Access management for AD users and groups¶
This page describes optional Microsoft SQL Server PolicySync settings used when principals are backed by Active Directory (or similar)—especially multiple database connections, direct permissions on principals, and principal naming (case and special characters). It does not replace the main MSSQL access setup; use it when your deployment needs the behaviors below.
You can apply these settings in either of these ways:
- Self Managed (YAML / Data Plane): set variables in vars.connector.mssql.yml (see Configuration).
- PrivaceraCloud: add custom PolicySync properties in the MSSQL application (see the PrivaceraCloud tab under Configuration).
Unless noted, flag-style YAML properties default to false when omitted. The Ranger service name defaults to mssql (see below).
Ranger service definition¶
PolicySync must use the Ranger service definition that matches your SQL Server version and deployment. By default the connector uses the mssql service definition.
To configure the connector for SQL Server 2019 and earlier (the privacera_mssql_19 service definition), update the following property in vars.connector.mssql.yml:
(YAML snippet not preserved in this copy of the page.)
For more on how this relates to native masking and unmasking scope, see Native Masking and Unmasking Types.
PrivaceraCloud equivalent:
(Properties snippet not preserved in this copy of the page.)
Omit this property when using the default mssql Ranger service definition.
Multiple database connections and apply permissions on principals¶
Use these two properties together when the connector must work across multiple databases and masking must be applied on principals.
Requirements for multi-database masking
When CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION is true:
- CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS must also be true.
- CONNECTOR_MSSQL_MANAGE_USERS, CONNECTOR_MSSQL_MANAGE_GROUPS, and CONNECTOR_MSSQL_MANAGE_ROLES must be false (they default to true). PolicySync must not manage SQL users, groups, or roles in this mode.

```yaml
CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION: "true"
CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS: "true"
```

- CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION: enables the connector to use multiple database connections. Default is false.
- CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS: applies permissions directly on principals instead of using Privacera's role-based model (database roles aligned with principal names). Default is false.
PrivaceraCloud equivalents (replace 0 with your PolicySync connector index if needed):
(Properties snippet not preserved in this copy of the page.)
Disable Privacera management of users, groups, and roles¶
When multiple database connections are enabled, CONNECTOR_MSSQL_MANAGE_USERS, CONNECTOR_MSSQL_MANAGE_GROUPS, and CONNECTOR_MSSQL_MANAGE_ROLES must be false. By default they are true (PolicySync manages SQL users, groups, and roles); that behavior is not valid together with multi-database mode, because the connector must not create or manage those principals in SQL Server when CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION is true.

```yaml
CONNECTOR_MSSQL_MANAGE_USERS: "false"
CONNECTOR_MSSQL_MANAGE_GROUPS: "false"
CONNECTOR_MSSQL_MANAGE_ROLES: "false"
```
PrivaceraCloud equivalents:
(Properties snippet not preserved in this copy of the page.)
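As an added check (not part of this page or of Privacera's tooling), the following Python reads flag-style lines from vars.connector.mssql.yml and reports the multi-database rule violations described in the two sections above, applying the defaults this page states for omitted flags. The `KEY: "true"` line shape it parses is an assumption.

```python
import re

# Defaults stated on this page: multi-DB and apply-on-principals are off unless set,
# the three MANAGE flags are on unless set.
DEFAULTS = {
    "CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION": False,
    "CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS": False,
    "CONNECTOR_MSSQL_MANAGE_USERS": True,
    "CONNECTOR_MSSQL_MANAGE_GROUPS": True,
    "CONNECTOR_MSSQL_MANAGE_ROLES": True,
}
MANAGE_FLAGS = tuple(k for k in DEFAULTS if "_MANAGE_" in k)

# Assumed line shape for flag entries in the vars file: KEY: "true" or KEY: false.
_FLAG_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*"?(true|false)"?\s*(?:#.*)?$', re.IGNORECASE)


def parse_flags(text):
    """Collect boolean flags from a vars file; non-flag lines and comments are ignored."""
    flags = {}
    for line in text.splitlines():
        m = _FLAG_LINE.match(line)
        if m:
            flags[m.group(1).upper()] = m.group(2).lower() == "true"
    return flags


def check_multi_db(flags):
    """Return the list of rule violations for multi-database mode ([] when consistent)."""
    cfg = dict(DEFAULTS)
    cfg.update((k, v) for k, v in flags.items() if k in DEFAULTS)
    if not cfg["CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION"]:
        return []  # the rules below only apply in multi-DB mode
    problems = []
    if not cfg["CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS"]:
        problems.append("CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS must be true")
    for k in MANAGE_FLAGS:
        if cfg[k]:
            problems.append(f"{k} must be false (it defaults to true when omitted)")
    return problems


# Constructed sample: multi-DB turned on, MANAGE flags left at their defaults.
INCOMPLETE_VARS = '''
CONNECTOR_MSSQL_USE_MULT_DB_CONNECTION: "true"
CONNECTOR_MSSQL_APPLY_PERMISSIONS_DIRECTLY_ON_PRINCIPALS: "true"
'''
# Same file with the three MANAGE flags explicitly disabled.
CONSISTENT_VARS = INCOMPLETE_VARS + "".join(f'{k}: "false"\n' for k in MANAGE_FLAGS)
```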
Persist case sensitivity for principal names¶
Set persist case sensitivity to true for users, groups, and roles so names keep the same casing as in Active Directory and SQL Server, avoiding mismatches when applying policies. This is recommended when using AD-linked principals together with multi-database or direct-on-principal masking (see above).
(YAML snippet not preserved in this copy of the page.)
PrivaceraCloud equivalents:
(Properties snippet not preserved in this copy of the page.)
Allow @, /, and . in user, group, and role names¶
By default, the connector uses a replace-from regex that treats many special characters as invalid for principal names and replaces them with _. The default pattern is roughly:
(Pattern not preserved in this copy of the page.)
To allow @, /, and . in names (for example, UPN-style users and group paths), use a narrower regex that omits those characters from the class, and set the replace-to string to _ for everything that still matches. Apply the same idea for users, groups, and roles.
The PrivaceraCloud equivalents use the same character class as the YAML example, so /, @, and . are not replaced.
Regex and YAML escaping
If your deployment needs different characters allowed or disallowed, adjust the character class only after validating the pattern in your environment. In vars.connector.mssql.yml, escape backslashes as needed inside double-quoted strings.
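An added illustration (not the connector's code) of what the replace-from class and the persist-case-sensitivity setting described above do to AD principal names, plus the collision check a practitioner would run before changing either: two distinct AD principals that normalize to the same SQL-side name would end up sharing one set of permissions. The character classes are constructed for illustration, since the connector's real default pattern is not reproduced on this page; the helper for double-quoted YAML escaping is also an addition.

```python
import re

# Constructed for illustration: "default" replaces every character outside [A-Za-z0-9_];
# "narrowed" also leaves @, / and . untouched. The connector's real default class is not
# reproduced on this page.
DEFAULT_INVALID = re.compile(r"[^A-Za-z0-9_]")
NARROWED_INVALID = re.compile(r"[^A-Za-z0-9_@/.]")
REPLACE_TO = "_"


def normalize(name, invalid=DEFAULT_INVALID, persist_case=True):
    """Map an AD principal name to the SQL-side name the connector would use."""
    out = invalid.sub(REPLACE_TO, name)
    return out if persist_case else out.lower()


def find_collisions(names, invalid=DEFAULT_INVALID, persist_case=True):
    """Group AD principals by SQL-side name; return only groups with more than one member."""
    groups = {}
    for n in names:
        groups.setdefault(normalize(n, invalid, persist_case), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def yaml_double_quoted(regex):
    """Render a regex as a double-quoted YAML scalar (backslashes and quotes escaped)."""
    return '"' + regex.replace("\\", "\\\\").replace('"', '\\"') + '"'


# Constructed AD principal names.
AD_PRINCIPALS = [
    "alice@corp.example",
    "alice_corp_example",   # looks like the replaced form of the name above
    "CORP/Data.Admins",
    "corp/data.admins",     # same as the previous name except for case
]

if __name__ == "__main__":
    for label, pat in (("default", DEFAULT_INVALID), ("narrowed", NARROWED_INVALID)):
        for persist in (True, False):
            print(label, "persist_case=%s" % persist, find_collisions(AD_PRINCIPALS, pat, persist))
```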
Load only masking ACLs¶
To load only masking-related ACLs and not access-control ACLs, set:
(YAML snippet not preserved in this copy of the page.)
Default is false. Use this when you want PolicySync to synchronize masking policies without loading broader access-control ACLs.
PrivaceraCloud equivalent (custom property):
(Properties snippet not preserved in this copy of the page.)
Set to false to load access-control ACLs as well (default behavior).
Configuration¶
Self Managed (YAML / Data Plane)
- SSH to the instance where Privacera Manager is installed.
- Open the connector variables file, vars.connector.mssql.yml. If you have multiple connectors, replace instance1 with the appropriate connector instance name.
- Add or update only the properties you need (enable only what applies).
- Run the following commands to update your Privacera Manager platform instance:
  - Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.
  - Step 2 - Apply the Privacera Manager helm charts.
  - Step 3 - (Optional) Post-installation step, which generates the plugin tar ball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.
PrivaceraCloud
- In the PrivaceraCloud portal, go to Settings → Applications.
- On Connected Applications, select MSSQL and open the application for edit.
- Go to Access Management → ADVANCED.
- Under Add New Custom Properties, add the PolicySync properties you need (adjust true/false and omit lines you do not use).
- Click SAVE to apply the changes.
Multi-database masking
If ranger.policysync.connector.0.use.mult.db.connection is true, ranger.policysync.connector.0.apply.permissions.directly.on.principals must also be true, and manage.service.user, manage.service.group, and manage.service.role must be false.