Enable Secure View

Privacera supports Secure View for Databricks Unity Catalog, enabling the creation of views on top of existing tables while enforcing row-level security (RLS) and column-level masking policies.

For more information, refer to the About Secure Views section.

Configuration

Note

By default, native column masking and row filter policies are enabled. You must disable them to use Secure Views.

  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Databricks Unity Catalog.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the ADVANCED tab, enable the following options to configure secure views:

    • Enforce masking policies using secure views: Enables enforcement of masking policies using secure views.
    • Enforce row filter policies using secure views: Enables enforcement of row filter policies using secure views.
    • Create secure view for all tables/views: Enables creation of a secure view for all tables and views.
    • Enable dataadmin: Allows the dataadmin role to create secure views.
  5. Under the ADVANCED tab, ensure the following native options are disabled:

    • Enforce native column masking: Disable this option if you want to use Secure Views instead of native masking, which is enabled by default.
    • Enforce native row filter policies: Disable this option if you want to use Secure Views instead of native row-level filtering, which is enabled by default.
  6. To enable Secure Views for column-level access control, configure the following setting:

    • How column level access should be handled: Set this value to view. The default is native_masking.
  7. Set default values for masked columns:

    • Default masked defaultValue for numeric datatype columns: Default value is 0 for numeric datatype columns.
    • Default masked defaultValue for text/varchar/string datatype columns: Default value is <MASKED> for text/varchar/string datatype columns.
  8. Set view naming conventions (optional):

    • Secure view name prefix: Prefix for the secure view name.
    • Secure view name postfix: Postfix for the secure view name.
    • Secure view schema name prefix: Prefix for the secure view schema name.
    • Secure view schema name postfix: Postfix for the secure view schema name.
  9. Click SAVE to apply the changes.

Note

Secure view is enabled by default in the YAML configuration.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. To enable secure views, set the following properties to true:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_VIEW_BASED_MASKING: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_VIEW_BASED_ROW_FILTER: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_CREATE_FOR_ALL: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_DATA_ADMIN: "true"
    

  4. Set access control type:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_COLUMN_ACCESS_CONTROL_TYPE: "view"
    

  5. Set default masked values:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MASKED_NUMBER_VALUE: "<MASKED_NUMBER_VALUE>"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MASKED_TEXT_VALUE: "<MASKED_TEXT_VALUE>"
    

  6. Set view naming conventions (optional):

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_NAME_PREFIX: "<SECURE_VIEW_NAME_PREFIX>"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_NAME_POSTFIX: "<SECURE_VIEW_NAME_POSTFIX>"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_SCHEMA_NAME_PREFIX: "<SECURE_VIEW_SCHEMA_NAME_PREFIX>"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_SCHEMA_NAME_POSTFIX: "<SECURE_VIEW_SCHEMA_NAME_POSTFIX>"
    

  7. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
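
Before running the update commands in step 7, the edited vars file can be checked against the values given in steps 3 to 6. The script below is an added example, not part of Privacera's tooling: the function names and the sample file are constructed. It assumes flat `KEY: "value"` lines and treats an unset property as a finding so that the file states the intended values explicitly.

```bash
# Added example (not Privacera tooling): lint a connector vars file for the
# Secure View properties on this page. Function names are hypothetical.
P=CONNECTOR_DATABRICKS_UNITY_CATALOG

# Print the value of a flat `KEY: "value"` line; the last occurrence wins.
get_var() {  # $1 = file, $2 = key
  awk -v k="$2" -F': *' '$1 ~ ("^[ \t]*" k "$") { v = $2 }
    END { gsub(/^"|"[ \t]*$/, "", v); print v }' "$1"
}

# Print one line per finding and return the number of findings.
check_secure_view_vars() {  # $1 = vars file
  local f="$1" n=0 key val
  for key in ENABLE_VIEW_BASED_MASKING ENABLE_VIEW_BASED_ROW_FILTER \
             SECURE_VIEW_CREATE_FOR_ALL ENABLE_DATA_ADMIN; do
    val=$(get_var "$f" "${P}_${key}")
    if [ "$val" != "true" ]; then
      echo "FAIL ${key} is '${val:-unset}', expected 'true'"; n=$((n + 1))
    fi
  done
  val=$(get_var "$f" "${P}_COLUMN_ACCESS_CONTROL_TYPE")
  if [ "$val" != "view" ]; then
    echo "FAIL COLUMN_ACCESS_CONTROL_TYPE is '${val:-unset}', expected 'view'"; n=$((n + 1))
  fi
  # Flag template placeholders that were copied but never replaced.
  for key in MASKED_NUMBER_VALUE MASKED_TEXT_VALUE SECURE_VIEW_NAME_PREFIX \
             SECURE_VIEW_NAME_POSTFIX SECURE_VIEW_SCHEMA_NAME_PREFIX \
             SECURE_VIEW_SCHEMA_NAME_POSTFIX; do
    val=$(get_var "$f" "${P}_${key}")
    if [ "$val" = "<${key}>" ]; then
      echo "FAIL ${key} still holds its template placeholder"; n=$((n + 1))
    fi
  done
  return "$n"
}

# Constructed sample: row filter off, access type not "view", placeholder left in.
sample=$(mktemp)
cat > "$sample" <<EOF
${P}_ENABLE_VIEW_BASED_MASKING: "true"
${P}_ENABLE_VIEW_BASED_ROW_FILTER: "false"
${P}_SECURE_VIEW_CREATE_FOR_ALL: "true"
${P}_ENABLE_DATA_ADMIN: "true"
${P}_COLUMN_ACCESS_CONTROL_TYPE: "native_masking"
${P}_MASKED_NUMBER_VALUE: "0"
${P}_MASKED_TEXT_VALUE: "<MASKED_TEXT_VALUE>"
EOF
check_secure_view_vars "$sample" || echo "$? finding(s) in $sample"
```

To check a real connector, pass the path of the file edited in step 2 to `check_secure_view_vars`.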
    
