PrivaceraCloud Documentation

Connect Databricks Unity Catalog to PrivaceraCloud

For background, see Quickstart for Databricks Unity Catalog on PrivaceraCloud.

Prerequisites

Before configuring the connection, at a minimum, have the following ready:

  • The value of the Databricks Unity Catalog URL to connect to.

  • The value of the Databricks personal access token.

  • Determine if your personal access token gives you administrative permissions in Databricks Unity Catalog. By default, PrivaceraCloud assumes that the token does not. If it does, you will need to set the field Enable if the personal access token has account admin privileges to true.

  • Look at the BASIC fields in the Field descriptions for Databricks Unity Catalog to see if there are other fields you might want to configure, such as catalog names or table names. You can always configure fields after making the initial connection.

Procedure

To connect your PrivaceraCloud account to Databricks Unity Catalog, follow the steps in Connect an application. The application name to select is Databricks Unity Catalog.

Field descriptions for Databricks Unity Catalog

These Databricks Unity Catalog connector fields can be set for PolicySync on PrivaceraCloud.

The fields are divided across two tabs.

  • Start by setting the fields on the BASIC tab, which cover authentication and the more basic features; the ADVANCED tab holds the rest.

  • Examine the features on the ADVANCED tab to determine which of them you might want to enable.

Each field is listed below under its category. The tag after the field name gives the tab it appears on (BASIC or ADVANCED); fields tagged MANDATORY must be set to make the connection. The description follows, then the default value where the field has one.

JDBC configuration properties

  • Databricks Unity Catalog URL [BASIC-MANDATORY]
    The Databricks URL that PolicySync connects to. Example: https://dev-environment.cloud.databricks.com

  • Databricks personal access token [BASIC-MANDATORY]
    A personal access token used to connect to the Databricks API. The token should belong to an admin user who has access to the resources that PolicySync will manage. Example: dapi123456789...

  • Enable if the personal access token has account admin privileges [BASIC-MANDATORY]
    Turn this on if the personal access token has account admin privileges. PolicySync can create and update users/groups in Unity Catalog only when the token has account admin privileges. If it does not, PolicySync will not create or update users/groups in Unity Catalog, so they must be created in Unity Catalog beforehand.
    Default value: false

Resources management

  • Catalogs to set access control policies for [BASIC]
    List of catalog names whose access control is managed by Privacera. Leave it blank to manage all catalogs.

  • Schemas to set access control policies for [ADVANCED]
    List of schema names whose access control is managed by Privacera. Leave it blank to manage all schemas.

  • Tables to set access control policies [ADVANCED]
    List of fully qualified table names whose access control is managed by Privacera. Leave it blank to manage all tables in the managed schemas.

  • User defined functions to set access control policies for [ADVANCED]
    List of fully qualified user defined function names whose access control is managed by Privacera. Leave it blank to manage all functions in the managed schemas.

  • External locations to set access control policies for [BASIC]
    List of external location names whose access control is managed by Privacera. Leave it blank to manage all external locations.

  • Storage credentials to set access control policies for [BASIC]
    List of storage credential names whose access control is managed by Privacera. Leave it blank to manage all storage credentials.

  • Catalogs to ignore while setting access control policies [ADVANCED]
    List of catalog names whose access control is not managed by Privacera. This list takes precedence over [Catalogs to set access control policies for].

  • Schemas to ignore while setting access control policies [ADVANCED]
    List of schema names whose access control is not managed by Privacera. This list takes precedence over [Schemas to set access control policies for].

  • Tables to ignore while setting access control policies [ADVANCED]
    List of fully qualified table names whose access control is not managed by Privacera. This list takes precedence over [Tables to set access control policies].

  • User defined functions to ignore while setting access control policies [ADVANCED]
    List of fully qualified user defined function names whose access control is not managed by Privacera. This list takes precedence over [User defined functions to set access control policies for].

  • External locations to ignore while setting access control policies [ADVANCED]
    List of external location names whose access control is not managed by Privacera. This list takes precedence over [External locations to set access control policies for].

  • Storage credentials to ignore while setting access control policies [ADVANCED]
    List of storage credential names whose access control is not managed by Privacera. This list takes precedence over [Storage credentials to set access control policies for].
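The include and ignore lists above compose in a fixed way: a blank include list means "manage everything", an ignore list always wins over an include list, and the table-level lists only narrow what the catalog and schema lists already selected. The following is an added example, not Privacera's code, that models that decision so you can check a planned configuration against an inventory before enabling the connector. It assumes fully qualified table names have the form catalog.schema.table and that the schema lists hold bare schema names; the scope and inventory are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ResourceScope:
    """Constructed stand-in for the resource-management lists on this page.

    Each pair mirrors a "... to set access control policies for" field and its
    "... to ignore while setting access control policies" counterpart.
    """
    catalogs: set[str] = field(default_factory=set)
    ignore_catalogs: set[str] = field(default_factory=set)
    schemas: set[str] = field(default_factory=set)
    ignore_schemas: set[str] = field(default_factory=set)
    tables: set[str] = field(default_factory=set)
    ignore_tables: set[str] = field(default_factory=set)


def _selected(name: str, include: set[str], ignore: set[str]) -> bool:
    """The page's rule for one list pair: ignore wins, blank include means all."""
    if name in ignore:
        return False
    return not include or name in include


def is_catalog_managed(scope: ResourceScope, catalog: str) -> bool:
    return _selected(catalog, scope.catalogs, scope.ignore_catalogs)


def is_schema_managed(scope: ResourceScope, catalog: str, schema: str) -> bool:
    # Assumption: schema lists hold bare schema names, and a schema is only
    # managed when its catalog is managed too.
    return is_catalog_managed(scope, catalog) and _selected(
        schema, scope.schemas, scope.ignore_schemas
    )


def is_table_managed(scope: ResourceScope, table_fqn: str) -> bool:
    # "Leave blank to manage all tables in the managed schemas": the table
    # lists narrow the catalog/schema selection but never widen it.
    parts = table_fqn.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected catalog.schema.table, got {table_fqn!r}")
    catalog, schema, _ = parts
    return is_schema_managed(scope, catalog, schema) and _selected(
        table_fqn, scope.tables, scope.ignore_tables
    )


def managed_tables(scope: ResourceScope, inventory: list[str]) -> list[str]:
    """Return the subset of a table inventory that PolicySync would manage."""
    return [fqn for fqn in inventory if is_table_managed(scope, fqn)]


# Constructed sample configuration and inventory.
SAMPLE_SCOPE = ResourceScope(
    catalogs={"sales", "hr"},
    ignore_catalogs={"hr"},                   # ignore wins over include
    schemas=set(),                            # blank: every schema of a managed catalog
    ignore_schemas={"scratch"},
    tables=set(),                             # blank: every table of a managed schema
    ignore_tables={"sales.public.audit_log"},
)
SAMPLE_INVENTORY = [
    "sales.public.orders",
    "sales.public.audit_log",    # explicitly ignored
    "sales.scratch.tmp_export",  # schema ignored
    "hr.public.employees",       # catalog ignored despite being listed
    "finance.public.ledger",     # catalog not in the include list
]

if __name__ == "__main__":
    print(managed_tables(SAMPLE_SCOPE, SAMPLE_INVENTORY))
```

Running the block prints only sales.public.orders: hr is dropped even though it is in the include list, which is the precedence rule the field descriptions state, and finance never enters the scope because the catalog list is non-blank.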

Users/Groups/Roles management

  • Regex to find special characters in names [ADVANCED]
    Regex that finds the matching characters in a name and replaces them with the string specified in [String to replace with the special characters found in names].
    Default value: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

  • String to replace with the special characters found in names [ADVANCED]
    String used to replace the characters found by the regex specified in [Regex to find special characters in names].
    Default value: _

  • Regex to find special characters in user names [ADVANCED]
    Regex that finds the matching characters in a user name and replaces them with the string specified in [String to replace with the special characters found in user names].
    Default value: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

  • String to replace with the special characters found in user names [ADVANCED]
    String used to replace the characters found by the regex specified in [Regex to find special characters in user names].
    Default value: _

  • Regex to find special characters in group names [ADVANCED]
    Regex that finds the matching characters in a group name and replaces them with the string specified in [String to replace with the special characters found in group names].
    Default value: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

  • String to replace with the special characters found in group names [ADVANCED]
    String used to replace the characters found by the regex specified in [Regex to find special characters in group names].
    Default value: _

  • Regex to find special characters in role names [ADVANCED]
    Regex that finds the matching characters in a role name and replaces them with the string specified in [String to replace with the special characters found in role names].
    Default value: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

  • String to replace with the special characters found in role names [ADVANCED]
    String used to replace the characters found by the regex specified in [Regex to find special characters in role names].
    Default value: _

  • Persist case sensitivity of user names [ADVANCED]
    By default, all user names are converted to lowercase. Enable this to keep them in the same case as on the portal.
    Default value: false

  • Persist case sensitivity of group names [ADVANCED]
    By default, all group names are converted to lowercase. Enable this to keep them in the same case as on the portal.
    Default value: false

  • Persist case sensitivity of role names [ADVANCED]
    By default, all role names are converted to lowercase. Enable this to keep them in the same case as on the portal.
    Default value: false

  • Create users in Databricks SQL Endpoint by policysync [ADVANCED]
    Enable if you want Privacera to create an account user in Databricks Unity Catalog for each user created on the portal. Even when this property is true, account users are created only if the provided personal access token has account admin privileges.
    Default value: true

  • Create groups in Databricks SQL Endpoint by policysync [ADVANCED]
    Enable if you want Privacera to create an account group in Databricks Unity Catalog for each group created on the portal. Even when this property is true, account groups are created only if the provided personal access token has account admin privileges.
    Default value: true

  • Manage members of groups in Databricks SQL by policysync [ADVANCED]
    Enable if you want Privacera to manage the members of the account group in Databricks Unity Catalog for each group created on the portal. Even when this property is true, account groups are updated only if the provided personal access token has account admin privileges.
    Default value: true

  • Manage users from portal [ADVANCED]
    Enable if you want Privacera to create, update and delete Databricks Unity Catalog Endpoint users when the corresponding portal users are created, updated or deleted.
    Default value: true

  • Manage groups from portal [ADVANCED]
    Enable if you want Privacera to create, update and delete Databricks Unity Catalog Endpoint groups when the corresponding portal groups are created, updated or deleted.
    Default value: true

  • Manage roles from portal [ADVANCED]
    Enable if you want Privacera to create, update and delete Databricks Unity Catalog Endpoint roles when the corresponding portal roles are created, updated or deleted.
    Default value: true

  • Users to set access control policies [ADVANCED]
    List of user names whose access control is managed by Privacera. Leave it blank to manage all users.

  • Groups to set access control policies [ADVANCED]
    List of group names whose access control is managed by Privacera. Leave it blank to manage all groups.

  • Roles to set access control policies [ADVANCED]
    List of role names whose access control is managed by Privacera. Leave it blank to manage all roles.

  • Users to be ignored by access control policies [ADVANCED]
    List of user names whose access control is not managed by Privacera. This list takes precedence over [Users to set access control policies].

  • Groups to be ignored by access control policies [ADVANCED]
    List of group names whose access control is not managed by Privacera. This list takes precedence over [Groups to set access control policies].

  • Roles to be ignored by access control policies [ADVANCED]
    List of role names whose access control is not managed by Privacera. This list takes precedence over [Roles to set access control policies].

  • Prefix of Databricks SQL Endpoint roles for portal groups [ADVANCED]
    Prefix of the role that Privacera creates in Databricks Unity Catalog Endpoint for each group from the portal.
    Default value: priv_group_

  • Prefix of Databricks SQL Endpoint roles for portal roles [ADVANCED]
    Prefix of the role that Privacera creates in Databricks Unity Catalog Endpoint for each role from the portal.
    Default value: priv_role_

  • Use Databricks SQL Endpoint native public group for public group access policies [ADVANCED]
    Enable if you want Privacera to use the Databricks Unity Catalog Endpoint native public group for access grants whenever a policy refers to the public group.
    Default value: true

  • Set access control policies only on the users from managed groups [ADVANCED]
    Enable to manage only the users who belong to the groups defined in [Groups to set access control policies].
    Default value: false

  • Set access control policies only on the users/groups from managed roles [ADVANCED]
    Enable to manage only the users who belong to the roles defined in [Roles to set access control policies].
    Default value: false
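The regex, replacement-string and case-persistence fields decide what a portal user, group or role is called once it reaches Unity Catalog, and the two prefix fields decide the name of the role created for a portal group or role. The following is an added example, not Privacera's code, that applies those rules so you can predict the resulting names (and spot collisions, since distinct portal names can normalize to the same string) before turning on user/group/role management. The character class in the code is my reading of the page's default regex, which the page shows with doubled escaping; the assumption that the prefix is applied to the already-normalized name, and the sample portal names, are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed reading of the page's default regex as a Python pattern (an
# assumption, not a byte-for-byte copy of the escaped value shown on the page).
# Note that a space is not in the class, so spaces survive normalization.
DEFAULT_SPECIAL_CHARS = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-/\\{}]"


@dataclass
class NameRules:
    """Stand-in for one kind's regex, replacement string and case setting."""
    special_chars: str = DEFAULT_SPECIAL_CHARS
    replacement: str = "_"          # page default
    persist_case: bool = False      # page default: fold to lowercase


def normalize_name(name: str, rules: NameRules) -> str:
    """Apply the regex/replacement pair, then the case rule, to a portal name."""
    cleaned = re.sub(rules.special_chars, rules.replacement, name)
    return cleaned if rules.persist_case else cleaned.lower()


def unity_role_name(portal_name: str, prefix: str, rules: NameRules) -> str:
    """Name of the Unity Catalog role created for a portal group or role.

    Assumption: the prefix is prepended after the name has been normalized.
    """
    return prefix + normalize_name(portal_name, rules)


# Constructed per-kind rules: page defaults, except that role names keep case.
RULES = {
    "user": NameRules(),
    "group": NameRules(),
    "role": NameRules(persist_case=True),
}
GROUP_ROLE_PREFIX = "priv_group_"   # page default
ROLE_ROLE_PREFIX = "priv_role_"     # page default


def map_portal_identities(users, groups, roles):
    """Map constructed portal names to the names PolicySync would use in Unity Catalog."""
    return {
        "users": {u: normalize_name(u, RULES["user"]) for u in users},
        "groups": {g: unity_role_name(g, GROUP_ROLE_PREFIX, RULES["group"]) for g in groups},
        "roles": {r: unity_role_name(r, ROLE_ROLE_PREFIX, RULES["role"]) for r in roles},
    }


def find_collisions(mapping: dict) -> dict:
    """Return normalized names that more than one portal name maps to."""
    seen: dict = {}
    for portal, unity in mapping.items():
        seen.setdefault(unity, []).append(portal)
    return {unity: portals for unity, portals in seen.items() if len(portals) > 1}


if __name__ == "__main__":
    result = map_portal_identities(
        users=["Jane.Doe@example.com", "jane_doe_example_com"],
        groups=["Data-Analysts", "Finance (EU)"],
        roles=["Ledger/Reader"],
    )
    for kind, mapping in result.items():
        for portal, unity in mapping.items():
            print(f"{kind:6} {portal!r:28} -> {unity!r}")
    print("collisions:", find_collisions(result["users"]))
```

Two things worth checking against your own portal names: with the default regex a space is left in place (Finance (EU) becomes finance _eu_), and because "." and "@" both become "_", an e-mail style user name can collide with a plain user name, which is what find_collisions reports for the constructed users.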

Access control management

  • Enforce masking policies using secure views [ADVANCED]
    Enable to enforce masking policies using secure views.
    Default value: true

  • Enforce tr filter policies using secure views [ADVANCED]
    Enable to enforce tr filter policies using secure views.
    Default value: true

  • Create secure view for all tables/views [ADVANCED]
    Enable to create a secure view for every table/view, regardless of whether a masking/tr filter policy exists for the table on the UI.
    Default value: true

  • Default masked value for numeric datatype columns [ADVANCED]
    The value used in place of a masked numeric column.
    Default value: 0

  • Default masked value for text/varchar/string datatype columns [ADVANCED]
    The value used in place of a masked text/varchar/string column.
    Default value: <MASKED>

  • Secure view name prefix [ADVANCED]
    The secure view name is created by prepending this value to the actual table/view name.

  • Secure view name postfix [ADVANCED]
    The secure view name is created by appending this value to the actual table/view name.

  • Secure view schema name prefix [ADVANCED]
    The secure view schema name is created by prepending this value to the actual table/view schema name.

  • Secure view schema name postfix [ADVANCED]
    The secure view schema name is created by appending this value to the actual table/view schema name.
    Default value: _secure

  • Any spark properties to use when creating a secure view. [ADVANCED]
    When a secure view is created through the Unity Catalog API, the API does not set any Spark properties on the view. If you want the secure views to carry Spark properties when they are created, specify them here as a comma separated list.

  • Enable policy enforcements and user/group/role management [BASIC]
    Enable policy enforcement and user/group/role management.
    Default value: true

  • Enable dataadmin [ADVANCED]
    Enable to use the data admin functionality.
    Default value: true
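The secure view fields above fix where a secure view lives (prefix/postfix on the schema and view names, with _secure as the default schema postfix) and what a masked column reads (0 for numeric columns, <MASKED> for text). The following is an added example, not Privacera's code, that derives the secure view's name from a table's name and builds an illustrative view definition with the default masked values, so you can see where readers will be pointed once masking is enforced through secure views. It assumes three-part names of the form catalog.schema.table, that the comma separated Spark properties are written as key=value pairs, and that non-numeric columns take the text default; the DDL shape is illustrative, since the page does not show the statement PolicySync issues.

```python
from dataclasses import dataclass

# Page defaults for the two masked-value fields.
NUMERIC_MASK_DEFAULT = "0"
TEXT_MASK_DEFAULT = "<MASKED>"

# Assumed set of numeric Unity Catalog column types; everything else is treated
# as text for masking purposes.
NUMERIC_TYPES = {"tinyint", "smallint", "int", "bigint", "float", "double", "decimal"}


@dataclass
class SecureViewNaming:
    """Stand-in for the four prefix/postfix fields; only the schema postfix has a page default."""
    view_prefix: str = ""
    view_postfix: str = ""
    schema_prefix: str = ""
    schema_postfix: str = "_secure"


def secure_view_fqn(table_fqn: str, naming: SecureViewNaming) -> str:
    """Build the secure view's name from the table's (assumed catalog.schema.table)."""
    catalog, schema, table = table_fqn.split(".")
    secure_schema = f"{naming.schema_prefix}{schema}{naming.schema_postfix}"
    secure_view = f"{naming.view_prefix}{table}{naming.view_postfix}"
    return f"{catalog}.{secure_schema}.{secure_view}"


def masked_select_list(columns, masked_columns,
                       numeric_default=NUMERIC_MASK_DEFAULT,
                       text_default=TEXT_MASK_DEFAULT) -> str:
    """Select list that substitutes the default masked value for each masked column.

    columns is a list of (name, data_type) pairs as they would come from the
    table definition; masked_columns is the set of column names a masking
    policy applies to.
    """
    parts = []
    for name, data_type in columns:
        base_type = data_type.lower().split("(")[0]   # decimal(10,2) -> decimal
        if name not in masked_columns:
            parts.append(name)
        elif base_type in NUMERIC_TYPES:
            parts.append(f"{numeric_default} AS {name}")
        else:
            parts.append(f"'{text_default}' AS {name}")
    return ", ".join(parts)


def parse_spark_properties(csv: str) -> dict:
    """Assumed format for the comma separated Spark properties field: key=value pairs."""
    props = {}
    for item in csv.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        props[key.strip()] = value.strip()
    return props


def secure_view_ddl(table_fqn, columns, masked_columns, naming, spark_properties="") -> str:
    """Illustrative DDL for the secure view over table_fqn."""
    head = f"CREATE OR REPLACE VIEW {secure_view_fqn(table_fqn, naming)}"
    props = parse_spark_properties(spark_properties)
    if props:
        head += " TBLPROPERTIES (" + ", ".join(f"'{k}' = '{v}'" for k, v in props.items()) + ")"
    return f"{head} AS SELECT {masked_select_list(columns, masked_columns)} FROM {table_fqn}"


# Constructed sample table definition and masking policy.
SAMPLE_TABLE = "sales.public.orders"
SAMPLE_COLUMNS = [("id", "bigint"), ("email", "string"), ("salary", "decimal(10,2)")]
SAMPLE_MASKED = {"email", "salary"}

if __name__ == "__main__":
    print(secure_view_ddl(SAMPLE_TABLE, SAMPLE_COLUMNS, SAMPLE_MASKED,
                          SecureViewNaming(), "spark.databricks.example.owner=policysync"))
```

With the defaults the secure view for sales.public.orders lands in sales.public_secure.orders, which is the name consumers have to be granted on; the masked select list shows the two defaults applied by column type, with decimal(10,2) recognized as numeric.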