Skip Database Grant for Table-Wildcard Policies¶

By default, when you create a policy using a table wildcard (*), the Lake Formation connector grants permission on both the matching tables and the database resource.

When Skip Database Grant is enabled, the connector restricts permissions only to the tables matching the wildcard. It skips granting any permissions on the database resource itself.

Use this setting to prevent users from gaining unintended database-level access (such as the ability to describe or list the database) when your intent is only to provide access to specific sets of tables.

Configuration¶

Setting	Type	Default	Description
`CONNECTOR_LAKEFORMATION_SKIP_SELF_IN_WILDCARD_POLICY_ENABLED`	Boolean	`true`	When enabled, skips granting permissions on the database for policies that use a table wildcard. Permissions are applied only at the table level.

Setup¶

Self Managed and Data Plane

SSH into the instance where Privacera Manager is installed.
Navigate to your Lakeformation connector instance YAML file :

Note

Replace instance1 with the appropriate connector instance name.
Bash
1
vi ~/privacera/privacera-manager/config/custom-vars/connectors/lakeformation/instance1/vars.connector.lakeformation.push.yml

Add the property for skip self feature:

YAML
# Skip-self in wildcard policy
CONNECTOR_LAKEFORMATION_SKIP_SELF_IN_WILDCARD_POLICY_ENABLED: "true"

After updating the file, apply the changes by running:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

Prev topic: Advanced Configuration