Policy Enforcement for folders in Dremio
Prerequisites:
In Dremio, when a parent folder is granted access, all its child folders and views automatically inherit those privileges. However, these inherited permissions will not be visible in the UI unless access is explicitly granted at the child level.
Handling folder structures:
Privacera treats each folder, subfolder, and view as an independent entity rather than as part of a parent-child hierarchy. This structure is reflected in the Service Explorer.
Recommendations for Managing Nested Folder Structures Efficiently:
If you need to deny access to multiple folders while allowing access to only a few, it is more efficient to create an include policy that explicitly lists the folders to be allowed. This approach simplifies policy management and ensures precise access control.
Case 1: Use Wildcards in Folder Policies to Control Access to Multiple Similarly Named Folders
When folders share a common prefix, you can simplify policy management by using wildcards. For example, to deny access to folders such as restricted, restricted1, restricted2, etc., under priv_folder, use the following pattern in your policy:
Policy:
- Space: priv_space
- Folder: priv_folder.restrict*, priv_folder
- Permission: Select
Case 2: Efficiently Manage Access by Excluding Specific Restricted Folders
When access needs to be granted to most folders but restricted for only a few, it's more efficient to use an exclude policy that explicitly lists the restricted folders. This approach simplifies access management by allowing broad access while precisely denying access to sensitive or restricted folders.
Policy:
- Space: priv_space
  Enable the include option
- Folder: priv_folder.restriced.sub_dir, priv_folder.restriced1
  Disable the include option
- Permission: Select
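
One way to preview which folders the Folder field in Case 1 and Case 2 would cover before saving a policy (an added example, not Privacera's code or its evaluation engine). It assumes each folder path is matched as an independent string, that `*` matches any run of characters including dots, and a constructed folder inventory; `covered` and `dead_patterns` are hypothetical helper names.

```python
from fnmatch import fnmatchcase

# Constructed inventory of folder paths inside priv_space (not a real deployment).
FOLDERS = [
    "priv_folder",
    "priv_folder.restricted",
    "priv_folder.restricted1",
    "priv_folder.restricted2",
    "priv_folder.restricted.sub_dir",
    "priv_folder.public",
    "priv_folder.public.reports",
]


def covered(folders, patterns, include=True):
    """Return the folders a policy's Folder field applies to.

    Assumed model: every folder path is an independent string, '*' matches
    any run of characters (dots included), and matching is case-sensitive.
    include=True  -> the policy applies to folders matching a pattern.
    include=False -> the policy applies to every folder matching none.
    """
    def hit(path):
        return any(fnmatchcase(path, p) for p in patterns)
    return [f for f in folders if hit(f) == include]


def dead_patterns(folders, patterns):
    """Patterns that match no known folder, e.g. a misspelled folder name.

    With the include option disabled, a dead pattern excludes nothing, so
    the folder it was meant to protect stays covered by the policy.
    """
    return [p for p in patterns
            if not any(fnmatchcase(f, p) for f in folders)]


if __name__ == "__main__":
    # Case 1 shape: wildcard pattern plus the parent folder listed on its own.
    print(covered(FOLDERS, ["priv_folder.restrict*", "priv_folder"]))
    # Case 2 shape: include disabled, so the listed folders are the exceptions.
    case2 = ["priv_folder.restricted.sub_dir", "priv_folder.restricted1"]
    print(covered(FOLDERS, case2, include=False))
    # Constructed misspelling: flagged because it matches nothing.
    print(dead_patterns(FOLDERS, ["priv_folder.restrcted1"] + case2))
```

In the Case 2 shape, `priv_folder.restricted` itself stays covered because only its `sub_dir` is listed, which is the practical consequence of folders being independent entities.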