Access Management for Domain-Level Tag Based Masking¶
In BigQuery, domain-level access refers to granting permissions across all users within a specific Google Workspace domain (e.g., example.com). This allows administrators to manage access control at an domain level rather than assigning permissions individually.
If tag masking is applied to a Public Group
on a Column Tag, all users within the associated domain will see the masked data.
If CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME
property is set, the Public Group
on privacera portal
acts as a domain in native tag based masking
, applying tag masking to all users within that domain.
To view unmasked data: - Users need an explicit tag access policy to see unmasked values. - Without proper access, the column remains masked in SELECT queries.
Example domains
googlegroups.com
yourcompany.com
gappsdomain.google.com
cloud.google.com
Configure Domain Name for Tag-Based Masking¶
Note
The values shown below are for example purposes only. Be sure to replace them with your actual configuration values.
-
Navigate to Settings → Applications in the Self-Managed Portal.
-
Select BigQuery from the list of Connected Applications.
-
Click on the application name or the icon, then click on Access Management.
-
Under the ADVANCED tab, add the following property under
Add New Custom Properties
:YAML -
Click SAVE to apply the changes.
-
SSH to the instance where Privacera Manager is installed.
-
Run the following command to open the
.yml
file to be edited.If you have multiple connectors, then replace
instance1
with the appropriate connector instance name.Bash -
Add or modify the following properties:
YAML -
Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Step 2 - Apply the Privacera Manager helm charts. Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.
-
In PrivaceraCloud, go to Settings -> Applications.
-
Select BigQuery from the list of Connected Applications.
-
Click on the application name or the icon, then click on Access Management.
-
Add the following property in
Add New Custom Properties
under the ADVANCED tab.YAML -
Click SAVE.
-
Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.
Note
Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.
Restart the BigQuery Connector:
-
Go to Settings > Applications > select the BigQuery connector application .
-
Edit the application > Disable it > and Save it.
-
Open the same application again and then: Enable it and Save it.
- Prev topic: Advanced Configuration