Prerequisites for Access Management for AWS Redshift Connector¶

Before integrating AWS Redshift with Privacera, ensure that you have the necessary Redshift database, users and roles required by PolicySync Connector. Below are the prerequisites for setting up the AWS Redshift connector with Privacera.

Prerequisites	Detail
JDBC URL	Get the JDBC URL for the Redshift cluster.
JDBC username and password	SUPERUSER privileges are required and will be used exclusively by the Privacera Connector to manage access permissions. Configurations without SUPERUSER privileges are not currently supported. Refer to the Redshift Role for Connector section below for the necessary SQL commands.
Redshift Role for Connector	Create a Redshift role with the necessary privileges to allow the connector to manage access policies in Redshift.
Database, schema and table names	Specify the database and schema names to be managed. Initially, enable access management for a test schema with sample tables. Once all use cases have been validated, you can extend management to all objects within your Redshift database cluster.
Users and groups to manage	The Privacera users and groups whose permissions in Redshift will be managed by the connector.

Recommendations for Creating Redshift User and Role¶

For performing the below steps, log in to Redshift as a user with SUPERUSER privileges.

SUPERUSER Privileges Required

The Redshift connector currently requires credentials with SUPERUSER privileges to enforce policies and manage users and roles. Non-SUPERUSER setups are not supported at this time due to ownership switching requirements involved in GRANT/REVOKE operations.

Redshift Role for Connector¶

The role created in this step will be used when configuring the Redshift connector with Privacera. The suggested name for the role is privacera_policysync_redshift_role, but you can use a different name if preferred.

Since the Privacera connector manages access policies in Redshift and can create users and roles in Redshift, the role should have the necessary privileges to manage permissions for all tables and views in the database. Additionally, if Privacera is managing users and groups in Redshift, the role should have the necessary privileges to create, update and delete users and roles in Redshift.

Privilege	Description
CREATE USER	Allows the role to create users in Redshift.
CREATE ROLE	Allows the role to create roles in Redshift.
System Catalog Access	Allows the role to read system catalogs for metadata operations.
Schema Permissions	Allows the role to manage grants and permissions on schemas and tables.

Here are the steps to create the role and grant the necessary privileges to the role:

Drop the role if it already exists.

SQL
REVOKE ROLE "privacera_policysync_redshift_role" FROM "privacera_policysync_redshift_user";
DROP ROLE IF EXISTS privacera_policysync_redshift_role;

Create a new role.

SQL
CREATE ROLE "privacera_policysync_redshift_role";

Grant system catalog access to the role.

SQL
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO role privacera_policysync_redshift_role;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO role privacera_policysync_redshift_role;

Grant schema-specific permissions (replace with your actual database and schema names).

SQL
-- Replace 'your_database.your_schema' with actual database and schema names
GRANT USAGE ON SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;
GRANT SELECT ON ALL TABLES IN SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;
GRANT CREATE ON SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;

Schema Permissions

Replace your_database.your_schema with the actual database and schema names you want to manage. You may need to repeat these commands for multiple schemas.

Database User for Privacera Connector¶

The Privacera connector requires a user to connect to Redshift and manage access policies. The user should have the necessary privileges to manage access policies in Redshift. The suggested name for the user is privacera_policysync_redshift_user, but you can use a different name if preferred. You need to create this database user and grant access to the role privacera_policysync_redshift_role.

Drop the user if it already exists.

SQL
DROP USER IF EXISTS "privacera_policysync_redshift_user";

Create the database user.
SQL
1
CREATE USER "privacera_policysync_redshift_user" WITH PASSWORD '<PLEASE_CHANGE>';
Replace Password

Replace <PLEASE_CHANGE> with a strong password for the privacera_policysync_redshift_user.

Grant the role to the user.

SQL
GRANT ROLE "privacera_policysync_redshift_role" TO "privacera_policysync_redshift_user";

Grant user creation privileges directly to the user.
SQL
1
ALTER USER "privacera_policysync_redshift_user" CREATEUSER;
User Creation Privileges

In Redshift, the CREATEUSER privilege needs to be granted directly to the user, not to the role.

Complete Setup Script¶

Here is the complete SQL script to set up the Redshift user and role for Privacera:

SQL
-- Clean up any existing user/role (if they exist)
REVOKE ROLE "privacera_policysync_redshift_role" FROM "privacera_policysync_redshift_user";
DROP ROLE IF EXISTS privacera_policysync_redshift_role;
DROP USER IF EXISTS "privacera_policysync_redshift_user";

-- Create the dedicated role
CREATE ROLE "privacera_policysync_redshift_role";

-- Create the dedicated service user
CREATE USER "privacera_policysync_redshift_user" WITH PASSWORD '<PLEASE_CHANGE>';

-- Grant the role to the user
GRANT ROLE "privacera_policysync_redshift_role" TO "privacera_policysync_redshift_user";

-- Grant system catalog access to the role
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO role privacera_policysync_redshift_role;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO role privacera_policysync_redshift_role;

-- Grant user creation privileges directly to the user
ALTER USER "privacera_policysync_redshift_user" CREATEUSER;

-- Grant schema-specific permissions (replace with your actual database and schema names)
-- Example: GRANT USAGE ON SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;
-- Example: GRANT SELECT ON ALL TABLES IN SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;
-- Example: GRANT CREATE ON SCHEMA your_database.your_schema TO role privacera_policysync_redshift_role;

Next Steps

After creating the user and role, you can proceed with the Setup to configure the Redshift connector in Privacera using these credentials.

Planned Deployment¶

Redshift Roles

Privacera Connector for AWS Redshift will create Redshift Roles for the users, groups and roles in Privacera. The default naming convention for these Redshift roles is to prefix the role name with priv_.

Privacera connector will apply new permissions as per the policies defined in Privacera. The existing grants and permissions for the users, groups and roles in Redshift will not be removed by Privacera connector.

Existing grants and permissions

You will have to manually remove existing grants and permissions from Redshift. Similarly existing user to group or role mappings will not be removed by Privacera connector.

You can start by specifying a subset of schemas and tables to be managed by Privacera connector, and then you can later remove the restrictions to manage all the objects in your Redshift database cluster.

Similarly, you can start by specifying a subset of users and groups to be managed by Privacera connector, and then you can later remove the restrictions to manage all the users and groups in your Redshift database cluster.

If you have existing grants, you may want to convert them into Privacera policies and then remove the existing grants. Privacera Professional Services can help you with this conversion.

Prev topic: Access Management
Next topic: Setup