Access Management for EMR Serverless¶

Introduction¶

Privacera offers a robust access control solution for Amazon EMR Serverless, empowering users to define and enforce Object-Level Access Control (OLAC) and OLAC_FGAC policies for Spark.

This section provides the information how to extend the Docker image from EMR Serverless to include Privacera’s plugin and configurations. Refer to Privacera's User Guide for AWS EMR Serverless for instructions to run the Apache Spark Jobs or Jupyter Notebook with Privacera's access control.

Connector Details¶

Supported Access Management Features¶

Feature	Spark OLAC	Spark OLAC_FGAC
Object Level Access Control	Yes	Yes
Database Level Access Control	No	Yes
Table Access Control	No	Yes
View Access Control	No	Yes
Column Access Control	No	Yes
Row Access Control	No	No
Dynamic Column Data Masking	No	No
Dynamic Column Data Encryption	No	No
Centralized Access Audit	Yes	Yes
Granular Access Audit Record	Yes	Yes

Supported Runtime Versions¶

Privacera supports the following EMR Serverless runtime versions:

Self Managed/D2P

Version	Release Version	End-of-support date
7.5.0	9.0.8.1	November 21, 2026
7.2.0	9.0.1.1	July 25, 2026

Limitations for Access Management Features¶

1. Only JWT is supported for user identity mapping.
2. Only supports S3 as the data source.
3. For now, AWS EMR Serverless is only supported on Privacera's Self-Managed deployments.

How it Works¶

• Privacera integrates with EMR Serverless by extending the Spark Docker image from EMR Serverless to include Privacera’s plugin and configurations.
• The Dockerfile installs the required packages along with Privacera-specific files, including the plugin and setup script.
• The final Docker image is a customized build that incorporates Privacera’s setup, plugins, and configurations.

User Identity Mapping¶

Policies in Privacera are configured for users and groups based on JWT, as well as for roles created within Privacera. These identities are mapped to the Databricks user identities as follows:

Comments