Skip to content

Users, Groups, and Roles Management

This section explains how to configure filters for specific users, groups, and roles in Privacera. These filters allow administrators to control which identities are included in policy synchronization and access evaluations for BigQuery.

Privacera's BigQuery connector allows you to explicitly manage or ignore specific users, groups, and roles. This feature is useful for restricting access management to only the relevant identities. If the same identity appears in both the manage and ignore lists, the ignore list takes precedence.

Prerequisites

  1. You have successfully installed Privacera Manager and have the base installation operational.
  2. You have configured the connector for BigQuery or are in the process of doing so.

Configuration Steps

The following properties define comma-separated lists of users, groups, and roles to be managed by PolicySync. Wildcards (*) are supported to match multiple resources. If you want to manage all users, groups, and roles you can omit specifying these properties.

  1. User: user1,user2,dev_user*
  2. Group: group1,group2,dev_group*
  3. Role: role1,role2,dev_role*

Note

  • Replace the example values with your actual user, group, and role names.
  • For instructions on creating a custom group in Google Cloud, refer to this guide.
  • The Google Group must be added in the portal using the following format:
    Example – Name: connectorDev@googlegroups.com

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access ManagementADVANCED tab.

  4. If you want to manage only specific users, and groups, specify them in the respective lists. Leave the values empty or put *, to manage all users, and groups.

    • Users to manage access control policies : user1
    • Groups to manage access control policies : group1

  5. To exclude specific users, and groups from the BigQuery, set the following properties.

    • Users to be ignored by access control policies : test_user1
    • Groups to be ignored by access control policies : test_group1

  6. Enable Set access control policies only on the users from managed groups if you want to manage only the users that are members of groups specified by Groups to manage access control policies. Default value is false.

  7. Click SAVE to apply the changes.

Update Configuration File Modify the following property in the vars.connector.bigquery.yml file located in the connector’s instance directory.

YAML
1
2
3
4
5
6
7
CONNECTOR_BIGQUERY_MANAGE_USER_LIST: "privacera_user1, privacera_user2"
CONNECTOR_BIGQUERY_MANAGE_GROUP_LIST: "privacera_group1, privacera_test_group_*"
CONNECTOR_BIGQUERY_MANAGE_ROLE_LIST: "privacera_role1, privacera_test_role_*"

CONNECTOR_BIGQUERY_IGNORE_USER_LIST: "test_user1"
CONNECTOR_BIGQUERY_IGNORE_GROUP_LIST: "test_group1"
CONNECTOR_BIGQUERY_IGNORE_ROLE_LIST: "test_role1"
You can set the MANAGE list to include users, groups, or roles from Privacera to be managed by the connector. The IGNORE list will exclude users, groups, or roles from being managed by the connector. The following are the rules for the values you can set:

Save the file and update the privacera manager

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh update

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Users to Set Access Control Policies : user1
    • Groups to Set Access Control Policies : group1
    • Users to be Ignored by Access Control Policies : test_user1
    • Groups to be Ignored by Access Control Policies : test_group1
    • Set Access Control Policies Only on Users from Managed Groups : Enable to specify whether to manage only the users that are members of groups specified by Groups to set access control policies. Default value is false.

  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Text Only
1
Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart The BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Comments