Users, Groups, and Roles Management¶
This section explains how to manage access control policies for users, groups, and roles in Databricks SQL.
Privacera's Databricks SQL connector allows you to control which users, groups, and roles are managed within Databricks SQL. You can do this by explicitly specifying which entities the connector should manage or ignore.
This section provides guidance on how to configure the connector to manage these entities.
Managing Users, Groups, and Roles¶
These properties control whether users, groups, and roles fetched from Ranger are managed in Databricks SQL. When enabled, Privacera can create, update, and delete these entities within Databricks SQL.
- Manage Users, Groups, and Roles: Specifies whether the Privacera SQL connector should manage users, groups, and roles in Databricks SQL.
  - When enabled (true), the connector automatically manages the creation, update, and deletion of principals.
  - It also grants and revokes privileges based on policies retrieved from Ranger.
  - This setting is enabled by default to support automated access and identity management.
- Filter Specific Users, Groups, and Roles: Use these properties to selectively manage specific identities (users, groups, and roles) in Databricks SQL.
  - Provide a comma-separated list of exact names or wildcard prefixes (e.g., group_prefix*, role_prefix*) to target specific principals.
  - To manage all principals, leave the property empty or set it to *.
These filter properties only apply if general management is enabled:
- Self Managed (YAML Configuration) deployments:
  - CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USERS
  - CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS
  - CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES
- PrivaceraCloud deployments: enable the following in the Access Management → ADVANCED tab of the Databricks SQL application:
  - Manage users from portal
  - Manage groups from portal
  - Manage roles from portal
- Ignore Specific Identities:
  - Use this property to exclude specific users, groups, or roles from being managed by the Privacera Databricks SQL connector.
  - Ignored identities take precedence over any identities specified for inclusion or management.
- User Filtering Based on Groups or Roles:
  - This option allows you to restrict user management by the connector based on group or role membership.
  - Only users who belong to the specified groups or roles will be considered for management.
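The following Python model shows how the include lists, ignore lists, and group-based user filtering described above combine: wildcard prefixes match by prefix, an empty list or * means everything, and an ignored identity is always dropped even when it is also included. This is an added example, not Privacera connector code; the function names and the Ranger users, groups, and memberships are constructed for illustration.

```python
# Added example (not Privacera connector code): a model of how the include,
# ignore and group-membership filters in this section combine to decide which
# principals the connector would manage. Function names and the sample
# users/groups/memberships below are constructed for illustration.
from typing import Dict, Iterable, List, Set


def parse_list(value: str) -> List[str]:
    """Split a comma-separated property value; blank entries are dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def name_matches(name: str, patterns: Iterable[str]) -> bool:
    """True if name equals an entry or starts with a wildcard prefix such as group_prefix*."""
    for pattern in patterns:
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def select_principals(candidates: Iterable[str], include: str, ignore: str) -> Set[str]:
    """Apply the include list (empty or '*' means all), then the ignore list, which always wins."""
    include_patterns = parse_list(include)
    ignore_patterns = parse_list(ignore)
    selected: Set[str] = set()
    for name in candidates:
        if include_patterns and not name_matches(name, include_patterns):
            continue
        if name_matches(name, ignore_patterns):
            continue
        selected.add(name)
    return selected


def select_users(
    users: Iterable[str],
    user_include: str,
    user_ignore: str,
    managed_groups: Set[str],
    group_members: Dict[str, Set[str]],
    only_users_from_managed_groups: bool,
) -> Set[str]:
    """Apply the user include/ignore filters, then optionally keep only members of managed groups."""
    selected = select_principals(users, user_include, user_ignore)
    if not only_users_from_managed_groups:
        return selected
    members_of_managed: Set[str] = set()
    for group in managed_groups:
        members_of_managed |= group_members.get(group, set())
    return selected & members_of_managed


# Constructed sample data standing in for what would be fetched from Ranger.
RANGER_USERS = ["john", "alice", "bob", "svc_etl"]
RANGER_GROUPS = ["group_finance", "group_hr", "admins", "group_hr_temp"]
GROUP_MEMBERS = {
    "group_finance": {"john", "alice"},
    "group_hr": {"bob"},
    "admins": {"svc_etl"},
}


def demo_groups() -> Set[str]:
    # Include every group_ prefixed group; the ignore list still removes group_hr_temp.
    return select_principals(RANGER_GROUPS, "group_*", "group_hr_temp")


def demo_users() -> Set[str]:
    # All users included ("*"), svc_etl ignored, and only members of managed groups kept.
    return select_users(RANGER_USERS, "*", "svc_etl", demo_groups(), GROUP_MEMBERS, True)


if __name__ == "__main__":
    print(sorted(demo_groups()))  # ['group_finance', 'group_hr']
    print(sorted(demo_users()))   # ['alice', 'bob', 'john']
```

The ignore list is checked after the include list on purpose: that ordering is what gives ignored identities precedence, so a service account listed under both "to set access control policies" and "to be ignored" is never provisioned.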
- SSH to the instance where Privacera Manager is installed.
- Run the following command to open the .yml file to be edited. If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
- Set the following properties:
- If you want to manage only specific users, groups, and roles, specify them in the corresponding properties below.
- To exclude specific users, groups, and roles from Databricks SQL, set the following properties.
- To further filter users based on the groups and roles they belong to, use the following properties:
- Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
  - Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.
  - Step 2 - Apply the Privacera Manager helm charts.
  - Step 3 - Post-installation step, which generates the plugin tar ball, updates Route 53 DNS, and so on.
- In PrivaceraCloud portal, navigate to Settings -> Applications.
- On the Connected Applications screen, select Databricks SQL.
- Click on the icon or the Account Name to modify the settings.
- On the Edit Application screen, go to Access Management -> ADVANCED tab.
- Enable the following options:
  - Manage users from portal
  - Manage groups from portal
  - Manage roles from portal
- For including specific users, groups, and roles, enter the values in:
  - Users to set access control policies: user1,user2
  - Groups to set access control policies: group1,group2,group_prefix*
  - Roles to set access control policies: role1,role2,role_prefix*
- For excluding specific users, groups, and roles:
  - Users to be ignored by access control policies: user_a,user_b
  - Groups to be ignored by access control policies: group_a,group_b,group_prefix*
  - Roles to be ignored by access control policies: role_a,role_b,role_prefix*
- Additional filtering options:
  - Set access control policies only on the users from managed groups: Enable if you want to manage only users who belong to the groups defined in Groups to set access control policies.
  - Set access control policies only on the users/groups from managed roles: Enable if you want to manage only users who belong to the roles defined in Roles to set access control policies.
- Click SAVE to apply the changes.
Name Replacement for Users, Groups, and Roles¶
Replace Name from Regex¶
- This property allows you to find and replace specific characters in user, group, or role names using a regular expression (regex). If left blank, no replacement is performed.
- Default value: the default regex matches special characters such as spaces, punctuation, and symbols, ensuring that user, group, and role names comply with Databricks SQL naming conventions.
- SSH to the instance where Privacera Manager is installed.
- Run the following command to open the .yml file to be edited. If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
- Set the following properties:
- Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
  - Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.
  - Step 2 - Apply the Privacera Manager helm charts.
  - Step 3 - Post-installation step, which generates the plugin tar ball, updates Route 53 DNS, and so on.
- In PrivaceraCloud portal, navigate to Settings -> Applications.
- On the Connected Applications screen, select Databricks SQL.
- Click on the icon or the Account Name to modify the settings.
- On the Edit Application screen, go to Access Management -> ADVANCED tab.
- Enter the values in the following fields:
  - Regex to find special characters in user names: Enter a regex pattern to identify special characters in user names. These characters will be replaced based on the value specified in the String to replace with the special characters found in user names field.
  - Regex to find special characters in group names: Enter a regex pattern to identify special characters in group names. These characters will be replaced based on the value specified in the String to replace with the special characters found in group names field.
  - Regex to find special characters in role names: Enter a regex pattern to identify special characters in role names. These characters will be replaced based on the value specified in the String to replace with the special characters found in role names field.
- Click SAVE to apply the changes.
Replace to String¶
This property specifies the replacement characters for the regex matches. If left blank, no find and replace operation is performed. The default value is _.
- SSH to the instance where Privacera Manager is installed.
- Run the following command to open the .yml file to be edited. If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
- Set the following properties:
- Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
  - Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.
  - Step 2 - Apply the Privacera Manager helm charts.
  - Step 3 - Post-installation step, which generates the plugin tar ball, updates Route 53 DNS, and so on.
- In PrivaceraCloud portal, navigate to Settings -> Applications.
- On the Connected Applications screen, select Databricks SQL.
- Click on the icon or the Account Name to modify the settings.
- On the Edit Application screen, go to Access Management -> ADVANCED tab.
- Enter the values in the following fields:
  - String to replace with the special characters found in user names: String used to replace the characters found by the regex specified in Regex to find special characters in user names.
  - String to replace with the special characters found in group names: String used to replace the characters found by the regex specified in Regex to find special characters in group names.
  - String to replace with the special characters found in role names: String used to replace the characters found by the regex specified in Regex to find special characters in role names.
- Click SAVE to apply the changes.
Examples: Regex-Based Name Replacement¶
The following examples demonstrate how regex-based name replacement works for users, groups, and roles. These examples help clarify how names are transformed when they match the defined regex patterns.
Note
- Names that do not match the regex remain unchanged.
- You can modify the regex and replacement string to match your organization's naming conventions.
User Name Replacement Examples¶
Suppose you configure the following:
This configuration replaces any special character or space in a username with an underscore (_).

| Original User Name | Result After Replacement | Explanation |
|---|---|---|
| john.doe | john_doe | . replaced with _ |
| alice smith | alice_smith | Space replaced with _ |
| bob@company | bob_company | @ replaced with _ |
| charlie | charlie | No match, remains unchanged |
Group Name Replacement Examples¶
If you configure the following:
This replaces any group name that starts with group- with Team_ followed by the rest of the name.

| Original Group Name | Result After Replacement | Explanation |
|---|---|---|
| group-analytics | Team_analytics | group- replaced with Team_ |
| admins | admins | No group- prefix, remains unchanged |
| group-123 | Team_123 | group- replaced with Team_ |
Role Name Replacement Examples¶
If you configure the following:
This replaces any role name that starts with role_ by substituting the prefix with Role.

| Original Role Name | Result After Replacement | Explanation |
|---|---|---|
| role_data | Roledata | Replaces role_ prefix with Role |
| user | user | No role_ prefix, remains unchanged |
| role123 | role123 | No underscore after role, remains unchanged |
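The three tables above can be reproduced with a plain regex find-and-replace, and doing so also exposes the one caveat the examples do not spell out: two distinct Ranger names can map to the same Databricks SQL name after replacement (for instance john.doe and john_doe both become john_doe), which would let one principal inherit another's privileges. The Python below is an added example, not Privacera connector code; the regex patterns ([^A-Za-z0-9_], ^group-, ^role_) are assumptions chosen to reproduce the tables, since the page does not show the configured YAML values, and the collision check is an addition rather than a documented connector feature.

```python
# Added example (not Privacera connector code): applies regex-based name
# replacement as described in this section and flags names that collide after
# replacement. The regex/replacement pairs are assumptions that reproduce the
# example tables; the page does not show the actual configured values.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed rules keyed by principal type: (regex, replacement string).
RULES: Dict[str, Tuple[str, str]] = {
    "user": (r"[^A-Za-z0-9_]", "_"),   # any special character or space -> _
    "group": (r"^group-", "Team_"),    # group- prefix -> Team_
    "role": (r"^role_", "Role"),       # role_ prefix -> Role
}


def replace_name(name: str, regex: str, replacement: str) -> str:
    """Replace every regex match in name; a blank regex or replacement means no operation."""
    if not regex or not replacement:
        return name
    return re.sub(regex, replacement, name)


def normalize(kind: str, name: str) -> str:
    """Apply the assumed rule for the given principal type (user, group, or role)."""
    regex, replacement = RULES[kind]
    return replace_name(name, regex, replacement)


def find_collisions(kind: str, names: Iterable[str]) -> Dict[str, List[str]]:
    """Return post-replacement names that more than one input maps to, with those inputs."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        buckets[normalize(kind, name)].append(name)
    return {target: sources for target, sources in buckets.items() if len(sources) > 1}


def demo() -> Dict[str, Dict[str, str]]:
    """Run the rules over the names used in the section's example tables (constructed input)."""
    samples = {
        "user": ["john.doe", "alice smith", "bob@company", "charlie"],
        "group": ["group-analytics", "admins", "group-123"],
        "role": ["role_data", "user", "role123"],
    }
    return {kind: {n: normalize(kind, n) for n in names} for kind, names in samples.items()}


if __name__ == "__main__":
    for kind, mapping in demo().items():
        for original, result in mapping.items():
            print(f"{kind:5} {original:16} -> {result}")
    # Constructed input showing two Ranger users that alias to one Databricks SQL name.
    print(find_collisions("user", ["john.doe", "john_doe", "jane"]))
```

Running find_collisions over the full user list from Ranger before enabling the connector is a cheap way to confirm that a loose regex does not merge two identities into one account.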