
Access Management for Domain-Level Tag Based Masking

In BigQuery, domain-level access refers to granting permissions across all users within a specific Google Workspace domain (e.g., example.com). This allows administrators to manage access control at the domain level rather than assigning permissions individually.
If tag masking is applied to a Public Group on a Column Tag, all users within the associated domain will see the masked data.

If the CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME property is set, the Public Group on the Privacera Portal acts as a domain in native tag-based masking, applying tag masking to all users within that domain.

To view unmasked data:

  • Users need an explicit tag access policy to see unmasked values.
  • Without proper access, the column remains masked in SELECT queries.

Example domains

  • googlegroups.com
  • yourcompany.com
  • gappsdomain.google.com
  • cloud.google.com

Configure Domain Name for Tag-Based Masking

Note

The values shown below are for example purposes only. Be sure to replace them with your actual configuration values.

  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, add the following property under Add New Custom Properties:

    YAML
    ranger.policysync.connector.0.native.public.group.masking.identity.name=<domain_name>
    
  5. Click SAVE to apply the changes.

  1. Open the vars.connector.bigquery.yml file located in the connector’s instance directory.

  2. Add or update the following property:

    YAML
    CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME: "<domain_name>"  
    

  3. Save the file and update Privacera Manager.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
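
A pre-flight check for the Privacera Manager steps above, as an added example that is not Privacera's own tooling: it confirms the property in vars.connector.bigquery.yml is defined exactly once, is not the <domain_name> placeholder, and looks like a bare domain before you run the update. The function name, its return codes, and the bare-domain requirement are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Privacera code: lint the masking-domain property before
# running privacera-manager.sh update. Return codes are this example's own.
KEY="CONNECTOR_BIGQUERY_NATIVE_PUBLIC_GROUP_MASKING_IDENTITY_NAME"

# Prints the configured domain and returns 0 when the value is usable.
# 1 = file unreadable or key not set, 2 = key defined more than once,
# 3 = empty or <placeholder> value, 4 = value is not a bare domain name.
check_masking_domain() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

  # Count only uncommented, top-level definitions of the key.
  count=$(grep -Ec "^${KEY}[[:space:]]*:" "$file" || true)
  [ "$count" -ge 1 ] || { echo "$KEY is not set" >&2; return 1; }
  [ "$count" -eq 1 ] || { echo "$KEY is defined $count times" >&2; return 2; }

  # Strip the key, an inline comment, trailing whitespace and quotes.
  value=$(grep -E "^${KEY}[[:space:]]*:" "$file" | sed -E \
    -e "s/^${KEY}[[:space:]]*:[[:space:]]*//" \
    -e 's/[[:space:]]+#.*$//' \
    -e 's/[[:space:]]+$//' \
    -e 's/^"(.*)"$/\1/' \
    -e "s/^'(.*)'\$/\1/")

  case "$value" in
    "" | "<"*">") echo "empty or placeholder value: '$value'" >&2; return 3 ;;
  esac

  # Assumption: the connector expects a bare DNS name such as example.com,
  # so reject schemes, user@ parts, prefixes and paths.
  if ! printf '%s' "$value" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'; then
    echo "not a bare domain name: '$value'" >&2
    return 4
  fi
  printf '%s\n' "$value"
}

# Constructed sample file (not a real deployment); note the trailing spaces.
sample=$(mktemp)
printf '%s\n' "${KEY}: \"example.com\"  " > "$sample"
check_masking_domain "$sample"   # prints example.com
rm -f "$sample"
```

Run it against the real vars.connector.bigquery.yml and proceed with the update only when it returns 0.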
    

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Add the following property in Add New Custom Properties under the ADVANCED tab.

    YAML
    ranger.policysync.connector.0.native.public.group.masking.identity.name=<domain_name>
    
  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. You can then hover over the VIEW LOGS button to check the status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application.

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.
