properties to add a prefix and postfix; the view schema name then has the format `{prefix}{view_schema_name}{postfix}`, where {view_schema_name} is the schema described under SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME. | `""` | |
| SNOWFLAKE_SECURE_VIEW_NAME_PREFIX, SNOWFLAKE_SECURE_VIEW_NAME_POSTFIX | By default, the secure views for view-based row filtering and masking have the same name as the table, postfixed with _secure. Use these properties to change the prefix and postfix; the view name then has the format `{prefix}{table_name}{postfix}`. | Postfix: `_secure` | |
| SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | Removes an unwanted suffix from the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix _schema; the secure schema name is then `{schema_prefix}some_schema{schema_postfix}`. Enter a suffix string or a comma-separated list of suffix strings. | `""` | |
| SNOWFLAKE_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | Removes an unwanted suffix from the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix _table; the secure view name is then `{prefix}some_name{postfix}`. Enter a suffix string or a comma-separated list of suffix strings. | `""` | |
| SNOWFLAKE_SECURE_VIEW_CREATE_FOR_ALL | Set to true to create secure views for all tables and views created by end users, regardless of whether a masking/row filter policy exists for the resource in Apache Ranger. | false | |
| SNOWFLAKE_POLICY_NAME_SEPARATOR | Separator used when building the name of a native row filter/masking policy. | `_PRIV_` | |
| SNOWFLAKE_MASKED_NUMBER_VALUE | Value written to a masked column of datatype number. | 0 | |
| SNOWFLAKE_MASKED_DOUBLE_VALUE | Value written to a masked column of datatype double. | 0 | |
| POLICYSYNC_V2_MASKED_DATE_VALUE | Value written to a masked column of datatype date. | null | |
| SNOWFLAKE_MASKED_TEXT_VALUE | Value written to a masked column of datatype text. | `<MASKED>` | |
| SNOWFLAKE_PEG_FUNCTION_DB | Database that PolicySync refers to when performing PEG protect/unprotect functions. | Value of SNOWFLAKE_JDBC_DB | |
| SNOWFLAKE_PEG_FUNCTION_SCHEMA | Schema that PolicySync refers to when calling PEG protect/unprotect functions. | public | |
| SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES | Time, in minutes, at which the audit begins its initial pull. | 30 | |
| POLICYSYNC_V2_AUDIT_INITIAL_PULL_MINUTES | Time, in minutes, at which the audit begins its initial pull. | 30 | |
| SYNC_SERVICEUSER_INTERVAL_SEC | Interval in seconds for the principal sync process. Principal sync loads users, groups and roles from Snowflake, checks which have been created and the memberships between them, and validates these against what is defined in the Privacera UI. The process runs at this fixed interval. | 60 | |
| SYNC_SERVICEPOLICY_INTERVAL_SEC | Interval in seconds for the existing-policies sync. Existing-policies sync loads the permissions or policies already synced to Snowflake, validates them against Apache Ranger policies and, if there is a difference, triggers the necessary grants/revokes. The process runs at this fixed interval. | 60 | |
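The four SNOWFLAKE_IGNORE_*_LIST properties decide which resources PolicySync leaves alone, and a mistake there silently removes access control from whatever matches. The script below is an added example, not PolicySync's own code, that evaluates those lists against a resource and reports which rule excluded it, so the lists can be reviewed against a resource inventory before the connector is enabled. Assumptions: wildcards behave like shell globs (`fnmatch`), matching is case-insensitive, an ignored database or schema also excludes everything below it, and the "manage database list" the table refers to is passed in as the `manage_database_list` argument because its property name is not on this page. The sample property values are the examples from the table.

```python
"""Evaluate SNOWFLAKE_IGNORE_*_LIST properties for warehouses and db/schema/table FQDNs.
Added example, not PolicySync's own code."""
import fnmatch


def parse_list(value):
    """Split a comma-separated property value; "" or None means no entries."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def matches_any(name, patterns):
    # Wildcards treated as shell globs, compared case-insensitively (assumption).
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in patterns)


def classify(vars_, database=None, schema=None, table=None, warehouse=None,
             manage_database_list=""):
    """Return (managed, reason) for a warehouse or for a database/schema/table FQDN."""
    if warehouse is not None:
        if matches_any(warehouse, parse_list(vars_.get("SNOWFLAKE_IGNORE_WAREHOUSE_LIST"))):
            return False, f"warehouse {warehouse} matches SNOWFLAKE_IGNORE_WAREHOUSE_LIST"
        return True, "warehouse not ignored"

    # Ignore lists take precedence over the manage list, as the table states,
    # so they are evaluated first and a parent match excludes its children.
    if matches_any(database, parse_list(vars_.get("SNOWFLAKE_IGNORE_DATABASE_LIST"))):
        return False, f"database {database} matches SNOWFLAKE_IGNORE_DATABASE_LIST"
    if schema is not None:
        fqdn = f"{database}.{schema}"
        if matches_any(fqdn, parse_list(vars_.get("SNOWFLAKE_IGNORE_SCHEMA_LIST"))):
            return False, f"schema {fqdn} matches SNOWFLAKE_IGNORE_SCHEMA_LIST"
    if table is not None:
        fqdn = f"{database}.{schema}.{table}"
        if matches_any(fqdn, parse_list(vars_.get("SNOWFLAKE_IGNORE_TABLE_LIST"))):
            return False, f"table {fqdn} matches SNOWFLAKE_IGNORE_TABLE_LIST"

    manage = parse_list(manage_database_list)
    if manage and not matches_any(database, manage):
        return False, f"database {database} is not in the manage database list"
    return True, "managed"


def unmanaged(vars_, resources, manage_database_list=""):
    """Return {fqdn: reason} for every (database, schema, table) tuple PolicySync would skip."""
    out = {}
    for db, sch, tbl in resources:
        managed, reason = classify(vars_, db, sch, tbl, manage_database_list=manage_database_list)
        if not managed:
            out[f"{db}.{sch}.{tbl}"] = reason
    return out


# Example values from the reference table (constructed configuration).
EXAMPLE_VARS = {
    "SNOWFLAKE_IGNORE_WAREHOUSE_LIST": "testdb1warehouse,testdb2warehouse,sales_dbwarehouse*",
    "SNOWFLAKE_IGNORE_DATABASE_LIST": "testdb1, testdb2, sales_db*",
    "SNOWFLAKE_IGNORE_SCHEMA_LIST": "testdb1.schema1,testdb2.schema2,sales_db*.sales*",
    "SNOWFLAKE_IGNORE_TABLE_LIST": "testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*",
}

if __name__ == "__main__":
    # Constructed inventory; note the production-looking SALES_DB_EU database is excluded
    # by the sales_db* wildcard, which is exactly the kind of surprise worth catching.
    inventory = [("prod", "public", "orders"), ("SALES_DB_EU", "sales_2024", "orders"),
                 ("testdb1", "schema1", "table1"), ("testdb1", "schema2", "table9")]
    for fqdn, reason in unmanaged(EXAMPLE_VARS, inventory).items():
        print(f"NOT MANAGED {fqdn}: {reason}")
```

The `unmanaged` report is the check to run whenever an ignore list changes: every entry in it is a resource on which Ranger policies will no longer be enforced by PolicySync.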

Microsoft SQL Connector

| Property | Description | Default Value | Example |
|---|---|---|---|
| MSSQL_RESOURCE_SYNC_INTERVAL | Interval in seconds for the resource sync process. Resource sync loads resources from MS SQL and checks whether any resource has been created or an existing resource has changed. | 60 | |
| MSSQL_PRINCIPAL_SYNC_INTERVAL | Interval in seconds for the principal sync process. Principal sync loads users, groups and roles from MS SQL, checks which have been created and the memberships between them, and validates these against what is defined in the Audits page of the Privacera Portal. The process runs at this fixed interval. | 420 | |
| MSSQL_PERMISSION_SYNC_INTERVAL | Interval in seconds for the existing-policies sync process, which loads the permissions or policies already synced to MS SQL and validates them against Apache Ranger policies; if any difference is found, the required grants/revokes are triggered. The process runs at this fixed interval. | 540 | |
| MSSQL_AUDIT_SYNC_INTERVAL | Interval in seconds for the access audits process, which retrieves access audits from MS SQL and pushes them to Solr for display on the Audits page of the Privacera Portal. The process runs at this fixed interval. | 30 | |
| MSSQL_IGNORE_DATABASE_LIST | Comma-separated database names on which you do not want PolicySync to manage access control. Leave blank to ignore no database. Supports wildcards. Takes precedence over the manage database list. | | `testdb1,testdb2,sales_db*` |
| MSSQL_IGNORE_SCHEMA_LIST | Comma-separated schema FQDNs on which you do not want PolicySync to manage access control. Leave blank to ignore no schema. Supports wildcards. Takes precedence over the manage schema list. | | `testdb1.schema1,testdb2.schema2,sales_db*.sales*` |
| MSSQL_IGNORE_TABLE_LIST | Comma-separated table/view FQDNs on which you do not want PolicySync to manage access control. Leave blank to ignore no table/view. Supports wildcards. Takes precedence over the manage table list. | | `testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*` |
| MSSQL_USER_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a user name are replaced with the string in MSSQL_USER_NAME_REPLACE_TO_STRING. If kept blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| MSSQL_USER_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in MSSQL_USER_NAME_REPLACE_FROM_REGEX. If kept blank, no find-and-replace is performed. | `_` (underscore) | |
| MSSQL_GROUP_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a group name are replaced with the string in MSSQL_GROUP_NAME_REPLACE_TO_STRING. If kept blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| MSSQL_GROUP_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in MSSQL_GROUP_NAME_REPLACE_FROM_REGEX. If kept blank, no find-and-replace is performed. | `_` (underscore) | |
| MSSQL_ROLE_NAME_REPLACE_FROM_REGEX | Regular expression whose matches in a role name are replaced with the string in MSSQL_ROLE_NAME_REPLACE_TO_STRING. If kept blank, no find-and-replace is performed. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` | |
| MSSQL_ROLE_NAME_REPLACE_TO_STRING | String that replaces the characters matched by the regex in MSSQL_ROLE_NAME_REPLACE_FROM_REGEX. If kept blank, no find-and-replace is performed. | `_` (underscore) | |
| MSSQL_USER_NAME_PERSIST_CASE_SENSITIVITY | After loading users through the Apache Ranger API, user names are converted to lowercase. If you need to retain the case they have in Apache Ranger, set this value to true. | false | true/false |
| MSSQL_GROUP_NAME_PERSIST_CASE_SENSITIVITY | After loading groups through the Apache Ranger API, group names are converted to lowercase. If you need to retain the case they have in Apache Ranger, set this value to true. | false | true/false |
| MSSQL_ROLE_NAME_PERSIST_CASE_SENSITIVITY | After loading roles through the Apache Ranger API, role names are converted to lowercase. If you need to retain the case they have in Apache Ranger, set this value to true. | false | true/false |
| MSSQL_USER_FILTER_WITH_EMAIL | Set to true to manage only users who have an email address associated with them in the portal. | | true/false |
| MSSQL_MANAGE_USERS | Whether PolicySync manages users and user role membership. | false | |
| MSSQL_MANAGE_ROLES | Whether PolicySync creates roles in MS SQL for roles fetched from Ranger. | false | |
| MSSQL_USER_ROLE_PREFIX | Prefix for the Ranger user role that PolicySync creates in MS SQL. For example, for a user named john in Apache Ranger and the prefix test_user_, the role created for john in MS SQL is test_user_john. | `priv_user_` | |
| MSSQL_GROUP_ROLE_PREFIX | Prefix for the role that PolicySync creates in MS SQL for a Ranger group. For example, for a Ranger group named dev and the prefix test_group_, the role created for dev in MS SQL is test_group_dev. | `priv_group_` | |
| MSSQL_ROLE_ROLE_PREFIX | Prefix for the role that PolicySync creates in MS SQL for a Ranger role. For example, for a Ranger role named finance and the prefix test_role_, the role created for finance in MS SQL is test_role_finance. | `priv_role_` | |
| MSSQL_MANAGE_USER_FILTERBY_ROLE | PolicySync manages the users specified in MSSQL_MANAGE_USER_LIST only if they are associated with a role specified in MSSQL_MANAGE_ROLE_LIST. | false | true/false |
| MSSQL_ENABLE_VIEW_BASED_ROW_FILTER | Set to true to enable secure-view-based row filtering in MS SQL PolicySync. Note: MS SQL supports native row filters, but due to some limitations a view-based row filter is recommended. | true | |
| MSSQL_SECURE_VIEW_CREATE_FOR_ALL | Set to true to create secure views for all tables and views created by end users, regardless of whether a masking/row filter policy exists for the resource in Ranger. | true | |
| MSSQL_MASKED_NUMBER_VALUE | Default masking value for numeric columns. | 0 | |
| MSSQL_MASKED_TEXT_VALUE | Default masking value for text/string columns. | `<MASKED>` | |
| MSSQL_MASKED_DATE_VALUE | Default masking value for date columns. | null | |
| MSSQL_SECURE_VIEW_NAME_PREFIX, MSSQL_SECURE_VIEW_NAME_POSTFIX | By default, the secure views for view-based row filtering and masking have the same name as the table, postfixed with _secure. Use these properties to change the prefix and postfix; the view name then has the format `{prefix}{table_name}{postfix}`. | Postfix: `_secure` | |
| MSSQL_SECURE_VIEW_SCHEMA_NAME_PREFIX, MSSQL_SECURE_VIEW_SCHEMA_NAME_POSTFIX | By default, the secure views for view-based row filtering and masking use the same schema name as the table schema. Use these properties to add a prefix and postfix; the view schema name then has the format `{prefix}{view_schema_name}{postfix}`, where {view_schema_name} is the schema described under MSSQL_SECURE_VIEW_SCHEMA_NAME. | | |
| MSSQL_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | Removes an unwanted suffix from the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix _table; the secure view name is then `{prefix}some_name{postfix}`. Enter a suffix string or a comma-separated list of suffix strings. | | |
| MSSQL_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | Removes an unwanted suffix from the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix _schema; the secure schema name is then `{schema_prefix}some_schema{schema_postfix}`. Enter a suffix string or a comma-separated list of suffix strings. | | |
| MSSQL_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | When a query fails while applying permissions, PolicySync retries it. To minimize the risk of invalid cases, set a maximum number of retry attempts. | 2 | |
| MSSQL_AUDIT_INITIAL_PULL_MINUTES | The initial pull time for audits, in minutes. Defaults to 30 minutes and can be changed. | 30 | |
| MSSQL_USER_LOAD_KEY | Method used to load users from MS SQL. | load | |

PostgreSQL Connector

Property Description Default Value Example
POSTGRES_LOAD_RESOURCES_KEY This property controls which method to be used to load resources from PostgreSQL.

  • load_md - It loads resources from PostgreSQL using a top-down resource approach, for example it loads the database first, then the schemas within it, and then the tables and their columns. This mode is only for development purposes.
  • load_from_database_columns - It loads resources one by one by resource type, for example, it loads all databases first, then all schemas in all databases, then all tables in all databases and their columns. This mode is recommended for general use because it is much faster than load mode.
load_from_database_columns
POSTGRES_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the PostgreSQL after checking whether any new resource has been created or any changes are made in the existing resource. 60
POSTGRES_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for principal sync process. Principal sync is the process where the user/group/roles are loaded from the PostgreSQL after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal.
This process happens in defined interval time.
420
POSTGRES_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to PostgreSQL, and then validates it with Apache Ranger policies. If any difference is found, then required grants/revokes are triggered.
This process happens in defined interval time.
540
POSTGRES_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from PostgreSQL. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal.
This process happens in defined interval time.
30
POSTGRES_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedence over manage database list. testdb1,testdb2,sales_db*
POSTGRES_IGNORE_SCHEMA_LIST This property is used to set comma-separated database schemas FQDN on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedence over manage schema list. testdb1.schema1,testdb2.schema2,sales_db*.sales*
POSTGRES_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view FQDN on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedence over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*

POSTGRES_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the POSTGRES_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the POSTGRES_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the POSTGRES_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the POSTGRES_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using the Apache Ranger API, the usernames are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
POSTGRES_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using the Apache Ranger API, the group names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
POSTGRES_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using the Apache Ranger API, the role names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
POSTGRES_CREATE_USER Use this property to create users in PostgreSQL when they are retrieved from Apache Ranger. true
POSTGRES_CREATE_USER_ROLE Use this property to create user role in PostgreSQL when they are retrieved from Apache Ranger. true
POSTGRES_MANAGE_USERS Use this property to manage the membership between user and user role. true
POSTGRES_MANAGE_ROLES Use this property to create roles in PostgreSQL when they are retrieved from Apache Ranger. true
POSTGRES_USER_ROLE_PREFIX This property is used to set a prefix for the ranger user role that we will be creating in PostgreSQL.
For example, if you have a user named john in Apache Ranger and have set the prefix to test_user_, the role we create for john in PostgreSQL will be test_user_john.
priv_user_  
POSTGRES_GROUP_ROLE_PREFIX This property is used to set a role prefix for the group from ranger that we will be creating in PostgreSQL.
For example, if you have a ranger group named dev with the prefix test_group_, the role we create for dev in PostgreSQL will be test_group_dev.
priv_group_  
POSTGRES_ROLE_ROLE_PREFIX This property is used to set a prefix for the role from ranger that we will be creating in PostgreSQL.
For example, if you have a ranger role named finance with the prefix test_role_, the role we create for finance in PostgreSQL will be test_role_finance.
priv_role_  
POSTGRES_USE_NATIVE_PUBLIC_GROUP Set this property to true if you want PolicySync to use the PostgreSQL native public group for access grants whenever a policy is created that refers to a public group. true true/false
POSTGRES_MANAGE_USER_FILTERBY_ROLE Set this property to true if you want to manage only users who belong to the roles defined in the POSTGRES_MANAGE_ROLE_LIST property. false true/false
POSTGRES_POLICY_NAME_SEPARATOR This property is used to set the separator, which is used when creating the name for the native row filter/masking policy. _PRIV_
POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE This property is used to set the template for native row filter policy names. For example, for the table customer_data in the schema customer_schema of the database customer_db, the row filter policy name will look like customer_db_priv_customer_schema_priv_customer_data_{row_filter_item_number}.
{database}{separator}{schema}{separator}{table}
POSTGRES_ENABLE_VIEW_BASED_ROW_FILTER Set this property to true if you want to enable secure view-based row filters in PostgreSQL PolicySync. Note: PostgreSQL supports native row filters, but because of some of their limitations, view-based row filters are recommended. true
POSTGRES_SECURE_VIEW_CREATE_FOR_ALL Set this property to true if you want to create a secure view for all tables and all views that were created by end users. This will create a secure view for every resource regardless of whether any masking or row filter policy exists for it in Apache Ranger. true
POSTGRES_MASKED_NUMBER_VALUE This property is used to specify the default masking value for numeric columns. 0
POSTGRES_MASKED_TEXT_VALUE This property is used to specify the default masking value for text/string columns. <MASKED>
POSTGRES_SECURE_VIEW_NAME_PREFIX
POSTGRES_SECURE_VIEW_NAME_POSTFIX
By default, view-based row filter and masking secure views have the same name as the table, with _secure appended.
If you want to change the secure view name prefix and postfix, use these properties.
After a prefix and postfix are specified, the view name has the following format:
{prefix}{table_name}{postfix}
For postfix:
_secure

POSTGRES_SECURE_VIEW_SCHEMA_NAME_PREFIX

POSTGRES_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, view-based row filter and masking secure views have the same schema name as the table's schema. If you want to change the secure view schema name prefix and postfix, use these properties. After a prefix and postfix are specified, the view schema name has the following format:
{prefix}{view_schema_name}{postfix}

For {view_schema_name} refer to variable POSTGRES_SECURE_VIEW_SCHEMA_NAME

POSTGRES_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name.
For example, if the table name is some_name_table, you can remove the suffix _table. Your secure name will then be {prefix}some_name{postfix}

Enter a suffix string or a comma-separated list of suffix strings. 

POSTGRES_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name.
For example, if the schema is some_name_schema, you can remove the suffix _schema. Your secure schema name will then be {schema_prefix}some_name{schema_postfix}

Enter a suffix string or a comma-separated list of suffix strings. 

POSTGRES_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

When a query fails while applying permissions, PolicySync tries to apply the query again. To limit retries of queries that cannot succeed, set a maximum number of retry attempts.

2
POSTGRES_ENABLE_DATA_ADMIN

This property enables the data admin feature. When the data admin feature is enabled, you can create all policies on a table/native view, and by default, respective grants are made on the secure view of a table or native view. As a result, this secure view will support row filtering and masking. If you require table permission, you can select the permission you require and data admin in the policy. In this case, the permission will be granted on both the table/native view and its secure view.

true true/false
POSTGRES_ENABLE_MIGRATION This property can be used to enable some of the migration operations that PolicySync performs when migrating from V1 to V2 PostgreSQL PolicySync.
It primarily consists of cleaning up the native row filter policies created by v1, because v2 recreates them with its own naming format.
true
POSTGRES_AUDIT_EXCLUDED_USERS This property is used to set the list of users whose access audits you want to ignore.
Set a list of comma-separated users.
POSTGRES_JDBC_USERNAME
POSTGRES_AUDIT_SOURCE This property is used to set the mode through which access audits are loaded. For AWS RDS PostgreSQL, only SQS mode is supported; SQS mode retrieves the audits from an SQS queue. SQS
POSTGRES_AWS_ACCESS_KEY This property is used to specify the AWS Access Key that will be used to create an IAM client that will access the SQS queue to obtain access audits.
This should only be used if your deployment machine does not have an IAM role assigned to it with the necessary permissions.
POSTGRES_AWS_SECRET_KEY This property is used to specify the AWS Secret Key that will be used to create an IAM client that will access the SQS queue to obtain access audits.
This should only be used if your deployment machine does not have an IAM role assigned to it with the necessary permissions.
POSTGRES_AWS_REGION This property is used to specify the AWS region in which the SQS queue is located. us-east-1
POSTGRES_AWS_SQS_QUEUE_ENDPOINT This property is used to specify the SQS endpoint URL. It must be specified if you use a private VPC in your AWS account that does not have internet access.
POSTGRES_AWS_SQS_QUEUE_NAME This property is used to set AWS SQS queue name from which we need to get access audits.
POSTGRES_AWS_SQS_QUEUE_MAX_POLL_MESSAGES This property specifies the number of messages that should be retrieved from the SQS queue at the same time and processed for auditing purposes. 100

Redshift Connector#

Property Description Default Value Example
REDSHIFT_LOAD_RESOURCES_KEY This property controls which method is used to load resources from Redshift.

  • load_md - It loads resources from Redshift using a top-down resource approach, for example it loads the database first, then the schemas within it, and then the tables and their columns. This mode is only for development purposes.
  • load_from_account_columns - It loads resources one by one by resource type, for example, it loads all databases first, then all schemas in all databases, then all tables in all databases and their columns. This mode is recommended for general use because it is much faster than load mode.
load_from_database_columns
REDSHIFT_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Redshift after checking whether any new resource has been created or any changes are made in the existing resource. 60
REDSHIFT_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for the principal sync process. Principal sync is the process where the users/groups/roles that have been created in Redshift, and the memberships between them, are loaded and then validated against what is defined in the Audits page of the Privacera Portal.
This process runs at the defined interval.
420
REDSHIFT_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for the existing policies sync process. Existing policies sync is the process where the permissions or policies already synced to Redshift are loaded and validated against the Apache Ranger policies. If any difference is found, the required grants/revokes are triggered.
This process runs at the defined interval.
540
REDSHIFT_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. The access audits process retrieves access audits from Redshift and pushes them to Solr so that they can be displayed on the Audits page of the Privacera Portal.
This process runs at the defined interval.
30
REDSHIFT_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedence over manage database list. testdb1,testdb2,sales_db*
REDSHIFT_IGNORE_SCHEMA_LIST This property is used to set comma-separated database schemas FQDN on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedence over manage schema list. testdb1.schema1,testdb2.schema2,sales_db*.sales*
REDSHIFT_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view FQDN on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedence over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*

REDSHIFT_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the REDSHIFT_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the REDSHIFT_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the REDSHIFT_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the REDSHIFT_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using the Apache Ranger API, the usernames are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

Note: Setting any of the REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER, REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY, REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY or REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY properties to true applies case sensitivity to users, groups, roles and resources in Redshift. Redshift does not support case sensitivity for a specific user, group, role or resource. It uses enable_case_sensitive_identifier for user/group principals and resources as a single property per session.

false true/false
REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using the Apache Ranger API, the group names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

Note: Setting any of the REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER, REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY, REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY or REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY properties to true applies case sensitivity to users, groups, roles and resources in Redshift. Redshift does not support case sensitivity for a specific user, group, role or resource. It uses enable_case_sensitive_identifier for user/group principals and resources as a single property per session.

false true/false
REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using the Apache Ranger API, the role names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

Note: Setting any of the REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER, REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY, REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY or REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY properties to true applies case sensitivity to users, groups, roles and resources in Redshift. Redshift does not support case sensitivity for a specific user, group, role or resource. It uses enable_case_sensitive_identifier for user/group principals and resources as a single property per session.

false true/false
REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER

By default, Redshift converts all identifiers to lower case. To preserve case, PolicySync sets a session property on each and every connection. If you want this behaviour, set this value to true.

Note: Setting any of the REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER, REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY, REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY or REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY properties to true applies case sensitivity to users, groups, roles and resources in Redshift. Redshift does not support case sensitivity for a specific user, group, role or resource. It uses enable_case_sensitive_identifier for user/group principals and resources as a single property per session.

false  
REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER_QUERY If REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER is set to true, the query will be executed first in each connection. SET enable_case_sensitive_identifier=true;  
REDSHIFT_CREATE_USER Use this property to create users in Redshift when they are retrieved from Apache Ranger. true true/false
REDSHIFT_CREATE_USER_ROLE Use this property to create user role in Redshift when they are retrieved from Apache Ranger. true true/false
REDSHIFT_MANAGE_USERS Use this property to manage the membership between user and user role. true true/false
REDSHIFT_MANAGE_GROUPS Use this property to create roles in Redshift when groups are retrieved from Apache Ranger. true true/false
REDSHIFT_MANAGE_ROLES Use this property to create roles in Redshift when they are retrieved from Apache Ranger. true true/false
REDSHIFT_USER_ROLE_PREFIX This property is used to set a prefix for the ranger user role that we will be creating in Redshift.
For example, if you have a user named john in Apache Ranger and have set the prefix to test_user_, the role we create for john in Redshift will be test_user_john.
priv_user_  
REDSHIFT_GROUP_ROLE_PREFIX This property is used to set a role prefix for the group from ranger that we will be creating in Redshift.
For example, if you have a ranger group named dev with the prefix test_group_, the role we create for dev in Redshift will be test_group_dev.
priv_group_  
REDSHIFT_ROLE_ROLE_PREFIX This property is used to set a prefix for the role from ranger that we will be creating in Redshift.
For example, if you have a ranger role named finance with the prefix test_role_, the role we create for finance in Redshift will be test_role_finance.
priv_role_  
REDSHIFT_USE_NATIVE_PUBLIC_GROUP Set this property to true if you want PolicySync to use the Redshift native public group for access grants whenever a policy is created that refers to a public group. true true/false
REDSHIFT_MANAGE_USER_FILTERBY_GROUP Set this property to true if you want to manage only users who belong to the groups specified in the REDSHIFT_MANAGE_GROUP_LIST property. false true/false
REDSHIFT_MANAGE_USER_FILTERBY_ROLE Set this property to true if you want to manage only users who belong to the roles defined in the REDSHIFT_MANAGE_ROLE_LIST property. false true/false
REDSHIFT_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking in Redshift PolicySync.

Note: Redshift does not support native masking. It is recommended to use view-based masking.

true true/false
REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view-based row filter in Redshift PolicySync.

Note: Redshift supports native row filters, but because of some of their limitations, it is recommended to use view-based row filters.

true true/false
REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Apache Ranger.

true true/false
REDSHIFT_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

0
REDSHIFT_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns.

'<MASKED>'
REDSHIFT_SECURE_VIEW_NAME_PREFIX
REDSHIFT_SECURE_VIEW_NAME_POSTFIX
By default, view-based row filter and masking secure views have the same name as the table, with _secure appended.
If you want to change the secure view name prefix and postfix, use these properties.
After a prefix and postfix are specified, the view name has the following format:
{prefix}{table_name}{postfix}
For postfix:
_secure

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, view-based row filter and masking secure views have the same schema name as the table's schema. If you want to change the secure view schema name prefix and postfix, use these properties. After a prefix and postfix are specified, the view schema name has the following format:
{prefix}{view_schema_name}{postfix}

For {view_schema_name} refer to variable REDSHIFT_SECURE_VIEW_SCHEMA_NAME

REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name.
For example, if the table name is some_name_table, you can remove the suffix _table. Your secure name will then be {prefix}some_name{postfix}

Enter a suffix string or a comma-separated list of suffix strings. 

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name.
For example, if the schema is some_name_schema, you can remove the suffix _schema. Your secure schema name will then be {schema_prefix}some_name{schema_postfix}

Enter a suffix string or a comma-separated list of suffix strings. 
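The naming rules above (secure view name and schema name with prefix, postfix and suffix removal, for both the POSTGRES_ and REDSHIFT_ properties, plus the PostgreSQL row filter policy name template), modelled as an added example; this is not PolicySync's own code. Assumptions: at most one suffix from the remove list is stripped, and the row filter policy name is folded to lower case as the page's customer_db example shows.

```python
from collections import defaultdict


def _strip_suffix(name, remove_suffix_list):
    """Drop the first entry of the comma-separated *_REMOVE_SUFFIX_LIST that
    matches the end of name. Assumption: at most one suffix is removed and a
    name is never reduced to the empty string."""
    for suffix in (s.strip() for s in remove_suffix_list.split(",")):
        if suffix and name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(table_name, prefix="", postfix="_secure",
                     remove_suffix_list=""):
    """{prefix}{table_name}{postfix} after *_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST
    is applied; the page's default postfix is _secure with no prefix."""
    return f"{prefix}{_strip_suffix(table_name, remove_suffix_list)}{postfix}"


def secure_view_schema_name(schema_name, prefix="", postfix="",
                            remove_suffix_list=""):
    """{prefix}{view_schema_name}{postfix} after
    *_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST is applied."""
    return f"{prefix}{_strip_suffix(schema_name, remove_suffix_list)}{postfix}"


def row_filter_policy_name(database, schema, table, item_number,
                           separator="_PRIV_",
                           template="{database}{separator}{schema}{separator}{table}"):
    """POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE rendered with
    POSTGRES_POLICY_NAME_SEPARATOR, then _{row_filter_item_number} appended.
    Assumption: the result is folded to lower case, as PostgreSQL does for
    unquoted identifiers and as the page's example shows."""
    base = template.format(database=database, separator=separator,
                           schema=schema, table=table)
    return f"{base}_{item_number}".lower()


def find_secure_view_collisions(table_names, **kwargs):
    """{secure_view_name: [tables]} for tables of one schema that map to the
    same secure view name once suffixes are removed. A collision means one
    table's row filter/masking view would shadow another's, so check the
    suffix list against the real table names before changing it."""
    buckets = defaultdict(list)
    for table in table_names:
        buckets[secure_view_name(table, **kwargs)].append(table)
    return {k: v for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample names.
    print(secure_view_name("customer_data"))
    print(secure_view_name("some_name_table", remove_suffix_list="_table"))
    print(secure_view_schema_name("some_name_schema", remove_suffix_list="_schema"))
    print(row_filter_policy_name("customer_db", "customer_schema",
                                 "customer_data", 1))
    print(find_secure_view_collisions(["orders_table", "orders", "items"],
                                      remove_suffix_list="_table"))
```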

REDSHIFT_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

When a query fails while applying permissions, PolicySync tries to apply the query again. To limit retries of queries that cannot succeed, set a maximum number of retry attempts.

2
REDSHIFT_ENABLE_DATA_ADMIN

This property enables the data admin feature. When the data admin feature is enabled, you can create all policies on a table/native view, and by default, respective grants are made on the secure view of a table or native view. As a result, this secure view will support row filtering and masking. If you require table permission, you can select the permission you require and data admin in the policy. In this case, the permission will be granted on both the table/native view and its secure view.

true true/false
REDSHIFT_AUDIT_EXCLUDED_USERS

This property is used to set the list of users whose access audits you want to ignore.
Set a list of comma-separated users.

REDSHIFT_JDBC_USERNAME
REDSHIFT_AUDIT_INITIAL_PULL_MINUTES

When audits are enabled for the first time, this value determines how many minutes of past access audits are pulled from the database. The default value is 30 minutes.

30

Databricks SQL#

Property Description Default Value Example
DATABRICKS_SQL_ANALYTICS_LOAD_RESOURCES_KEY This property controls which method is used to load resources from Databricks SQL. It should not be changed: Databricks only supports the value load as a method for loading resources.
load - It loads resources from Databricks SQL endpoint with top-down resources approach, that is, it first loads the database and then schemas, tables and columns successively.
load_like
DATABRICKS_SQL_ANALYTICS_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Databricks SQL after checking whether any new resource has been created or any changes are made in the existing resource. 60
DATABRICKS_SQL_ANALYTICS_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for the principal sync process. Principal sync is the process where the users/groups/roles that have been created in Databricks SQL, and the memberships between them, are loaded and then validated against what is defined in the Audits page of the Privacera Portal.
This process runs at the defined interval.
420
DATABRICKS_SQL_ANALYTICS_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for the existing policies sync process. Existing policies sync is the process where the permissions or policies already synced to Databricks SQL are loaded and validated against the Apache Ranger policies. If any difference is found, the required grants/revokes are triggered.
This process runs at the defined interval.
540
DATABRICKS_SQL_ANALYTICS_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. The access audits process retrieves access audits from Databricks SQL and pushes them to Solr so that they can be displayed on the Audits page of the Privacera Portal.
This process runs at the defined interval.
30
DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following format:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*
DATABRICKS_SQL_ANALYTICS_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedence over manage database list. testdb1,testdb2,sales_db*
DATABRICKS_SQL_ANALYTICS_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view FQDN on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedence over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using the Apache Ranger API, the usernames are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using the Apache Ranger API, the group names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using the Apache Ranger API, the role names are converted into lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, the case of the names is maintained as it is in Apache Ranger.

false true/false
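The principal name handling described by the *_NAME_REPLACE_FROM_REGEX, *_NAME_REPLACE_TO_STRING, *_NAME_PERSIST_CASE_SENSITIVITY and *_ROLE_PREFIX properties of the PostgreSQL, Redshift and Databricks SQL connectors above, as an added example that is not PolicySync's own code. It assumes the page's regex has one level of escaping once the YAML quoting is removed, and it adds a collision check: two Ranger principals that normalize to the same name would share one native role, and with it each other's grants.

```python
import re
from collections import defaultdict

# The page's default *_NAME_REPLACE_FROM_REGEX as a Python raw string.
# Assumption: the doubled backslashes on the page are YAML quoting, so a
# single escape level is used here.
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"
DEFAULT_REPLACE_TO_STRING = "_"


def normalize_principal(name, replace_from_regex=DEFAULT_REPLACE_FROM_REGEX,
                        replace_to_string=DEFAULT_REPLACE_TO_STRING,
                        persist_case_sensitivity=False):
    """Model the documented transformations of a Ranger user/group/role name.

    1. Lower-casing, skipped when *_NAME_PERSIST_CASE_SENSITIVITY is true.
    2. Find-and-replace with the *_NAME_REPLACE_FROM_REGEX and
       *_NAME_REPLACE_TO_STRING pair; a blank regex or a blank replacement
       string disables this step, as the page states.
    The page does not give the order of the two steps; with the default
    regex it makes no difference, because the regex matches no letters.
    """
    if not persist_case_sensitivity:
        name = name.lower()
    if replace_from_regex and replace_to_string:
        name = re.sub(replace_from_regex, replace_to_string, name)
    return name


def native_role_name(principal, prefix):
    """Name of the role PolicySync creates in the data store for a principal,
    e.g. prefix priv_user_ (the *_USER_ROLE_PREFIX default) for a user."""
    return f"{prefix}{principal}"


def find_collisions(names, **kwargs):
    """Return {normalized_name: [ranger names]} for every normalized name that
    more than one Ranger principal maps to. Colliding principals end up
    behind a single native role and therefore inherit each other's grants,
    so this is worth checking before enabling *_CREATE_USER or *_MANAGE_ROLES
    against a real principal list."""
    buckets = defaultdict(list)
    for name in names:
        buckets[normalize_principal(name, **kwargs)].append(name)
    return {k: v for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample principals.
    ranger_users = ["John.Doe", "john_doe", "alice@example.com", "svc-etl/prod"]
    for user in ranger_users:
        print(user, "->", native_role_name(normalize_principal(user), "priv_user_"))
    print("collisions:", find_collisions(ranger_users))
```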
DATABRICKS_SQL_ANALYTICS_CREATE_USER This property determines whether PolicySync should create a user in the Databricks SQL endpoint when users are retrieved from Apache Ranger. false true/false
DATABRICKS_SQL_ANALYTICS_MANAGE_USERS This property determines whether PolicySync should manage a user in the Databricks SQL endpoint when users are retrieved from Apache Ranger. false
DATABRICKS_SQL_ANALYTICS_CREATE_ROLE This property determines whether PolicySync should manage a role in the Databricks SQL endpoint when roles are retrieved from Apache Ranger. false true/false
DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX This property is used to set a role prefix for groups in Databricks SQL when they are retrieved from Apache Ranger.
For example, if dev is a group in Apache Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Databricks SQL.
priv_group_  
DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX This property is used to set a role prefix for roles in Databricks SQL when they are retrieved from Apache Ranger.
For example, if finance is a role in Apache Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Databricks SQL.
priv_role_  
DATABRICKS_SQL_ANALYTICS_USE_NATIVE_PUBLIC_GROUP Set this property to true if you want PolicySync to use the "public" group in Databricks SQL for access grants whenever a policy with a reference to the public group is created. true true/false
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE Policy-sync will manage users specified in DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST property only if they are associated with any role specified in DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST false true/false
DATABRICKS_SQL_ANALYTICS_USER_USE_EMAIL_AS_SERVICE_NAME This Property is used to map the username to the email address when granting/revoking access. true true/false
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true if you want to create a secure view for all tables and all views created by end users. This creates a secure view for each resource regardless of whether a masking or row filter policy exists for it in Apache Ranger.

true true/false
DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE This property is used to set the value of the masked column of datatype number. 0  
DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE This property is used to set the value of the masked column of datatype text. <MASKED>  
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking have the same name as the table, with _secure appended. These two properties change the prefix and postfix of the secure view name, which then has the format {prefix}{table name}{postfix}.

Default prefix: none
Default postfix: _secure
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking use the same database name as the table's database. These two properties change the prefix and postfix of the secure view's database name, which then has the format {prefix}{view_database_name}{postfix}.

Default prefix: none
Default postfix: _secure
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix _table, and then your secure view name will be {prefix}some_name{postfix}. Enter a suffix string or a comma-separated list of suffix strings.

 
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix _schema, and then your secure schema name will be {schema_prefix}some_name{schema_postfix}. Enter a suffix string or a comma-separated list of suffix strings.

 
DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN

This property is used to enable the data admin feature. With data admin enabled, you can create all policies on a table or native view, and by default the corresponding grants are made on the secure view of that table or native view, so the secure view provides row filtering and masking. If you also need permission on the table itself, select the permission you want together with data admin in the policy; that permission is then granted on both the table/native view and its secure view.

true true/false
DATABRICKS_SQL_ANALYTICS_AUDIT_ENABLE

This property is used to enable retrieving access audits from Databricks SQL.

true true/false
DATABRICKS_SQL_ANALYTICS_AUDIT_INITIAL_PULL_MINUTES

When audits are enabled for the first time, this value sets how many minutes of access audits are pulled from the database; the default is 30 minutes.

30
DATABRICKS_SQL_ANALYTICS_AUDIT_EXCLUDED_USERS This property is used to exclude users when pushing audit logs to Apache Ranger access audits. Since the PolicySync application itself generates audits, it is recommended to set this to the JDBC user name. {{DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME}}

Google BigQuery Connector#

Property Description Default Value Example
BIGQUERY_CREATE_CUSTOM_IAM_ROLES Set the property value to true if you want PolicySync to automatically create custom IAM roles in your GCP project or organization for Fine-Grained Access Control (FGAC).
If the value is set to false, then you have to create all custom IAM roles manually in your GCP project or organization.
true true/false
BIGQUERY_CUSTOM_IAM_ROLES_SCOPE Set the property value to either project or org.
BigQuery PolicySync uses custom IAM roles to provide FGAC. These roles can be created in the IAM of each individual project or in the organization's IAM.
  • project - create/use custom IAM roles at the individual project level.
  • org - create/use custom IAM roles at the organization level.
project project or org
BIGQUERY_ORGANIZATION_ID If you decide to use custom IAM roles at the organization level, this property is used to set your GCP organization ID.
BIGQUERY_CUSTOM_IAM_ROLES_NAME_MAPPING

For FGAC, BigQuery PolicySync uses custom IAM roles. These roles are created with default Privacera-defined names, but you can rename them using this property, and PolicySync will then use the customized role names.

Specify the mapping in the following syntax: <PRIVACERA_DEFAULT_ROLE_NAME_1>:<CUSTOM_ROLE_NAME_1>,<PRIVACERA_DEFAULT_ROLE_NAME_2>:<CUSTOM_ROLE_NAME_2>

The following is a list of the default custom role names in Privacera:

  • PrivaceraGBQProjectListRole
  • PrivaceraGBQJobListRole
  • PrivaceraGBQJobListAllRole
  • PrivaceraGBQJobCreateRole
  • PrivaceraGBQJobGetRole
  • PrivaceraGBQJobUpdateRole
  • PrivaceraGBQJobDeleteRole
  • PrivaceraGBQDatasetCreateRole
  • PrivaceraGBQDatasetGetMetadataRole
  • PrivaceraGBQDatasetUpdateRole
  • PrivaceraGBQDatasetDeleteRole
  • PrivaceraGBQTableListRole
  • PrivaceraGBQTableCreateRole
  • PrivaceraGBQTableGetMetadataRole
  • PrivaceraGBQTableQueryRole
  • PrivaceraGBQTableExportRole
  • PrivaceraGBQTableUpdateMetadataRole
  • PrivaceraGBQTableUpdateRole
  • PrivaceraGBQTableSetCategoryRole
  • PrivaceraGBQTableDeleteRole
  • PrivaceraGBQTransferUpdateRole
  • PrivaceraGBQTransferGetRole

PrivaceraGBQProjectListRole:CustomBigQueryProjectListRole,PrivaceraGBQJobListRole:CustomBigQueryJobListRole
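As an added example (not Privacera's code), the following Python parses a BIGQUERY_CUSTOM_IAM_ROLES_NAME_MAPPING value and validates each default name against the list above; rejecting unknown, malformed or duplicate entries is this example's choice, not documented PolicySync behaviour.

```python
# The default Privacera role names listed on this page.
DEFAULT_ROLE_NAMES = frozenset({
    "PrivaceraGBQProjectListRole", "PrivaceraGBQJobListRole",
    "PrivaceraGBQJobListAllRole", "PrivaceraGBQJobCreateRole",
    "PrivaceraGBQJobGetRole", "PrivaceraGBQJobUpdateRole",
    "PrivaceraGBQJobDeleteRole", "PrivaceraGBQDatasetCreateRole",
    "PrivaceraGBQDatasetGetMetadataRole", "PrivaceraGBQDatasetUpdateRole",
    "PrivaceraGBQDatasetDeleteRole", "PrivaceraGBQTableListRole",
    "PrivaceraGBQTableCreateRole", "PrivaceraGBQTableGetMetadataRole",
    "PrivaceraGBQTableQueryRole", "PrivaceraGBQTableExportRole",
    "PrivaceraGBQTableUpdateMetadataRole", "PrivaceraGBQTableUpdateRole",
    "PrivaceraGBQTableSetCategoryRole", "PrivaceraGBQTableDeleteRole",
    "PrivaceraGBQTransferUpdateRole", "PrivaceraGBQTransferGetRole",
})


def parse_custom_iam_role_mapping(value: str) -> dict[str, str]:
    """Parse "<DEFAULT_1>:<CUSTOM_1>,<DEFAULT_2>:<CUSTOM_2>" into a dict.

    Unknown default names, malformed entries and duplicates raise ValueError
    (this example's strictness) so a typo cannot silently leave a role under
    its default name.
    """
    mapping: dict[str, str] = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a blank value or a trailing comma
        if entry.count(":") != 1:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        default_name, custom_name = (part.strip() for part in entry.split(":"))
        if default_name not in DEFAULT_ROLE_NAMES:
            raise ValueError(f"unknown default role name: {default_name!r}")
        if not custom_name:
            raise ValueError(f"empty custom role name for {default_name!r}")
        if default_name in mapping:
            raise ValueError(f"duplicate mapping for {default_name!r}")
        mapping[default_name] = custom_name
    return mapping


def effective_role_names(value: str) -> dict[str, str]:
    """Default name -> name that would actually be used, for every role."""
    mapping = parse_custom_iam_role_mapping(value)
    return {name: mapping.get(name, name) for name in sorted(DEFAULT_ROLE_NAMES)}


if __name__ == "__main__":
    # The example value shown on this page.
    example = ("PrivaceraGBQProjectListRole:CustomBigQueryProjectListRole,"
               "PrivaceraGBQJobListRole:CustomBigQueryJobListRole")
    for default_name, effective in effective_role_names(example).items():
        print(f"{default_name} -> {effective}")
```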
BIGQUERY_LOAD_RESOURCES_KEY This property controls which method is used to load resources from BigQuery.
  • load_md - Loads resources from BigQuery with a top-down approach: it first loads the project, then the datasets, followed by the tables and their columns. This mode is only for development purposes.
  • load_from_database_columns - Loads resources one resource type at a time: all projects first, then all datasets in all projects, followed by all tables in all datasets and their columns. This mode is recommended since it is faster than load_md.
load_from_dataset_columns
BIGQUERY_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for the resource sync process. Resource sync is the process where we load the resources from BigQuery to check whether any new resource has been created or there is any change in the existing resource. This process happens in the defined interval time. 60
BIGQUERY_PRINCIPAL_SYNC_INTERVAL

This property is used to set the interval in seconds for the principal sync process. Principal sync is the process where the users, groups and roles are loaded from BigQuery to check which of them exist and what the memberships between them are. This process happens at the defined interval.

420
BIGQUERY_PERMISSION_SYNC_INTERVAL

This property is used to set the interval in seconds for the existing-policies sync process. In this process, the permissions or policies already synced to BigQuery are loaded and validated against the Apache Ranger policies; if differences are found, the required grants/revokes are triggered. This process happens at the defined interval.

540
BIGQUERY_AUDIT_SYNC_INTERVAL

This property is used to set the interval in seconds for retrieving access audits. Access audits are retrieved from BigQuery and then pushed to Solr, so they can be displayed on the Privacera Access Audit page. This process happens at the defined interval.

30
BIGQUERY_MANAGE_TABLE_LIST This property is used to set comma-separated table/view FQDNs on which access control will be managed by PolicySync. If you want to manage all tables/views, keep the value blank. It supports wildcards. The ignore table list has precedence over the manage table list. testproject1.dataset1.table1,testproject2.dataset2.view2,sales_project*.sales*.*
BIGQUERY_IGNORE_PROJECT_LIST

This property is used to set comma-separated project names whose access control you do not want to be managed by PolicySync. If you do not want to ignore any project, keep the value blank. It supports wildcards. This has precedence over the manage project list.

testproject1,testproject2,sales_project*
BIGQUERY_IGNORE_DATASET_LIST

This property is used to set comma-separated dataset FQDNs whose access control you do not want to be managed by PolicySync. If you do not want to ignore any dataset, you can skip this property. It supports wildcards as well. This has precedence over the manage dataset list.

testproject1.dataset1,testproject2.dataset2,sales_project*.sales*
BIGQUERY_IGNORE_TABLE_LIST This property is used to set comma-separated table/view FQDNs whose access control you do not want to be managed by PolicySync. If you do not want to ignore any tables/views, you can skip this property. It supports wildcards as well. This has precedence over the manage table list. testproject1.dataset1.table1,testproject2.dataset2.view2,sales_project*.sales*.*
BIGQUERY_USER_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a user name and replaces them with the string specified in the BIGQUERY_USER_NAME_REPLACE_TO_STRING property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
BIGQUERY_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in the BIGQUERY_USER_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed.

_
BIGQUERY_GROUP_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a group name and replaces them with the string specified in the BIGQUERY_GROUP_NAME_REPLACE_TO_STRING property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
BIGQUERY_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in the BIGQUERY_GROUP_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed.

_
BIGQUERY_MANAGE_USER_LIST This property is used to set comma-separated user names on which access control will be managed by PolicySync. If you want to manage all users, keep the value blank. It supports wildcards. The ignore user list has precedence over the manage user list. user1,user2,dev_user*
BIGQUERY_MANAGE_GROUP_LIST This property is used to set comma-separated group names on which access control will be managed by PolicySync. If you want to manage all groups, keep the value blank. It supports wildcards. The ignore group list has precedence over the manage group list. group1,group2,dev_group*
BIGQUERY_IGNORE_USER_LIST This property is used to set comma-separated user names whose access control you do not want to be managed by PolicySync. If you want to manage all users, keep the value blank. It supports wildcards. This has precedence over the manage user list. user1,user2,dev_user*
BIGQUERY_IGNORE_GROUP_LIST This property is used to set comma-separated group names whose access control you do not want to be managed by PolicySync. If you want to manage all groups, keep the value blank. It supports wildcards. This has precedence over the manage group list. group1,group2,dev_group*
BIGQUERY_MANAGE_USER_FILTERBY_GROUP Set this property to true if you want to manage only the users who belong to the groups defined in the BIGQUERY_MANAGE_GROUP_LIST property. false
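An added example (not Privacera's code) of the manage/ignore precedence described for tables, users and groups above; the list values are constructed from the examples in this table, and treating the wildcards as shell-style globs is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed property values modelled on the examples in this table (not a
# real deployment). Wildcards are treated as shell-style globs, an assumption.
BIGQUERY_MANAGE_TABLE_LIST = ("testproject1.dataset1.table1,"
                              "testproject2.dataset2.view2,sales_project*.sales*.*")
BIGQUERY_IGNORE_TABLE_LIST = "sales_project*.sales*.*_tmp"
BIGQUERY_MANAGE_USER_LIST = "user1,user2,dev_user*"
BIGQUERY_IGNORE_USER_LIST = "dev_user_bot"
BIGQUERY_MANAGE_GROUP_LIST = "group1,dev_group*"


def parse_list(value: str) -> list[str]:
    """Split a comma-separated property value; a blank value yields no entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_managed(name: str, manage_list: str, ignore_list: str) -> bool:
    """Documented precedence: an ignore-list match always wins, and a blank
    manage list means every remaining name is managed."""
    if any(fnmatchcase(name, pattern) for pattern in parse_list(ignore_list)):
        return False
    patterns = parse_list(manage_list)
    return not patterns or any(fnmatchcase(name, pattern) for pattern in patterns)


def managed_users(users, memberships, filter_by_group: bool) -> list[str]:
    """Users that would be managed. `memberships` maps user -> set of groups.
    With BIGQUERY_MANAGE_USER_FILTERBY_GROUP=true a user is managed only if at
    least one of its groups is itself in the manage group list."""
    result = []
    for user in users:
        if not is_managed(user, BIGQUERY_MANAGE_USER_LIST, BIGQUERY_IGNORE_USER_LIST):
            continue
        if filter_by_group and not any(
            is_managed(group, BIGQUERY_MANAGE_GROUP_LIST, "")
            for group in memberships.get(user, ())
        ):
            continue
        result.append(user)
    return result


def unmanaged_tables(tables) -> list[str]:
    """Tables that fall outside access control. Worth reviewing after every
    change to the lists: an over-broad ignore pattern silently removes protection."""
    return [table for table in tables
            if not is_managed(table, BIGQUERY_MANAGE_TABLE_LIST, BIGQUERY_IGNORE_TABLE_LIST)]


if __name__ == "__main__":
    # Constructed sample inventory.
    print(unmanaged_tables(["testproject1.dataset1.table1",
                            "sales_project_eu.sales_2024.orders",
                            "sales_project_eu.sales_2024.orders_tmp",
                            "hr_project.payroll.salaries"]))
    print(managed_users(["user1", "dev_user_7", "dev_user_bot", "alice"],
                        {"user1": {"group1"}, "dev_user_7": {"ops"}}, True))
```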
BIGQUERY_COLUMN_ACCESS_CONTROL_TYPE Set this property to specify how PolicySync handles column-level access control.
view - Supports view-based column-level access control: columns a user does not have access to appear as null in the secure view of the table or the secure view of the native view.
view view
BIGQUERY_POLICY_NAME_SEPARATOR

This property is used to set the separator used when creating a name for a native row filter policy.

_
BIGQUERY_ROW_FILTER_POLICY_NAME_TEMPLATE

This property is used as a template to create native row filter policy names. For example, multiple native row filters added on the table will look like row_filter_item_1, row_filter_item_2, etc.

row_filter_item_
BIGQUERY_ENABLE_ROW_FILTER Set this property to true if you want to enable native row filter functionality. This is not recommended, since native row filters can only be created on tables, not on views. false
BIGQUERY_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking.

Note: BigQuery doesn't support native masking, so it is recommended to use view-based masking.

true
BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER Set this property to true if you want to enable secure view-based row filters in BigQuery PolicySync.

Note: BigQuery supports native row filters, but due to some limitations, it is recommended to use view-based row filters.
true
BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create a secure view for all tables and all views created by users. This will create a secure view for resources regardless of whether there is any masking/row filter policy that exists in Apache Ranger.

true true/false
BIGQUERY_MASKING_FUNCTIONS_DATASET

This property is used to set the name of the dataset in the GCP project to create custom masking functions required by PolicySync.

privacera_dataset
BIGQUERY_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

0
BIGQUERY_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns.

'<MASKED>'
BIGQUERY_SECURE_VIEW_NAME_PREFIX
BIGQUERY_SECURE_VIEW_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking have the same name as the table, with _secure appended. These two properties change the prefix and postfix of the secure view name, which then has the format {prefix}{table_name}{postfix}.

Default prefix: none
Default postfix: _secure

BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX
BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking use the same schema name as the table's schema. These two properties change the prefix and postfix of the secure view's schema name, which then has the format {prefix}{view_schema_name}{postfix}.

Default prefix: none
Default postfix: _secure
BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix _table, and then your secure view name will be {prefix}some_name{postfix}.

Enter a suffix string or a comma-separated list of suffix strings.

BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix _schema, and then your secure schema name will be {schema_prefix}some_name{schema_postfix}.

Enter a suffix string or a comma-separated list of suffix strings.
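An added example (not Privacera's code) that computes the secure view name from the prefix, postfix and remove-suffix properties above, for the BigQuery properties here and their Databricks SQL equivalents earlier on this page; the defaults are taken from this table, and removing at most one suffix per name is an assumption.

```python
# Defaults as given in this table; "" means the property is left blank.
DEFAULTS = {
    "BIGQUERY_SECURE_VIEW_NAME_PREFIX": "",
    "BIGQUERY_SECURE_VIEW_NAME_POSTFIX": "_secure",
    "BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST": "",
    "BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX": "",
    "BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX": "_secure",
    "BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST": "",
}


def strip_suffix(name: str, remove_suffix_list: str) -> str:
    """Remove the first listed suffix that `name` ends with. Removing at most
    one suffix is this example's assumption; the page does not say what
    happens when several entries match."""
    for suffix in (s.strip() for s in remove_suffix_list.split(",")):
        if suffix and name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def rename(name: str, prefix: str, postfix: str, remove_suffix_list: str) -> str:
    """{prefix}{name minus suffix}{postfix}, the format documented above."""
    return f"{prefix}{strip_suffix(name, remove_suffix_list)}{postfix}"


def secure_view_fqn(project: str, dataset: str, table: str, overrides=None) -> str:
    """Fully qualified secure view name for project.dataset.table."""
    cfg = {**DEFAULTS, **(overrides or {})}
    secure_dataset = rename(dataset,
                            cfg["BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX"],
                            cfg["BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX"],
                            cfg["BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST"])
    secure_table = rename(table,
                          cfg["BIGQUERY_SECURE_VIEW_NAME_PREFIX"],
                          cfg["BIGQUERY_SECURE_VIEW_NAME_POSTFIX"],
                          cfg["BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST"])
    return f"{project}.{secure_dataset}.{secure_table}"


def secure_view_collisions(tables, overrides=None) -> dict[str, list[str]]:
    """Secure view names that more than one source table would produce.
    Suffix removal can make e.g. `orders` and `orders_table` collide on one
    secure view name, so check this before enabling a remove-suffix list."""
    by_secure: dict[str, list[str]] = {}
    for project, dataset, table in tables:
        secure = secure_view_fqn(project, dataset, table, overrides)
        by_secure.setdefault(secure, []).append(f"{project}.{dataset}.{table}")
    return {name: sources for name, sources in by_secure.items() if len(sources) > 1}


if __name__ == "__main__":
    cfg = {"BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST": "_table",
           "BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST": "_schema"}
    print(secure_view_fqn("proj", "some_name_schema", "some_name_table", cfg))
    # Constructed sample tables.
    print(secure_view_collisions([("proj", "sales", "orders"),
                                  ("proj", "sales", "orders_table")], cfg))
```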

BIGQUERY_ENABLE_AUTHORIZED_VIEW_ACL_UPDATER

This property enables the asynchronous authorized view ACL updater, which updates dataset ACLs with the names of authorized secure views. It runs periodically and batches the requests for one or more views.

true true/false
BIGQUERY_AUTHORIZED_VIEW_ACL_UPDATER_INTERVAL

This property is used to set the interval at which the authorized view ACLs updater thread can update the permissions in the dataset if any permissions are pending to be applied.

10
BIGQUERY_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

This property is used to set max retry attempts to be made for granting or revoking the access if there is any failure due to database connection errors.

2
BIGQUERY_GRANT_UPDATES_BATCH

This property enables batching when applying grants/revokes to BigQuery. This improves overall performance when applying permission changes in BigQuery.

true true/false
BIGQUERY_ENABLE_DATA_ADMIN

This property is used to enable data admin feature. It allows you to create all the policies on table/native view. By default, respective grants will be made on secure view of table or native view. This secure view will have row filter and masking capability. If you need permissions on the table, then you can select the permissions you want along with the data admin in the policy. The permissions will be granted on both, the table/native view and its secure view.

true true/false
BIGQUERY_AUDIT_PROJECT_ID

This property is used to set the project ID. It will be used when running the query to retrieve the audits from BigQuery.

BIGQUERY_AUDIT_DATASET_NAME

This property is used to set the dataset name. It will be used when running the query to get the audits from BigQuery.

Power BI Connector#

Property Description Default Value Example
POWER_BI_AUDIT_INITIAL_PULL_MINUTES The initial pull time for audits is set to 30 minutes by default, but this can be changed. 30  
POWER_BI_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for the resource sync process. Resource sync is the process where resources are loaded from Power BI to check whether any new resource has been created or any existing resource has changed. 60
POWER_BI_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for the existing-policies sync process. In this process, the permissions or policies already synced to Power BI are loaded and validated against the Apache Ranger policies; if any difference is found, the required grants/revokes are triggered.
This process happens at the defined interval.
540
POWER_BI_AUDIT_SYNC_INTERVAL This property is used to specify the time interval in seconds for obtaining access audits.
The access audit process obtains access audits from Power BI, which tell us who has access to what, and pushes them to Solr so that they can be displayed on the Privacera Access Audit UI page.
This process occurs at the defined interval.
30

POWER_BI_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the POWER_BI_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POWER_BI_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the POWER_BI_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

POWER_BI_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the POWER_BI_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POWER_BI_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POWER_BI_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).
POWER_BI_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users through the Apache Ranger API, the usernames are converted to lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, usernames keep the case they have in Apache Ranger.

false true/false
POWER_BI_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups through the Apache Ranger API, the group names are converted to lowercase. However, you may want to retain the same case as in Apache Ranger.

When this value is set to true, group names keep the case they have in Apache Ranger.

false true/false
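An added example (not Privacera's code) that applies the *_NAME_REPLACE_FROM_REGEX, *_NAME_REPLACE_TO_STRING and *_NAME_PERSIST_CASE_SENSITIVITY properties described above, for the Power BI properties here and the BigQuery ones earlier on this page; the Python form of the default regex, with the displayed escaping undone, is an assumption.

```python
import re

# Python form of the default *_NAME_REPLACE_FROM_REGEX value from this table,
# with the YAML/Java-level backslash doubling undone (an assumption about how
# the displayed value is escaped).
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"
DEFAULT_REPLACE_TO_STRING = "_"


def normalize_principal_name(name: str,
                             replace_from_regex: str = DEFAULT_REPLACE_FROM_REGEX,
                             replace_to_string: str = DEFAULT_REPLACE_TO_STRING,
                             persist_case_sensitivity: bool = False) -> str:
    """Apply the two documented steps: regex find-and-replace (skipped when
    either property is blank), then lowercasing unless
    *_PERSIST_CASE_SENSITIVITY is true."""
    if replace_from_regex and replace_to_string:
        name = re.sub(replace_from_regex, replace_to_string, name)
    if not persist_case_sensitivity:
        name = name.lower()
    return name


def name_collisions(names, **settings) -> dict[str, list[str]]:
    """Distinct Apache Ranger principals that normalize to the same name.
    With the defaults, '.', '@' and '_' all become '_' and case is dropped,
    so 'John.Doe' and 'john_doe' would end up sharing one identity and
    therefore one set of grants; run this check before trusting the mapping."""
    seen: dict[str, list[str]] = {}
    for name in names:
        seen.setdefault(normalize_principal_name(name, **settings), []).append(name)
    return {target: sources for target, sources in seen.items() if len(sources) > 1}


if __name__ == "__main__":
    print(normalize_principal_name("John.Doe@example.com"))  # john_doe_example_com
    # Constructed sample principal list.
    print(name_collisions(["John.Doe", "john_doe", "alice", "Alice"]))
```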
POWER_BI_IGNORE_GROUP_LIST This property is used to specify comma-separated group names whose access control should not be managed by PolicySync.
If you do not want to ignore any groups, you can leave this property blank.
This also accepts wildcards.
This takes precedence over the manage group list.
For example, group1,group2,dev_group*
group1,group2,dev_group*
POWER_BI_USER_FILTER_WITH_EMAIL Set this property to true if you want to manage only users who have an email field that is not blank. false true/false