Skip to content

Access Management for Domain-Level Tag Based Masking

In BigQuery, domain-level access refers to granting permissions across all users within a specific Google Workspace domain (e.g., example.com). This allows administrators to manage access control at an domain level rather than assigning permissions individually.
If tag masking is applied to a Public Group on a Column Tag, all users within the associated domain will see the masked data.

If CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME property is set, the Public Group on privacera portal acts as a domain in native tag based masking, applying tag masking to all users within that domain.

To view unmasked data: - Users need an explicit tag access policy to see unmasked values. - Without proper access, the column remains masked in SELECT queries.

Example domains

  • googlegroups.com
  • yourcompany.com
  • gappsdomain.google.com
  • cloud.google.com

Configure Domain Name for Tag-Based Masking

Note

The values shown below are for example purposes only. Be sure to replace them with your actual configuration values.

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, add the following property under Add New Custom Properties:

    YAML
    1
    ranger.policysync.connector.0.native.public.group.masking.identity.name=<domain_name>

  5. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml

  3. Add or modify the following properties:

    YAML
    1
    CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME: "<domain_name>"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Add the following property in Add New Custom Properties under the ADVANCED tab.

    YAML
    1
    ranger.policysync.connector.0.native.public.group.masking.identity.name=<domain_name>

  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Comments