
Revoke Temporary Table Permissions for Public Group

In AWS Redshift, temporary tables automatically inherit permissions from the public group. This default behavior can unintentionally grant broader access to sensitive data than required.

Enabling this configuration revokes those inherited permissions, ensuring that temporary tables are accessible only to explicitly authorized users. This strengthens security by reducing unnecessary exposure.

Configuration Property

| Property | Description | Default Value | Possible Values |
|---|---|---|---|
| REVOKE_TMP_TABLE_PERMISSIONS_PUBLIC_GROUP | When set to true, Privacera revokes permissions granted to the public group on temporary tables in AWS Redshift, providing tighter control over temporary table access. | false | true, false |

Configuration Steps

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/redshift/instance1/vars.connector.redshift.yml
    
  3. Modify the following property:

    YAML
    CONNECTOR_REDSHIFT_REVOKE_TMP_TABLE_PERMISSIONS_PUBLIC_GROUP: "true"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
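
A deployment with several Redshift connector instances needs the property set in each instance's vars file, so the following added example (not Privacera code) audits every instance directory and flags any that still use the default. The function names and sample instance names are hypothetical, and it assumes the last uncommented assignment in a file is the effective one.

```bash
#!/usr/bin/env bash
# Added example, not Privacera code: audit every Redshift connector instance
# directory for the property set in step 3.
KEY="CONNECTOR_REDSHIFT_REVOKE_TMP_TABLE_PERMISSIONS_PUBLIC_GROUP"
VARS_FILE="vars.connector.redshift.yml"

# Effective value of KEY in one vars file: last uncommented assignment, with
# trailing comment, whitespace and quotes stripped, then lower-cased.
effective_value() {
  grep -E "^[[:space:]]*${KEY}[[:space:]]*:" "$1" 2>/dev/null | tail -n 1 \
    | sed -E -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]+#.*$//' \
             -e 's/[[:space:]]+$//' -e "s/^[\"']//" -e "s/[\"']\$//" \
    | tr '[:upper:]' '[:lower:]'
}

# Returns 0 only if every instance under $1 sets the property to true,
# 1 if any instance is false or unset (the default), 2 if no instance exists.
audit_redshift_connectors() {
  local base="$1" rc=0 found=0 dir val
  for dir in "$base"/*/; do
    [ -d "$dir" ] || continue
    found=1
    val="$(effective_value "${dir}${VARS_FILE}")"
    if [ "$val" = "true" ]; then
      echo "OK    $(basename "$dir")"
    else
      echo "WEAK  $(basename "$dir") (value: ${val:-unset, defaults to false})"
      rc=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "no connector instances under $base" >&2; return 2; }
  return "$rc"
}

# Constructed sample tree (hypothetical instance names) for an offline run.
make_sample_tree() {
  mkdir -p "$1/instance1" "$1/instance2" "$1/instance3"
  printf '%s: "true"\n' "$KEY" > "$1/instance1/$VARS_FILE"
  printf '# %s: "true"\n' "$KEY" > "$1/instance2/$VARS_FILE"   # commented out
  printf '%s: "false"  # default\n' "$KEY" > "$1/instance3/$VARS_FILE"
}

# With a path argument, audit that directory; otherwise run on the sample tree.
if [ "$#" -gt 0 ]; then
  audit_redshift_connectors "$1"; exit $?
else
  demo="$(mktemp -d)"; make_sample_tree "$demo"
  audit_redshift_connectors "$demo" || true; rm -rf "$demo"
fi
```

Pass `~/privacera/privacera-manager/config/custom-vars/connectors/redshift` as the argument to audit the real configuration before running the update commands.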
    
  1. In PrivaceraCloud, go to Settings → Applications.

  2. Select Redshift from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, in the Add New Custom Properties section, add the following property:

    Bash
    ranger.policysync.connector.0.tmp.table.permission.revoke.for.public.group=true
    
  5. Click SAVE.

  6. Once saved and enabled, the AWS Redshift connector will start. You can then hover over the VIEW LOGS button to check the status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the AWS Redshift Connector:

  1. Go to Settings → Applications, then select the Redshift connector.

  2. Edit the application, Disable it, and Save it.

  3. Reopen the application, Enable it and Save it.