Secure View Row Filter and Masking

Privacera offers the option to use Secure Views to enforce security measures. When enabled, Privacera creates Secure Views on top of the original tables and applies Row-Level Filtering (RLF) and column-level masking policies to these views. These policies are dynamically enforced when a user queries the Secure View.

Configuration Steps

Note

By default, Native Tag Based column masking and row filter policies are enabled. You must disable them to use Secure Views.

  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Enforce masking policies using secure views: Enable if you want to enforce masking policies using secure views.
    • Enforce row filter policies using secure views: Enable if you want to enforce row filter policies using secure views.
    • Create secure view for all tables/views: Enable if you want to create secure views for all tables and views, regardless of existing masking or row filter policies.
    • Default masked value for int64 datatype columns: Specifies the masking value used for numeric data types, e.g. 0.
    • Default masked value for string datatype columns: Specifies the masking value used for text or string data types, e.g. <MASKED>.
    • Enable dataadmin: Enables the Data Admin feature. This is disabled by default.
    • How column level access should be handled: To use Secure Views for column-level access control, change the value to view. The default value is none.

  5. Under the ADVANCED tab, disable the following options:

    • Enforce bigquery native row filter: Disable this option if you want to use Secure Views for row filtering instead of the native BigQuery row filter functionality, which is enabled by default.
    • Enforce bigquery native tag masking: Disable this option if you want to use Secure Views for tag-based column masking instead of the native BigQuery tag masking functionality, which is enabled by default.
  6. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml
    
  3. Add or modify the following properties:

    YAML
    # Native BigQuery row filters: set to "false" to use Secure Views instead
    CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER: "false"
    
    # Native BigQuery tag masking: set to "false" to use Secure Views instead
    ENABLE_TAG_MASKING: "false"
    
    # Enable view-based masking for BigQuery
    CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING: "true"
    
    # Enable view-based row filters for BigQuery
    CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER: "true"
    
    # Create secure views for all tables and views, regardless of policies
    CONNECTOR_BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL: "false"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
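
A pre-flight check for the properties in step 3, meant to be run after editing the file and before `./privacera-manager.sh setup`. This is an added example, not Privacera tooling: the property names come from this page, while the function names, the sample file and the choice to treat an absent key as a failure are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for vars.connector.bigquery.yml.
# Property names are from the page; function names and sample data are constructed.

# get_prop FILE KEY: print the last uncommented value of KEY, unquoted and lowercased.
get_prop() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*[\"']?([^\"'#[:space:]]*).*/\1/p" "$1" |
    tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# check_secure_view_config FILE: status 0 only if native enforcement is off and
# view-based enforcement is on. The body is a subshell, so its variables stay local.
check_secure_view_config() (
  rc=0
  for pair in \
    CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER=false \
    ENABLE_TAG_MASKING=false \
    CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING=true \
    CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER=true
  do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(get_prop "$1" "$key")
    if [ -z "$got" ]; then
      # Assumption of this example: an unset key is reported, not trusted to a default.
      echo "MISSING  $key (set it explicitly to \"$want\")"
      rc=1
    elif [ "$got" != "$want" ]; then
      echo "CONFLICT $key=$got (Secure Views need \"$want\")"
      rc=1
    else
      echo "OK       $key=$got"
    fi
  done
  exit "$rc"
)

# Constructed sample: native row filter left on, tag masking line commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER: "true"
# ENABLE_TAG_MASKING: "false"
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING: "true"
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER: "True"
EOF
check_secure_view_config "$sample" || echo "Fix the entries above before running setup."
rm -f "$sample"
```

To check a real connector, pass the path from step 2 to `check_secure_view_config`, replacing instance1 with the connector instance name where needed.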
    
  1. In PrivaceraCloud, go to Settings > Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Enforce Masking Policies Using Secure Views: Specifies whether to use secure view-based masking. Default value is true.
    • Default Masking Value for Numeric Datatype: Specifies the masking value used for numeric data types.
    • Default Masking Value for Text/String Datatype: Specifies the masking value used for text or string data types.
    • Enforce Row Filter Policies Using Secure Views: Specifies whether to use secure view-based row filtering. Default value is true.
  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. You can then hover over the VIEW LOGS button to check its status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications and select the BigQuery connector application.

  2. Edit the application, disable it, and save it.

  3. Open the same application again, enable it, and save it.