Enable Native Support

Privacera supports native column masking and row-level filtering policies for Microsoft SQL Server. This capability allows data access policies to be enforced using SQL Server’s native features instead of secure views, when the connector is configured accordingly.

Note

Secure view-based enforcement is enabled by default. To use native masking and row-level filtering, enable the native options below and disable the secure view settings that would otherwise take precedence.

Configuration

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/mssql/instance1/vars.connector.mssql.yml
    
  3. Enable native support by setting the following properties to true:

    YAML
    CONNECTOR_MSSQL_ENABLE_ROW_FILTER: "true"
    CONNECTOR_MSSQL_ENABLE_MASKING: "true"
    
  4. Disable secure view-based policies by setting the following properties to false:

    YAML
    CONNECTOR_MSSQL_ENABLE_VIEW_BASED_MASKING: "false"
    CONNECTOR_MSSQL_ENABLE_VIEW_BASED_ROW_FILTER: "false"
    CONNECTOR_MSSQL_SECURE_VIEW_CREATE_FOR_ALL: "false"
    CONNECTOR_MSSQL_ENABLE_DATA_ADMIN: "false"
    
    Ranger PolicySync equivalents

    If you use PolicySync configuration or a *.properties file instead of the YAML variables above, set the following properties so native masking and row filtering match that setup.

    Properties
    ranger.policysync.connector.0.enable.row.filter=true
    ranger.policysync.connector.0.enable.masking=true
    ranger.policysync.connector.0.enable.view.based.row.filter=false
    ranger.policysync.connector.0.enable.view.based.masking=false
    ranger.policysync.connector.0.secure.view.create.for.all=false
    ranger.policysync.connector.0.enable.dataadmin=false
    
  5. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
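
The following check can be run on the edited file after step 4 and before the update in step 5, to confirm that no secure view setting is left in a state that would take precedence over native enforcement. It is an added example, not part of Privacera's tooling: the helper names are hypothetical, the sample file is constructed, and treating an unset key as a failure is a strictness assumption.

```bash
#!/usr/bin/env bash
# Added example: check that a connector vars file selects native enforcement.
# yaml_value, expect_all and check_native_config are hypothetical helper names.

# Print the value of KEY ($2) in FILE ($1), lower-cased, with quotes and trailing
# comments stripped. Prints nothing if the key is absent or commented out.
yaml_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*[\"']?([^\"'#[:space:]]*).*/\1/p" "$1" |
    tail -n 1 | tr 'A-Z' 'a-z'
}

# Report every key ($3...) in FILE ($1) whose value is not WANT ($2).
expect_all() {
  local file=$1 want=$2 rc=0 key val
  shift 2
  for key in "$@"; do
    val=$(yaml_value "$file" "$key")
    if [ "$val" != "$want" ]; then
      echo "FAIL $key=${val:-<unset>} (expected $want)"
      rc=1
    fi
  done
  return $rc
}

# Return 0 only when both native options are "true" and all four secure view
# options are explicitly "false". Assumption: an unset key is reported as a failure.
check_native_config() {
  local rc=0
  expect_all "$1" true CONNECTOR_MSSQL_ENABLE_ROW_FILTER \
    CONNECTOR_MSSQL_ENABLE_MASKING || rc=1
  expect_all "$1" false CONNECTOR_MSSQL_ENABLE_VIEW_BASED_MASKING \
    CONNECTOR_MSSQL_ENABLE_VIEW_BASED_ROW_FILTER \
    CONNECTOR_MSSQL_SECURE_VIEW_CREATE_FOR_ALL \
    CONNECTOR_MSSQL_ENABLE_DATA_ADMIN || rc=1
  return $rc
}

# Constructed sample: native options on, but one secure view option left unset.
sample=$(mktemp)
printf '%s\n' 'CONNECTOR_MSSQL_ENABLE_ROW_FILTER: "true"' \
  'CONNECTOR_MSSQL_ENABLE_MASKING: "true"' \
  'CONNECTOR_MSSQL_ENABLE_VIEW_BASED_MASKING: "false"' \
  'CONNECTOR_MSSQL_ENABLE_VIEW_BASED_ROW_FILTER: "false"' \
  'CONNECTOR_MSSQL_ENABLE_DATA_ADMIN: "false"' > "$sample"
check_native_config "$sample" || echo "secure view settings may still take precedence"
rm -f "$sample"
```

To check a real connector, call `check_native_config` with the path to the `vars.connector.mssql.yml` file opened in step 2.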
    
  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select MSSQL.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the ADVANCED tab, ensure the following options are enabled:

    • Enforce native column masking: Enables native column masking.
    • Enforce native row filter policies: Enables native row-level filtering.
  5. Under the ADVANCED tab, ensure the following secure view options are disabled when using native enforcement:

    • Enforce masking policies using secure views: Disable this option if you want to use native masking instead of secure views.
    • Enforce row filter policies using secure views: Disable this option if you want to use native row filter instead of secure views.
    • Create secure view for all tables/views: Disable this option if you want to use native enforcement for all tables and views instead of secure views.
    • Enable dataadmin: Disable this option when you are not using secure views for enforcement.
  6. Click SAVE to apply the changes.