Skip to content

Secure View Row Filter and Masking

Privacera offers the option to use Secure Views to enforce security measures. When enabled, Privacera creates Secure Views on top of the original tables and applies Row-Level Filtering (RLF) and column-level masking policies to these views. These policies are dynamically enforced when a user queries the Secure View.

Configuration Steps

Note

By deafult, Native Tag Based column masking and row filter policies are enabled. You must disable them to use Secure Views.

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Enforce masking policies using secure views: Enable if you want to enforce masking policies using secure views.
    • Enforce row filter policies using secure views: Enable if you want to enforce row filter policies using secure views.
    • Create secure view for all tables/views: Enable if you want to create secure views for all tables and views, regardless of existing masking or row filter policies.
    • Default masked value for int64 datatype columns : Specifies the masking value used for numeric data types. E.g. 0
    • Default masked value for string datatype columns : Specifies the masking value used for text or string data types. E.g. <MASKED>

    • Enable dataadmin: Enables the Data Admin feature, This is disabled by default.

    • How column level access should be handled: To use Secure Views for column-level access control, Change the value to view, The default value is none.

  5. Under the ADVANCED tab, disable the following options:

    • Enforce bigquery native row filter: Disable this option if you want to use Secure Views for row filtering instead of the native BigQuery row filter functionality, which is enabled by default.
    • Enforce bigquery native tag masking: Disable this option if you want to use Secure Views for tag-based column masking instead of the native BigQuery tag masking functionality, which is enabled by default.

  6. Click SAVE to apply the changes.

The following properties define how access control mechanisms are managed within BigQuery:

  1. CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER

    • Description: Enables native BigQuery row filters.
    • Recommended Setting: false

  2. CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING

    • Description: Enables masking policies using secure views.

    • Recommended Setting: true

      GBQ support native tag based masking. we recommend as "true" as this is secure section.

  3. CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER

    • Description: Enables row filter policies using secure views.
    • Recommended Setting: true

  4. CONNECTOR_BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL

    • Description: Creates secure views for all tables and views, regardless of existing masking or row filter policies.
    • Recommended Setting: false

Modify the following properties in the vars.connector.bigquery.yml file located in the instance directory of the connector.

YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Enable native BigQuery row filters
CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER: "false"

# Enable native BigQuery tag masking
ENABLE_TAG_MASKING: "false"

# Enable view-based masking for BigQuery
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING: "true"

# Enable view-based row filters for BigQuery
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER: "true"

# Create secure views for all tables and views, regardless of policies
CONNECTOR_BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL: "false"

Save the file and update the privacera manager

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh update

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Enforce Masking Policies Using Secure Views : Specifies whether to use secure view-based masking. Default value is true.
    • Default Masking Value for Numeric Datatype : Specifies the masking value used for numeric data types.
    • Default Masking Value for Text/String Datatype : Specifies the masking value used for text or string data types.
    • Enforce Row Filter Policies Using Secure Views : Specifies whether to use secure view-based row filtering. Default value is true.

  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Text Only
1
Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart The BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Comments