Skip to content

Users, Groups, and Roles Management

This section explains how to configure filters for specific users, groups, and roles in Privacera. These filters allow administrators to control which identities are included in policy synchronization and access evaluations for BigQuery.

Privacera's BigQuery connector allows you to explicitly manage or ignore specific users, groups, and roles. This feature is useful for restricting access management to only the relevant identities. If the same identity appears in both the manage and ignore lists, the ignore list takes precedence.

Prerequisites

  1. You have successfully installed Privacera Manager and have the base installation operational.
  2. You have configured the connector for BigQuery or are in the process of doing so.

Configuration Steps

The following properties define comma-separated lists of users, groups, and roles to be managed by PolicySync. Wildcards (*) are supported to match multiple resources. If you want to manage all users, groups, and roles you can omit specifying these properties.

  1. User: user1,user2,dev_user*
  2. Group: group1,group2,dev_group*
  3. Role: domain:<your-domain>

Warning

  • Roles are not natively supported in BigQuery. However, Privacera allows using a domain-style string such as domain:globaltenet.com to represent a role.
  • Roles must be created manually on the Privacera Portal.
  • Ensure that the value used for roles does not conflict with the value set in the property: ranger.policysync.connector.0.native.public.group.identity.name. The same value must not be used for both.

Note

  • Replace the example values with your actual user, group, and role names.
  • For instructions on creating a custom group in Google Cloud, refer to this guide.
  • The Google Group must be added in the portal using the following format:
    Example – Name: connectorDev@googlegroups.com

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access ManagementADVANCED tab.

  4. If you want to manage only specific users, and groups, specify them in the respective lists. Leave the values empty or put *, to manage all users, and groups.

    • Users to manage access control policies : user1
    • Groups to manage access control policies : group1

  5. To exclude specific users, and groups from the BigQuery, set the following properties.

    • Users to be ignored by access control policies : test_user1
    • Groups to be ignored by access control policies : test_group1

  6. Enable Set access control policies only on the users from managed groups if you want to manage only the users that are members of groups specified by Groups to manage access control policies. Default value is false.

  7. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml

  3. Add or modify the following properties:

    YAML
    1
2
3
4
5
6
7
    CONNECTOR_BIGQUERY_MANAGE_USER_LIST: "privacera_user1, privacera_user2"
CONNECTOR_BIGQUERY_MANAGE_GROUP_LIST: "privacera_group1, privacera_test_group_*"
CONNECTOR_BIGQUERY_MANAGE_ROLE_LIST: "privacera_role1, privacera_test_role_*"

CONNECTOR_BIGQUERY_IGNORE_USER_LIST: "test_user1"
CONNECTOR_BIGQUERY_IGNORE_GROUP_LIST: "test_group1"
CONNECTOR_BIGQUERY_IGNORE_ROLE_LIST: "test_role1"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Users to Set Access Control Policies : user1
    • Groups to Set Access Control Policies : group1
    • Users to be Ignored by Access Control Policies : test_user1
    • Groups to be Ignored by Access Control Policies : test_group1
    • Set Access Control Policies Only on Users from Managed Groups : Enable to specify whether to manage only the users that are members of groups specified by Groups to set access control policies. Default value is false.

  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Principal Name Case Sensitivity

BigQuery principal names (users and groups) may-be case-sensitive. Privacera provides configuration options to control how principal names are persisted in the system.

Property Details

Property PM Variable Description Default Value Supported Values
ranger.policysync.connector.0.user.name.persist.case.sensitivity CONNECTOR_BIGQUERY_USER_NAME_PERSIST_CASE_SENSITIVITY Controls whether user names are stored with their exact case from BigQuery true true, false
ranger.policysync.connector.0.group.name.persist.case.sensitivity CONNECTOR_BIGQUERY_GROUP_NAME_PERSIST_CASE_SENSITIVITY Controls whether group names are stored with their exact case from BigQuery true true, false

Behavior Explained

When true (Recommended):

  • Principal names are stored exactly as they appear in BigQuery
  • Preserves camelCase, UPPERCASE, lowercase, and mixed case formatting
  • Example: If BigQuery has DevTeam@example.com, it's stored as DevTeam@example.com in Privacera
  • Action Required: Create principals on the Privacera Portal with the exact same case as they appear in BigQuery

When false (Not Recommended):

  • All principal names are converted to lowercase before storage
  • Example: DevTeam@example.com becomes devteam@example.com
  • May cause the connector to behave incorrectly as BigQuery uses case-sensitive matching
  • Not recommended for production use

Default Behavior (Recommended)

By default, both properties are set to true, which means Privacera preserves the exact case of principal names as they appear in BigQuery. This is the recommended configuration to ensure accurate access control.

Important: Create Exact Principal Names

Since the default value is true, you must create users and groups on the Privacera Portal with the exact same case as they appear in BigQuery. This includes:

  • Maintaining camelCase (e.g., DevTeam)
  • Preserving UPPERCASE (e.g., ADMIN)
  • Keeping lowercase (e.g., developer)
  • Mixed case (e.g., John.Doe@Example.Com)

Configuration Properties

The following steps show how to access these configuration properties if needed:

Note

These properties are automatically set to true by default. No additional configuration is required unless you need to change this behavior.

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access ManagementADVANCED tab.

  4. Make the required changes and click Save.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml

  3. Add the following properties (only if you need to change from defaults):

    YAML
    1
2
3
4
5
    # User name case sensitivity (default: true)
CONNECTOR_BIGQUERY_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"

# Group name case sensitivity (default: true)
CONNECTOR_BIGQUERY_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud, go to SettingsApplications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access ManagementADVANCED tab.

  4. Make the required changes and click Save.