Skip to content

Ranger Tag-Based Masking in BigQuery

This guide explains how to configure and use Ranger tag-based masking in the BigQuery Connector. It applies to Ranger-managed tags (not service tags), where Privacera/Ranger serves as the single source of truth.

Alternative Approach

This document explains Ranger Tag-Based Masking. If you prefer to use BigQuery's native service tags, see Native Tag Masking in BigQuery for details on the alternative approach.

BigQuery supports two approaches for tag-based masking:

  • Service Tags: Tags are created and managed directly in BigQuery and automatically synchronized with Privacera. This approach requires manual configuration in BigQuery and offers limited flexibility compared to Ranger-managed tags.

  • Ranger Tags: Tags are created and managed entirely within Privacera. The connector automatically handles BigQuery policy tag creation, taxonomy management, and column associations. This approach provides full control and eliminates the need for manual configuration in BigQuery.

Overview

Introduction

Ranger tag-based masking with Privacera allows administrators to define and manage tags directly in Privacera, while the connector automatically synchronizes them with BigQuery. This ensures that Privacera/Ranger remains the single source of truth for masking and access control policies, providing centralized governance and consistency.

Key benefits:

  • Maintain full control over tag definitions in Privacera.
  • Automatically create BigQuery policy tags, taxonomy, and column associations.
  • Simplify management by eliminating manual setup in BigQuery.

Comparison: Service Tags vs. Ranger Tags

Feature Service Tags Ranger Tags
Source of Truth BigQuery (tags synchronized from BigQuery) Privacera/Ranger (tags created in Privacera)
Tag Management Read-only, synchronized from BigQuery Full control within Privacera
Policy Tag Creation Manual in BigQuery Connector creates policy tags, and column associations automatically
Tag Attributes Limited to BigQuery taxonomy Custom attributes (e.g., taxonomyId, project)
Configuration USE_SERVICE_TAGS=true USE_SERVICE_TAGS=false
Policy Flexibility Based on BigQuery taxonomy hierarchy Flexible, custom tag definitions

Configuration Requirements

By default, the BigQuery connector is configured to use service tags (USE_SERVICE_TAGS=true). To enable Ranger tag-based masking, you must disable service tags by setting USE_SERVICE_TAGS=false. The exact configuration steps depend on your deployment type.

Important

Ensure service tags are properly disabled. If not, you may encounter policy conflicts or unexpected behavior.

Configuration Steps

  1. In the Self-Managed Portal, navigate to SettingsApplications.
  2. On the Connected Applications screen, select BigQuery.
  3. Edit the application (click the pen icon or Account Name).
  4. Navigate to Access ManagementADVANCED tab.
  5. Add the following property under Add New Custom Properties:
    Bash
    ranger.policysync.connector.0.use.service.tags=false

  6. Click SAVE.

    Configuration Update

    The connector will automatically restart after saving the application configuration.

  1. SSH to the instance where Privacera Manager is installed.

  2. Open the connector configuration file:

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml

    Note

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

  3. Add or update the property:

    YAML
    USE_SERVICE_TAGS: "false"

  4. Once the property have been configured, execute the following commands to update your Privacera Manager platform instance:
    Bash
    cd ~/privacera/privacera-manager
./privacera-manager.sh update
  1. In PrivaceraCloud portal, navigate to SettingsApplications.
  2. On the Connected Applications screen, select BigQuery.
  3. Edit the application (click the pen icon or Account Name).
  4. Navigate to Access ManagementADVANCED tab.
  5. Add the following property under Add New Custom Properties:
    Bash
    ranger.policysync.connector.0.use.service.tags=false

  6. Click SAVE.

    Configuration Update

    The connector will automatically restart after saving the application configuration.

Prerequisites

  • BigQuery connector installed and running.
  • Service tags disabled (USE_SERVICE_TAGS=false). See Configuration Requirements for setup instructions.
  • Row filter and masking setup completed Native Row Filter and Tag Masking Setup.
  • BigQuery Policy Tag Taxonomy: A policy tag taxonomy must exist in BigQuery before creating Ranger tags. The connector will create policy tags within this taxonomy automatically, but the taxonomy itself must be pre-created in BigQuery.

Tag Naming Requirements

When creating Ranger tags for BigQuery, follow these naming conventions:

  • Tag names must be unique within your Privacera environment
  • Use descriptive names that clearly identify the purpose (e.g., customer_pii_tag, financial_data_tag)
  • Avoid special characters that might cause issues with BigQuery policy tag creation
  • Consider including project context in the name for better organization (e.g., project_name_data_type_tag)

Sample Names

The examples in this guide use sample names like forward_camera_182345_priv_tag_id for demonstration purposes. Use meaningful names that reflect your actual data classification needs.

Required Fields for BigQuery Tag Creation

When creating Ranger tags for BigQuery, you must configure the following required fields:

Field Type Description Example Source
Tag Name String Unique identifier for the tag in Privacera customer_pii_tag User-defined
taxonomyId Integer BigQuery policy tag taxonomy ID where the tag will be created 12345678 From BigQuery Console
project String BigQuery project name where the taxonomy exists my-gcp-project From BigQuery Console
Service String Privacera service name for BigQuery privacera_bigquery Fixed value
Resource Type String Type of BigQuery resource being tagged column, table, dataset User-selected
Resource Values String Specific resource identifiers project.dataset.table.column User-defined

Use Cases

Applying Ranger Tag-Based Masking Policy for End User

This guide outlines the steps to create Ranger tag-based masking policies in Privacera using traditional Ranger tags with custom attributes.

Scenario

  • Project: forward-camera-182345
  • Dataset: test_db
  • Table: test_data
  • Policy Tag Taxonomy ID: 12345678 (sample ID - see Required Fields for details)
  • Tag Name: forward_camera_182345_priv_tag_id (sample name)
  • Users:
    • test_user1 (masked access),
    • test_user2 (unmasked access)

Step 1: Create Tag Definition

  1. In Privacera Portal, navigate to Access ManagementTag Management then click Create Tag.
  2. Configure the tag:
    • Tag Name: forward_camera_182345_priv_tag_id
    • Add Tag Attribute Definitions:
      • taxonomyId (int): BigQuery policy tag taxonomy ID where the policy tag will be created. This must be a valid taxonomy ID from your BigQuery project.
      • project (string): BigQuery project name where the taxonomy exists. This should match the project where your BigQuery connector is configured.
  3. Click SAVE.

Create Tag

Step 2: Create Tag Resource Mapping

  1. In Tag Management, go to RANGER TAGGED RESOURCESTag Resource.

  2. Configure the following settings:

    • Service: privacera_bigquery
    • Tag: forward_camera_182345_priv_tag_id
    • Resource Type: Select the appropriate resource type, then specify values for project, dataset, table, and column.
    • taxonomyId: 12345678 (must match the taxonomyId from Step 1)

    • project: forward-camera-182345 (must match the project from Step 1)

      Note

      Ensure that both taxonomyId and project values match those defined in Step 1 and correspond to the same project location where the BigQuery connector is configured. The connector will create policy tags under the specified taxonomy in the specified project.

  3. Click SAVE.

Create Tag

After Mapping

Once a tag is mapped to a column, users cannot query that specific tagged column unless one of the following policies is configured:

  • Tag-Based Masking Policy: Grants masked access to the tagged column (users can query the table but see obfuscated values for the tagged column).
  • Tag-Based Access Policy: Grants unmasked/full access to the tagged column (users can query the table and see original values for the tagged column).

Policy Requirements for Tagged Columns

  • For tagged columns: You must use either a Tag-Based Masking Policy or Tag-Based Access Policy
  • For table access: Resource-Based Access Policies are still required for general table access (SELECT, etc.)
  • Combined approach: You need both Resource-Based Policies (for table access) AND Tag-Based Policies (for tagged column access)

Tip

Without either a tag-based masking policy or a tag-based access policy, users will receive access denied errors when attempting to query tables with tagged columns, even if they have resource-based access to the table.

Step 3: Create Resource-Based Access Policies

Job Creation Policy
  1. Login to Privacera Portal.
  2. Navigate to Access ManagementResource PoliciesBigQuery connector.
  3. Under Access tab, click on ADD NEW POLICY.
  4. Create Resource-Based Policy:
    • Policy Type: Access Policy
    • Policy Name: Provide name for the access policy e.g. Job Create for Users.
    • Project ID: Provide project id e.g. forward-camera-182345.
    • Dataset Name: Select as none.
    • Select User: Assign appropriate users e.g. test_user1, test_user2.
    • Permissions: Provide Job Create permission.
  5. Click SAVE.
Query Access Policy

Create another resource-based policy for Query permission on table resource.

  • Policy Type: Access Policy
  • Policy Name: Provide name for the access policy e.g. Table Level Select.
  • Project ID: Provide project name e.g. forward-camera-182345
  • Dataset Name: test_db
  • Table Name: customer_data
  • Select User: Assign appropriate users e.g. test_user1, test_user2.
  • Permissions: Provide Query permission.
  • Click SAVE.

Step 4: Create Tag-Based Masking Policy

  1. In Privacera Portal, navigate to Access ManagementTag Policiesprivacera_tag.
  2. Under MASKING tab, click ADD NEW POLICY.
  3. Configure masking policy:
    • Policy Type: Masking
    • Policy Name: Provide name for the masking policy e.g. Tag based masking policy.
    • TAG: Select required tag from the drop-down e.g.forward_camera_182345_priv_tag_id.
    • Select User: Assign appropriate user e.g. test_user1.
    • Component Permissions: bigquery
    • Select Masking Option: Select desired masking option e.g. Nullify.
  4. Click SAVE.

Step 5: Create Tag-Based Access Policy

Create another tag-based access policy for Query permission.

  1. In Tag Policies, under ACCESS tab, click ADD NEW POLICY.
  2. Configure access policy:
    • Policy Type: Tag-Based Access Policy
    • Policy Name: Provide name for the access policy e.g. Tag based column access policy.
    • Tag: forward_camera_182345_priv_tag_id
    • Select User: Assign appropriate user e.g. test_user2.
    • Component Permissions: Select component as bigquery and permissions as query.
  3. Click SAVE.

⚠ Limitations

  1. Access Denied After Tag Resource Mapping:

    • Users cannot query tagged columns unless they are explicitly granted access through a tag-based masking policy or a tag-based access policy for the specific tag.

      Note

      Tag-based policies control access to the tagged column specifically, not the table itself. Without either tag-based policy, all users will receive access denied errors when querying tables with tagged columns, even if they have resource-based access to the table.

    • Refer BigQuery Column-Level Security for more details.

  2. Service Tags Compatibility:

    • Ranger tag-based masking and service tags cannot be used together.
    • Ensure USE_SERVICE_TAGS=false is configured.
    • Switching between Service tags and Ranger tags requires connector restart.

  3. Tag Attribute Management:

    • Custom tag attributes like taxonomyId and project must be accurate.
    • Incorrect values may cause policy sync failures.

  4. Location Support in Connector's Configuration:

    • BigQuery resources and taxonomies can be created across various locations. However, the PolicySync connector currently supports access control management for resources within a single location.
    • The connector does not support the management of resources across multiple locations concurrently.
    • Ensure that your BigQuery taxonomy and all resources you want to tag are in the same location as your connector configuration.