Skip to content

Users, Groups, and Roles Management

This section is about managing access control policies for users, groups, and roles in the Databricks SQL Analytics.

Privacera's Databricks SQL Analytics connector includes an option to restrict which users, groups, and roles are managed in Databricks SQL Analytics. This is achieved by explicitly specifying which entities should be managed or ignored by the connector.

This section provides details on how to configure the connector to manage them.

It is recommended to exclude admins from being managed by the connector and instead manage them manually in the Databricks SQL Analytics.

Managing Users, Groups, and Roles

These properties determine whether users, groups, and roles fetched from Ranger should be managed in Databricks SQL Analytics. When enabled, Privacera can create, update, and delete these entities within SQL Analytics.

  • Manage Users, Groups, and Roles:
    Specifies whether the Privacera SQL Analytics connector should manage users, groups, and roles—collectively referred to as principals—in Databricks SQL Analytics.

    • When enabled (true), the connector automatically manages the creation, update, and deletion of principals.
    • It also grants and revokes privileges based on policies retrieved from Ranger.
    • This setting is enabled by default to support automated access and identity management.

  • Filter Specific Users, Groups, and Roles:
    Use these properties to selectively manage specific identities—users, groups, and roles—in SQL Analytics.

    • Provide a comma-separated list of exact names or wildcard prefixes (e.g., group_prefix*, role_prefix*) to target specific principals.
    • To manage all principals, leave the property empty or set it to *.
    These filter properties only apply if general management is enabled:

    • Self Managed (YAML Configuration) deployments:

      • CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USERS
      • CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS
      • CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES

    • PrivaceraCloud deployments:

      • Enable the following in Access Management → ADVANCED tab of the Databricks SQL Analytics application:
        • Manage users from portal
        • Manage groups from portal
        • Manage roles from portal

  • Ignore Specific Identities:

    • Use this property to exclude specific users, groups, or roles from being managed by the Privacera SQL Analytics connector.
    • Ignored identities take precedence over any included or managed identities.

  • Group Membership Management:
    Specifies whether the Privacera SQL Analytics connector manages user membership within Databricks account-level groups.

    • When set to true: The connector automatically adds or removes users from account-level groups based on the configuration defined in Privacera. This ensures that group membership remains synchronized between Privacera and SQL Analytics.
    • When set to false: Group membership must be managed manually or by an external process.

    Note

    Group membership updates require the Databricks personal access token to have account admin privileges.

  • User Filtering Based on Groups or Roles:

    • This option allows you to restrict which users are managed by the connector based on their group or role membership.
    • Only users who belong to the specified groups or roles will be considered for management.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml

  3. Set the following properties:

    Bash
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USERS: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES: "true"

  4. If you want to manage only specific users, groups, and roles, specify them in the corresponding properties below.

    Bash
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST: "user1, user2"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST: "group1, group2, group_prefix*"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST: "role1, role2, role_prefix*"

  5. To exclude specific users, groups, and roles from the Databricks SQL Analytics, set the following properties.

    Bash
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST: "user_a, user_b"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST: "group_a, group_b, group_prefix*"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST: "role_a, role_b, role_prefix*"

  6. To further filter users based on the groups and roles they belong to, use the following properties:

    Bash
    1
2
3
4
5
    # Enable to manage only users belonging to the specified groups in the managed groups list.
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP: "false"

# Enable to manage only users belonging to the specified roles in the managed roles list.
CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE: "false"

  7. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks SQL Analytics.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enable the following options:

    • Manage users from portal
    • Manage groups from portal
    • Manage roles from portal

  6. For including specific users, groups, and roles, enter the values in:

    • Users to set access control policies: user1, user2
    • Groups to set access control policies: group1, group2, group_prefix*
    • Roles to set access control policies: role1, role2, role_prefix*

  7. For excluding specific users, groups, and roles:

    • Users to ignore while setting access control policies: user_a, user_b
    • Groups to ignore while setting access control policies: group_a, group_b, group_prefix*
    • Roles to ignore while setting access control policies: role_a, role_b, role_prefix*

  8. To enable group member management:

    • Manage the group members of account groups in Databricks SQL Analytics by Privacera

  9. Additional filtering options:

    • Set access control policies only on the users from managed groups: Enable if you want to manage only users who belong to the groups defined in Groups to set access control policies.
    • Set access control policies only on the users/groups from managed roles: Enable if you want to manage only users who belong to the roles defined in Roles to set access control policies.

  10. Click SAVE to apply the changes.

Name Replacement for Users, Groups, and Roles

Replace Name from Regex

  • This property allows you to find and replace specific characters in user, group, or role names using a regular expression (regex). If left blank, no replacement is performed.
  • Default value:
    Text Only
    1
    [~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
    This regex matches special characters such as spaces, punctuation, and symbols, ensuring that user, group, and role names comply with Databricks Sql Analytics naming conventions.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml

  3. Set the following properties:

    Bash
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Sql Analytics.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enter the values in the following fields:

    • Regex to find special characters in user names: Enter a regex pattern to identify special characters in user names. These characters will be replaced based on the value specified in the String to replace with the special characters found in user names field.
    • Regex to find special characters in group names: Enter a regex pattern to identify special characters in group names. These characters will be replaced based on the value specified in the String to replace with the special characters found in group names field.
    • Regex to find special characters in role names: Enter a regex pattern to identify special characters in role names. These characters will be replaced based on the value specified in the String to replace with the special characters found in role names field.

  6. Click SAVE to apply the changes.

Replace to String

This property specifies the replacement characters for the regex matches. If left blank, no find and replace operation is performed. Default value is _.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml

  3. Set the following properties:

    Bash
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING: "_"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING: "_"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING: "_"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Sql Analytics.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enter the values in the following fields:

    • String to replace with the special characters found in user names: String used to replace the characters found by the regex specified in Regex to find special characters in user names.
    • String to replace with the special characters found in group names: String used to replace the characters found by the regex specified in Regex to find special characters in group names.
    • String to replace with the special characters found in role names: String used to replace the characters found by the regex specified in Regex to find special characters in role names.

  6. Click SAVE to apply the changes.

Examples: Regex Name Replacement

Below are simple examples showing how the regex-based name replacement works for users, groups, and roles. These examples help clarify what happens for names that match the regex and those that do not.

Suppose you set the following properties:

YAML
1
2
CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING: "_"

This configuration replaces any special character or space in a user name with an underscore (_).

Note

  • If a name does not match the regex, it remains unchanged.
  • You can adjust the regex and replacement string to fit your organization's naming conventions.

User Name Replacement Examples

Original User Name Result After Replacement Explanation
john.doe john_doe . replaced with _
alice smith alice_smith Space replaced with _
bob@company bob_company @ replaced with _
charlie charlie No special characters, unchanged

Group Name Replacement Examples

If you set:

YAML
1
2
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX: "group-(.+)"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING: "Team_$1"
Original Group Name Result After Replacement Explanation
group-analytics Team_analytics Replaces group- prefix with Team_
admins admins No group- prefix, so remains unchanged
group-123 Team_123 Replaces group- prefix with Team_

Role Name Replacement Examples

If you set:

YAML
1
2
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX: "role_(.+)"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING: "Role$1"
Original Role Name Result After Replacement Explanation
role_data Roledata Replaces role_ prefix with Role
user user No role_ prefix, so remains unchanged
role123 role123 No underscore after role, remains unchanged

Comments