
Access Management for Domain-Level Tag Based Masking

In BigQuery, domain-level access refers to granting permissions to all users within a specific Google Workspace domain (e.g., example.com). This allows administrators to manage access control at the domain level rather than assigning permissions to users individually.

In Privacera you can grant access to everyone by giving permission to a special group called public. For GCP, this public group maps to the domain. You can customize the domain name by following the instructions in this section.

If tag masking is applied to a Public Group on a Column Tag, all users within the associated domain will see the masked data.

If the CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME property is set, the Public Group in the Privacera portal acts as that domain in native tag-based masking, so tag masking applies to all users within the domain.

To view unmasked data:

  • Users need an explicit tag access policy to see unmasked values.
  • Without such access, the column remains masked in SELECT queries.

Example domains

  • googlegroups.com
  • yourcompany.com
  • gappsdomain.google.com
  • cloud.google.com

Configure Domain Name for Tag-Based Masking

Note

The values shown below are for example purposes only. Be sure to replace them with your actual configuration values.

Self-Managed Portal

  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the Basic tab, update the Native public group identity name value with your domain, such as your-domain.

  5. Click SAVE to apply the changes.

Privacera Manager

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml
    
  3. Add or modify the following properties:

    YAML
    CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME: "<domain_name>"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
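The edit in step 3 is a one-line change to the connector vars file, but it is easy to end up with the property duplicated or still carrying the "<domain_name>" placeholder. The following POSIX shell functions are an added example, not part of Privacera Manager or this documentation: they set CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME in a given vars file (replacing the existing line if present, appending it otherwise), reject a value that does not look like a domain, and read the configured value back. The file path and domain are passed in as arguments; the property name is the one from the step above.

```shell
#!/bin/sh
# Added example (not Privacera's own tooling): upsert the public-group domain
# property in a BigQuery connector vars file and read it back.

# Property name as documented in the configuration step above.
KEY=CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME

# valid_domain DOMAIN
# Accepts dot-separated labels of letters, digits and hyphens with an
# alphabetic top-level label; rejects placeholders such as "<domain_name>".
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# set_public_group_domain FILE DOMAIN
# Replaces an existing KEY line or appends one, leaving other properties intact.
set_public_group_domain() {
  file=$1
  domain=$2
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  if grep -q "^${KEY}:" "$file"; then
    tmp="${file}.tmp.$$"
    # Domain characters are limited by valid_domain, so they are safe inside sed.
    sed "s|^${KEY}:.*|${KEY}: \"${domain}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s: "%s"\n' "$KEY" "$domain" >> "$file"
  fi
}

# get_public_group_domain FILE
# Prints the configured domain without surrounding quotes or spaces.
get_public_group_domain() {
  grep "^${KEY}:" "$1" | head -n 1 | cut -d: -f2- | tr -d ' "'
}

# Usage: sh set_domain.sh ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml yourcompany.com
if [ "$#" -eq 2 ]; then
  set_public_group_domain "$1" "$2" && echo "configured: $(get_public_group_domain "$1")"
fi
```

After running it, the setup, upgrade and post-install commands from step 4 still have to be run for the connector to pick up the new value.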
PrivaceraCloud

  1. In PrivaceraCloud, go to Settings > Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the Basic tab, update the Native public group identity name value with your domain, such as your-domain.

  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. You can then hover over the VIEW LOGS button to check its status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications and select the BigQuery connector application.

  2. Edit the application, disable it, and save it.

  3. Open the same application again, enable it, and save it.
