
Access Type Exclusions

Overview

When you create policies in the Privacera portal for Lakeformation resources (for example, database or table), the set of permissions available for each resource type is displayed. By default, the connector syncs those permissions to AWS Lakeformation according to the policy.

Access Type Exclusions allow you to prevent specific permissions from syncing to Lakeformation for a given resource type. Even if a permission is granted within a Privacera policy, it will be ignored during the sync process if it is defined in the exclusion list.

Use access type exclusions when you want to prevent certain permissions (for example, ALTER or DROP) from being pushed to Lakeformation for specific resource types.

Configuration

Access type exclusions are defined as custom properties.

File Path
Modify the connector-custom.properties file located in your connector instance directory: config/custom-vars/connectors/lakeformation/<instance>/custom/connector-custom.properties. See Configuring Custom Properties for Connectors for how to add and deploy custom properties.

Property

Define the property: Use the following pattern to define an exclusion.
ranger.policysync.connector.0.access.type.exclusions.<resourceType>

  • <resourceType> : The target resource (see the Resource Mapping Table below).
  • Value: A comma-separated (no spaces) list of permissions to exclude.
  • Resource Mapping Table: Use the corresponding resource type for the property from the following table.

    Portal name              Use in property
    Catalog                  catalog
    Region                   region
    Database                 database
    Table                    table
    Column                   column
    Data Location            data_location
    Tag                      tag
    Database Resource Link   database_resource_link
    Table Resource Link      table_resource_link

Exclusions are applied when the connector starts. Only the permissions listed in the property are excluded. All other permissions for the resource type continue to sync as usual.

Examples

  • Exclude ALTER and DROP for database:

    Properties
    ranger.policysync.connector.0.access.type.exclusions.database=ALTER,DROP

  • Exclude DROP for table:

    Properties
    ranger.policysync.connector.0.access.type.exclusions.table=DROP

  • Exclude multiple permissions for table:

    Properties
    ranger.policysync.connector.0.access.type.exclusions.table=ALTER,DROP,DELETE

Notes

  • The value (comma-separated permission names) must be in upper case (e.g., ALTER, DROP, SELECT).
  • Permission names must use underscores instead of spaces (e.g., use CREATE_TABLE, not CREATE TABLE).
  • Exclusions are applied per resource type. You must configure a separate property for each resource type.
  • If a property is present but the value is empty, no exclusions are applied.
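The following Python snippet is an added example, not part of Privacera's connector code: it parses the exclusion properties from a connector-custom.properties file according to the rules above (resource types from the Resource Mapping Table, upper-case names with underscores, empty value means no exclusions) and shows which of a policy's permissions would still sync. The sample properties text is constructed, and a single connector with index 0, as in the page's examples, is assumed.

```python
import re

# Resource types exactly as listed in the Resource Mapping Table above.
RESOURCE_TYPES = {
    "catalog", "region", "database", "table", "column",
    "data_location", "tag", "database_resource_link", "table_resource_link",
}

# Property key pattern from this page; the connector index is captured but,
# assuming a single connector (index 0), exclusions are keyed by resource type.
KEY_RE = re.compile(
    r"^ranger\.policysync\.connector\.(\d+)\.access\.type\.exclusions\.([a-z_]+)$"
)
# Permission names must be upper case with underscores (e.g. CREATE_TABLE).
PERM_RE = re.compile(r"[A-Z][A-Z0-9_]*")

# Constructed sample file content; note the deliberately empty column value.
SAMPLE_PROPERTIES = """\
# exclusions for the Lake Formation connector
ranger.policysync.connector.0.access.type.exclusions.database=ALTER,DROP
ranger.policysync.connector.0.access.type.exclusions.table=DROP
ranger.policysync.connector.0.access.type.exclusions.column=
some.other.property=value
"""


def parse_exclusions(properties_text):
    """Return {resource_type: set(excluded permissions)} from properties text.

    Raises ValueError for unknown resource types or permission names that
    break the Notes above (lower case, spaces, or a stray space after a comma).
    """
    exclusions = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = KEY_RE.match(key.strip()) if sep else None
        if not match:
            continue  # not an access type exclusion property
        resource_type = match.group(2)
        if resource_type not in RESOURCE_TYPES:
            raise ValueError(f"unknown resource type: {resource_type}")
        perms = set()
        if value.strip():  # present but empty => no exclusions for this type
            for perm in value.strip().split(","):
                if not PERM_RE.fullmatch(perm):
                    raise ValueError(f"invalid permission {perm!r} for {resource_type}")
                perms.add(perm)
        exclusions[resource_type] = perms
    return exclusions


def permissions_to_sync(policy_perms, resource_type, exclusions):
    """Permissions of a policy that the connector would still push to Lake Formation."""
    return sorted(set(policy_perms) - exclusions.get(resource_type, set()))
```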

Setup

  1. SSH into the instance where Privacera Manager is installed.

  2. Navigate to the custom folder for your Lakeformation connector instance and create or edit connector-custom.properties:

    Note

    Replace instance1 with your actual connector instance name.

    Bash
    mkdir -p ~/privacera/privacera-manager/config/custom-vars/connectors/lakeformation/instance1/custom
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/lakeformation/instance1/custom/connector-custom.properties
    
  3. Add the access type exclusion properties (see Property and Examples above). For example:

    Properties
    ranger.policysync.connector.0.access.type.exclusions.database=ALTER,DROP
    ranger.policysync.connector.0.access.type.exclusions.table=DROP
    
  4. After updating the file, apply the changes by running:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install