Skip to content

Secure View Row Filter and Masking

Privacera has an option to use Secure Views to enforce these security measures. With this option enabled, Privacera creates Secure Views on top of the original tables and applies RLS and column-level masking policies to these views. When a user queries the Secure View, these policies are dynamically enforced.

Configuration Steps

The following properties define how access control mechanisms are managed within BigQuery:

  1. CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER

    • Description: Enables native BigQuery row filters.
    • Recommended Setting: false

  2. CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING

    • Description: Enables masking policies using secure views.

    • Recommended Setting: true

      GBQ support native tag based masking. we recommend as "true" as this is secure section.

  3. CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER

    • Description: Enables row filter policies using secure views.
    • Recommended Setting: true

  4. CONNECTOR_BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL

    • Description: Creates secure views for all tables and views, regardless of existing masking or row filter policies.
    • Recommended Setting: false

Modify the following properties in the vars.connector.bigquery.yml file located in the instance directory of the connector.

YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Enable native BigQuery row filters
CONNECTOR_BIGQUERY_ENABLE_ROW_FILTER: "false"

# Enable native BigQuery tag masking
ENABLE_TAG_MASKING: "false"

# Enable view-based masking for BigQuery
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_MASKING: "true"

# Enable view-based row filters for BigQuery
CONNECTOR_BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER: "true"

# Create secure views for all tables and views, regardless of policies
CONNECTOR_BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL: "false"

Save the file and update the privacera manager

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh update

  1. In PrivaceraCloud, go to Settings -> Applications.

  2. On the Applications screen, select BigQuery.

  3. Enter the application Name and Description. Click Save. Name could be any name of your choice. E.g. BigQuery Connector for account 123456.

  4. Open the BigQuery application.

  5. Enable the Access Management option with toggle button.

  6. Under the ADVANCED tab, enter the values for:

    • Enforce Masking Policies Using Secure Views : Specifies whether to use secure view-based masking. Default value is true.
    • Default Masking Value for Numeric Datatype : Specifies the masking value used for numeric data types.
    • Default Masking Value for Text/String Datatype : Specifies the masking value used for text or string data types.
    • Enforce Row Filter Policies Using Secure Views : Specifies whether to use secure view-based row filtering. Default value is true.

  7. Click SAVE.

  8. The configured BigQuery connector appears under Applications.

  9. Once saved and enabled, the BigQuery connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

Note

Text Only
1
Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart The BigQuery Connector:

  1. Go to Settings > Applications > select the BigQuery connector application .

  2. Edit the application > Disable it > and Save it.

  3. Open the same application again and then: Enable it and Save it.

Comments