Access Management for Domain-Level Tag Based Masking

In BigQuery, domain-level access refers to granting permissions across all users within a specific Google Workspace domain (e.g., example.com). This allows administrators to manage access control at the domain level rather than assigning permissions individually.
If tag masking is applied to a Public Group on a Column Tag, all users within the associated domain will see the masked data.

If the CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME property is set, the Public Group in the Privacera portal acts as a domain in native tag-based masking, applying tag masking to all users within that domain.

To view unmasked data:

  • Users need an explicit tag access policy to see unmasked values.
  • Without proper access, the column remains masked in SELECT queries.

Example domains

  • googlegroups.com
  • yourcompany.com
  • gappsdomain.google.com
  • cloud.google.com

Configure Domain Name for Tag-Based Masking

  • Edit the configuration file

    Modify the following property in the vars.connector.bigquery.yml file located in the connector's instance directory.

Note

The values shown below are for example purposes only. Replace them with your actual configuration values.

YAML
CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME: "privacera.com"

  • Save the file and update Privacera Manager.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh update
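
A pre-flight check that can be run before the update command, as an added example (not part of Privacera's tooling): it confirms the property is set exactly once and holds a bare domain. It assumes a flat `KEY: "value"` layout in the vars file and that a usable value is a plain DNS domain; the function names and the file path in the usage line are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the domain masking property.
PROP="CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME"

# Print the property value with comments, whitespace and quotes stripped.
# Returns 1 if the property is missing, 2 if it is defined more than once.
masking_domain() {
  local file="$1" count value
  [ -r "$file" ] || return 1
  count=$(grep -Ec "^[[:space:]]*${PROP}[[:space:]]*:" "$file" || true)
  case "$count" in 1) ;; 0) return 1 ;; *) return 2 ;; esac
  value=$(grep -E "^[[:space:]]*${PROP}[[:space:]]*:" "$file")
  value=${value#*:}
  value=$(printf '%s' "$value" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  value=${value#[\"\']}; value=${value%[\"\']}
  printf '%s\n' "$value"
}

# Assumption: the value must be a bare DNS domain such as privacera.com.
# Group e-mail addresses, URLs and the "domain_name" placeholder fail the regex.
valid_domain() {
  [ "${#1}" -le 253 ] || return 1
  printf '%s' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Return 0 only when exactly one well-formed domain is configured.
check_masking_config() {
  local file="$1" domain rc=0
  domain=$(masking_domain "$file") || rc=$?
  case "$rc" in
    0) ;;
    2) echo "FAIL: $PROP is defined more than once in $file" >&2; return 1 ;;
    *) echo "FAIL: $PROP is not set in $file" >&2; return 1 ;;
  esac
  if ! valid_domain "$domain"; then
    echo "FAIL: '$domain' is not a bare domain name" >&2
    return 1
  fi
  echo "OK: Public Group tag masking will apply to domain '$domain'"
}

# Usage (path is an assumption): check_masking_config vars.connector.bigquery.yml
```

The printed domain is the one whose users will all see masked values, so it is worth reading back before applying the change.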

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. On the Applications screen, select BigQuery.

  3. Enter the application Name and Description, then click Save. The name can be anything you choose, e.g. BigQuery Connector for account 123456.

  4. Open the BigQuery application.

  5. Enable the Access Management option using the toggle button.

  6. Under the ADVANCED tab, scroll to Add New Custom Properties at the bottom.

    Note

    The values shown below are for example purposes only. Replace them with your actual configuration values.

    Add new property

    YAML
    ranger.policysync.connector.0.native.public.group.masking.identity.name="domain_name"
    
  7. Click SAVE.

  8. The configured BigQuery connector appears under Applications.

  9. Once saved and enabled, the BigQuery connector starts. You can then hover over the VIEW LOGS button to check its status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery connector:

  1. Go to Settings > Applications > select the BigQuery connector application.

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.
