Enable Secure View

Privacera supports Secure Views for Databricks SQL, enabling you to create views on top of existing tables while enforcing row-level security (RLS) and column-level masking policies.

For details on how secure views work, refer to the About Secure Views section.

Secure Views properties:

| Property Name | Description | Default Value | Supported Values |
|---|---|---|---|
| MASKED NUMBER VALUE | Sets the default value used to mask numeric columns | 0 | Any numeric value |
| MASKED TEXT VALUE | Sets the default value used to mask text columns | '<MASKED>' | Any valid string |
| SECURE VIEW NAME PREFIX | Sets the prefix to be added to secure view names | "" | Any valid string |
| SECURE VIEW NAME POSTFIX | Sets the postfix to be added to secure view names | "" | Any valid string |
| SECURE VIEW DATABASE NAME PREFIX | Sets the prefix to be added to secure view database names | "" | Any valid string |
| SECURE VIEW DATABASE NAME POSTFIX | Sets the postfix to be added to secure view database names | _secure | Any valid string |
| SECURE VIEW NAME REMOVE SUFFIX LIST | Sets the comma-separated list of suffixes to be removed from secure view names | "" | Any valid string |
| SECURE VIEW DATABASE NAME REMOVE SUFFIX LIST | Sets the comma-separated list of suffixes to be removed from secure view database names | "" | Any valid string |

Configuration

Note

Secure view is enabled by default in Databricks SQL.

Warning

  • Ensure that database prefixes and suffixes do not conflict with existing database names.
  • Use comma-separated values when specifying suffix lists.
  • Replace all example values with your actual configuration values.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml
    
  3. To enable secure views, set the following properties to true:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN: "true"
    

  4. Set default masked values:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE: "0"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE: "'<MASKED>'"
    

  5. Set view naming conventions (optional):

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX: "privacera-"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX: "-secure"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX: "privacera-"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX: "_secure"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST: "_dev,_test"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST: "_dev,_test"
    

  6. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
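
A pre-flight check for the warning above about conflicting database names, added here as an example and not part of Privacera's tooling. It assumes the secure database name is built by removing the first matching suffix in the remove list and then adding the prefix and postfix (the page does not state the exact rule); `parse_vars`, `secure_db_name`, `find_conflicts` and the database names are hypothetical.

```python
import re

# Key prefix from the page; the derivation rule further down is an assumption.
P = "CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_"
LINE = re.compile(r'^([A-Z0-9_]+):\s*"(.*)"\s*$')

# Constructed sample vars file; the last line has a doubled-colon typo.
SAMPLE_VARS = '''\
CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX: ""
CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX: "_secure"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST: : "_dev,_test"
'''

def parse_vars(text):
    """Return (settings, malformed_lines) for flat KEY: "value" lines."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            malformed.append(line)
    return settings, malformed

def secure_db_name(db, settings):
    """ASSUMED rule: drop the first matching listed suffix, then add prefix/postfix."""
    listed = settings.get(P + "REMOVE_SUFFIX_LIST", "").split(",")
    for suffix in (s.strip() for s in listed):
        if suffix and db.endswith(suffix) and len(db) > len(suffix):
            db = db[: -len(suffix)]
            break
    return settings.get(P + "PREFIX", "") + db + settings.get(P + "POSTFIX", "_secure")

def find_conflicts(databases, settings):
    """Return (source_db, secure_db, reason) for every naming conflict."""
    existing, seen, conflicts = set(databases), {}, []
    for db in sorted(existing):
        name = secure_db_name(db, settings)
        if name in existing:
            conflicts.append((db, name, "clashes with an existing database"))
        if name in seen:
            conflicts.append((db, name, "same secure name as " + seen[name]))
        seen.setdefault(name, db)
    return conflicts

if __name__ == "__main__":
    settings, malformed = parse_vars(SAMPLE_VARS)
    print("malformed lines:", malformed)
    print(find_conflicts(["hr", "hr_secure", "sales", "sales_dev"], settings))
```

A malformed line means the remove-suffix list is not read at all, so the derived names differ from what was intended; fix reported lines before running `./privacera-manager.sh setup`.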
    
  1. In the PrivaceraCloud portal, navigate to Settings > Applications.

  2. On the Connected Applications screen, select Databricks SQL.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. Under the ADVANCED tab, enable the following options to configure secure views:

    • Enforce masking policies using secure views: Enables enforcement of masking policies using secure views.
    • Enforce row filter policies using secure views: Enables enforcement of row filter policies using secure views.
    • Create secure view for all tables/views: Enables creation of secure views for all tables and views.
    • Enable dataadmin: Enables dataadmin to configure secure views.
  6. Set default values for masked columns:

    • Default masked value for numeric datatype columns: Default value is 0 for numeric datatype columns.
    • Default masked value for text/varchar/string datatype columns: Default value is '<MASKED>' for text/varchar/string datatype columns.
  7. Set view naming conventions (optional):

    • Secure view name prefix: Prefix for the secure view name.
    • Secure view name postfix: Postfix for the secure view name.
    • Secure view database name prefix: Prefix for the secure view database name.
    • Secure view database name postfix: Postfix for the secure view database name.
  8. Add the following properties under the Add New Custom Properties section:

    Bash
    ranger.policysync.connector.0.secure.view.name.remove.suffix.list=_temp,_staging
    ranger.policysync.connector.0.secure.view.database.name.remove.suffix.list=_test,_dev
    

  9. Click SAVE to apply the changes.