
Users, Groups, and Roles Management

This section is about managing access control policies for users, groups, and roles in the Databricks Unity Catalog.

Privacera's Databricks Unity Catalog connector provides an option to limit the users, groups, and roles that it manages in the Databricks Unity Catalog. This is achieved by specifying the users, groups, and roles that the connector should manage or ignore. If a name appears in both lists, the ignore list takes precedence over the manage list.

This section provides details on how to configure the connector to manage them.

It is recommended to exclude admins from being managed by the connector and instead manage them manually in the Databricks Unity Catalog.

Setup

The following properties define comma-separated lists of users, groups, and roles to be managed by PolicySync. Wildcards (*) are supported to match multiple resources.

  1. User: user1,user2,dev_user*
  2. Group: group1,group2,dev_group*
  3. Role: role1,role2,dev_role*

Replace the example values with your actual user, group, and role names.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. If you want to manage only specific users, groups, and roles, specify them in the respective lists. Leave a value empty, or set it to *, to manage all users, groups, or roles of that kind.

    Bash
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_LIST: "user1, user2"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUP_LIST: "group1, group2, group_prefix*"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_ROLE_LIST: "role1, role2, role_prefix*"
    
  4. To exclude specific users, groups, and roles from being managed in the Databricks Unity Catalog, set the following properties.

    Bash
    CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_USER_LIST: "user_a, user_b"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_GROUP_LIST: "group_a, group_b, group_prefix*"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_ROLE_LIST: "role_a, role_b, role_prefix*"
    
  5. You can further limit the users based on the groups and roles they belong to by setting the following properties to true.

    Bash
    # Enable to manage only users belonging to the specified groups in the managed groups list.
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_FILTERBY_GROUP: "false"
    
    # Enable to manage only users belonging to the specified roles in the managed roles list.
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_FILTERBY_ROLE: "false"
    
  6. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. To include specific users, groups, and roles in the Databricks Unity Catalog, enter the values in the following fields:

    • Users to set access control policies: user1, user2
    • Groups to set access control policies: group1, group2, group_prefix*
    • Roles to set access control policies: role1, role2, role_prefix*
  6. To exclude specific users, groups, and roles from the Databricks Unity Catalog, enter the values in the following fields:

    • Users to ignore while setting access control policies: user_a, user_b
    • Groups to ignore while setting access control policies: group_a, group_b, group_prefix*
    • Roles to ignore while setting access control policies: role_a, role_b, role_prefix*
  7. You can further limit the users based on the groups and roles they belong to by enabling the following options:

    • Set access control policies only on the users from managed groups: Enable if you want to manage only users who belong to the groups defined in Groups to set access control policies.
    • Set access control policies only on the users/groups from managed roles: Enable if you want to manage only users who belong to the roles defined in Roles to set access control policies.
  8. Click SAVE to apply the changes.
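The manage/ignore rules the properties and portal fields above describe (wildcard matching, ignore-list precedence, an empty value or * meaning manage all, and the filter-by-group/role options), worked through as an added Python example that is not Privacera's code. It assumes wildcards behave like shell globs (fnmatch); the configuration and the user/group/role data are constructed here.

```python
import fnmatch

P = "CONNECTOR_DATABRICKS_UNITY_CATALOG_"  # property-name prefix used on this page

def _matches(name, csv_patterns):
    """True if name matches any entry of a comma-separated list (assumed glob semantics)."""
    for pat in (p.strip() for p in csv_patterns.split(",")):
        if pat and fnmatch.fnmatchcase(name, pat):
            return True
    return False

def is_managed(name, kind, cfg):
    """kind is USER, GROUP or ROLE. The ignore list wins over the manage list;
    an empty (or unset) manage list means everything is managed."""
    if _matches(name, cfg.get(P + f"IGNORE_{kind}_LIST", "")):
        return False
    manage = cfg.get(P + f"MANAGE_{kind}_LIST", "")
    return not manage.strip() or _matches(name, manage)

def managed_users(users, cfg):
    """users: (name, groups, roles) tuples. Applies the user lists, then the optional
    FILTERBY_GROUP / FILTERBY_ROLE requirement of belonging to a managed group/role."""
    kept = []
    for user, groups, roles in users:
        if not is_managed(user, "USER", cfg):
            continue
        if cfg.get(P + "MANAGE_USER_FILTERBY_GROUP") == "true" and not any(is_managed(g, "GROUP", cfg) for g in groups):
            continue
        if cfg.get(P + "MANAGE_USER_FILTERBY_ROLE") == "true" and not any(is_managed(r, "ROLE", cfg) for r in roles):
            continue
        kept.append(user)
    return kept

# Constructed sample configuration and directory data (not from the page).
CONFIG = {
    P + "MANAGE_USER_LIST": "user1, user2, dev_user*",
    P + "IGNORE_USER_LIST": "dev_user_admin",   # ignored even though dev_user* matches it
    P + "MANAGE_GROUP_LIST": "dev_group*",
    P + "MANAGE_ROLE_LIST": "*",
    P + "MANAGE_USER_FILTERBY_GROUP": "true",
    P + "MANAGE_USER_FILTERBY_ROLE": "false",
}
USERS = [
    ("user1", ["dev_group_a"], []),
    ("user2", ["finance"], []),              # listed, but not in any managed group
    ("dev_user_7", ["dev_group_b"], ["role1"]),
    ("dev_user_admin", ["dev_group_a"], []),
    ("admin", ["dev_group_a"], []),          # not in the manage list: left to manual admin
]
```

Calling managed_users(USERS, CONFIG) returns only user1 and dev_user_7: user2 fails the group filter, dev_user_admin is on the ignore list, and admin is never in the manage list.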

Managing Users, Groups, and Roles

These properties control whether users, groups and roles fetched from Ranger should be managed in Databricks Unity Catalog. By enabling these properties, Privacera can manage users, groups, and roles in Unity Catalog, including creation, updates, and deletions. Default value is true.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties:

    Bash
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USERS: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUPS: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_ROLES: "true"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enable the following options:

    • Manage users from portal
    • Manage groups from portal
    • Manage roles from portal
  6. Click SAVE to apply the changes.

Name Replacement for Users, Groups, and Roles

Replace Name from Regex

  • This property allows you to find and replace specific characters in user, group, or role names using a regular expression (regex). If left blank, no replacement is performed.
  • Default value (as quoted in the YAML value below):
    Text Only
    [~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]
    
    This regex matches special characters such as spaces, punctuation, and symbols, ensuring that user, group, and role names comply with Databricks Unity Catalog naming conventions.
  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties:

    Bash
    CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enter the values in the following fields:

    • Regex to find special characters in user names: Enter a regex pattern to identify special characters in user names. These characters will be replaced based on the value specified in the String to replace with the special characters found in user names field.
    • Regex to find special characters in group names: Enter a regex pattern to identify special characters in group names. These characters will be replaced based on the value specified in the String to replace with the special characters found in group names field.
    • Regex to find special characters in role names: Enter a regex pattern to identify special characters in role names. These characters will be replaced based on the value specified in the String to replace with the special characters found in role names field.
  6. Click SAVE to apply the changes.

Replace to String

This property specifies the replacement characters for the regex matches. If left blank, no find and replace operation is performed. Default value is _.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties:

    Bash
    CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_REPLACE_TO_STRING: "_"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_REPLACE_TO_STRING: "_"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_REPLACE_TO_STRING: "_"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Enter the values in the following fields:

    • String to replace with the special characters found in user names: String used to replace the characters found by the regex specified in Regex to find special characters in user names.
    • String to replace with the special characters found in group names: String used to replace the characters found by the regex specified in Regex to find special characters in group names.
    • String to replace with the special characters found in role names: String used to replace the characters found by the regex specified in Regex to find special characters in role names.
  6. Click SAVE to apply the changes.
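The default Replace From Regex and Replace To String described in the two sections above, applied in Python as an added example that is not Privacera's code. The sample names are constructed here, and the collision check is an added sanity check for operators, not something the page says the connector performs.

```python
import re

# The page's default regex as a Python raw string. In the double-quoted YAML value
# the backslashes are doubled; YAML unescapes them to exactly this pattern.
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.\s^*()_%\[\]!\-\/\\{}]"
DEFAULT_REPLACE_TO_STRING = "_"

def replace_name(name, from_regex=DEFAULT_REPLACE_FROM_REGEX, to_string=DEFAULT_REPLACE_TO_STRING):
    """Find-and-replace as the page describes it: a blank regex or a blank
    replacement string means no substitution is performed."""
    if not from_regex or not to_string:
        return name
    return re.sub(from_regex, to_string, name)

def find_collisions(names, from_regex=DEFAULT_REPLACE_FROM_REGEX, to_string=DEFAULT_REPLACE_TO_STRING):
    """Added check (not connector behaviour): source names that become identical after
    replacement, so two distinct Ranger principals would share one Unity Catalog name
    and therefore one set of grants. Returns {target_name: [source names]}."""
    targets = {}
    for n in names:
        targets.setdefault(replace_name(n, from_regex, to_string), []).append(n)
    return {t: srcs for t, srcs in targets.items() if len(srcs) > 1}

# Constructed sample names (not from the page).
SAMPLE_NAMES = [
    "john.doe@example.com",
    "john-doe@example.com",   # collides with the name above after replacement
    "data team (eu)",
    "finance-readonly",
]
```

Running find_collisions(SAMPLE_NAMES) with the defaults reports that both john.doe@example.com and john-doe@example.com map to john_doe_example_com, which is worth checking before enabling user management.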
