Skip to content

Manage Resources List

You can configure the GCP BigQuery connector to manage access control policies for specific projects, datasets, and tables. By specifying inclusion and exclusion lists, you can control which resources are managed. The connector applies access control policies to resources in the include list and ignores those in the exclude list. If a resource appears in both the include and exclude lists, the connector will not manage it.

Use the following properties to specify comma-separated projects, datasets, and tables whose access control should be managed by PolicySync. To manage all resources, simply leave these properties unspecified. Wildcard characters (*) can be used to match multiple projects, datasets, and tables.

Example:

  • Project: gcp-project-123, gcp-project*
  • Dataset: gcp-project-123.analytics_db, gcp-project*.test_db*
  • Table: gcp-project-123.analytics_db.customer_table, gcp-project*.test_db*.*

Prerequisites

  1. You have successfully installed Privacera Manager and have the base installation operational.
  2. You have configured the connector for BigQuery or are in the process of doing so.

Configuration Steps

Warning

  • Values are case-sensitive.
  • Provide fully qualified names for project, datasets, and table where applicable.
  • Example (for table resource only): gcp-project-123.analytics_db.customer_table
  • Replace the example values with your actual resource names.

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. For including resources, enter the following values in the respective fields under BASIC tab:

    • Projects to manage access control policies : <your-project-name>
      • Example: gcp-project-123
    • Datasets to manage access control policies : your-project-name.your-dataset-name>
      • Example:: gcp-project-123.test_db
    • Tables to manage access control policies : your-project-name.your-dataset-name.your-table-name
      • Example:: gcp-project-123.analytics_db.customer_table, gcp-project-123.analytics_db.finance_*

    Note

    • If manage.table.list is either empty or undefined, the connector will manage all tables present within the datasets specified in manage.dataset.list.
    • If any table patterns are defined in manage.table.list, the connector will only manage tables that match those patterns, even if their parent dataset is included in manage.dataset.list.
    • To manage all tables within specific datasets when table patterns are in use, you must explicitly include wildcard entries such as dataset_name.* in manage.table.list. Without these wildcards, tables from other datasets listed in manage.dataset.list will be skipped unless their individual patterns are also explicitly specified.

  5. For excluding resources, enter the following values in the respective fields under ADVANCED tab:

    • Projects to ignore while setting access control policies : <your-project-name>
      • Example:: gcp-project-123
    • Datasets to ignore while setting access control policies : your-project-name.your-dataset-name>
      • Example:: gcp-project-123.test_db
    • Tables to ignore while setting access control policies : your-project-name.your-dataset-name.your-table-name>
      • Example:: gcp-project-123.analytics_db.customer_table, gcp-project-123.analytics_db.finance_*

  6. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml

  3. Add or modify the following properties :

    YAML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
    CONNECTOR_BIGQUERY_MANAGE_PROJECT_LIST: `<your-project-name`
     - Example: `gcp-project-123`
CONNECTOR_BIGQUERY_MANAGE_DATASET_LIST: `your-project-name.your-dataset-name`
     - Example: `gcp-project-123.test_db`
CONNECTOR_BIGQUERY_MANAGE_TABLE_LIST: `your-project-name.your-dataset-name.your-table-name`
     - Example: `gcp-project-123.analytics_db.customer_table, gcp-project-123.analytics_db.finance_*`


CONNECTOR_BIGQUERY_IGNORE_PROJECT_LIST: `<your-project-name>`
     - Example: `gcp-project-123`
CONNECTOR_REDSHIFT_IGNORE_DATABASE_LIST: `<your-project-name.your-dataset-name>`
     - Example: `gcp-project-123.test_db`
CONNECTOR_REDSHIFT_IGNORE_TABLE_LIST: `<your-project-name.your-dataset-name.your-table-name>`
     - Example: `gcp-project-123.analytics_db.customer_table, gcp-project-123.analytics_db.finance_*`

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access ManagementADVANCED tab.

  4. For including resources, enter the following values in the respective fields:

    • Projects to manage access control policies : <your-project-name>
      • Example: gcp-project-123
    • Datasets to Set Access Control Policies : <your-project-name.dataset-name>
      • Example: gcp-project-123.test_db
    • Tables to Set Access Control Policies : <your-project-name.dataset-name.table-name
      • Example: gcp-project-123.analytics_db.test_table

  5. For excluding resources, enter the following values in the respective fields:

    • Projects to Ignore While Setting Access Control Policies : <your-project-name>
      • Example: gcp-project-123
    • Datasets to Ignore While Setting Access Control Policies : <your-project-name.dataset-name>
      • Example: gcp-project-123.admin_database
    • Tables to Ignore While Setting Access Control Policies : <your-project-name.dataset-name.table-name>
      • Example: gcp-project-123.admin-database.*

  6. Click SAVE.

  7. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Comments