# Configure Principal Attribute Based Flattening
This property controls whether role- or group-based conditional policies are flattened to user-based policies, depending on the type of macros used in the policy conditions and expressions.
## Overview

By default, when conditional policies are assigned to roles or groups, they are flattened to individual users for evaluation. This property changes that behavior depending on whether the policy conditions or expressions contain user-based macros or only tag-based macros.
## Behavior

- When policy conditions or expressions contain only tag-based macros: Role- or group-based policies are not flattened to user-based policies. They are applied directly to the role or group based on the evaluation result of the conditional expression.
- When policy conditions or expressions contain user-based macros: Role- or group-based policies are flattened to user-based policies. They are applied to individual users based on the evaluation result of the conditional expression, as the connector normally behaves.
## Policy Types Affected
This property affects the following policy types:
### 1. Access, Masking, and Row Filter Policies with Conditions
- Tag-based macros only: Policies remain at role/group level
- User-based macros present: Policies flatten to user level
### 2. Masking Policies with Custom Masking Values
- Tag-based macros only in custom mask value: Policies remain at role/group level
- User-based macros present in custom mask value: Policies flatten to user level
### 3. Row Filter Policies with Filter Expressions
- Tag-based macros only in filter expression: Policies remain at role/group level
- User-based macros present in filter expression: Policies flatten to user level
## Configuration

### Self-Managed Portal

- Navigate to Settings → Applications in the Self-Managed Portal.
- From the list of Connected Applications, select Snowflake.
- Click on the application name or the icon to edit. Then, go to the Access Management tab.
- Under Add New Custom Properties, add the following property:
- Click SAVE to apply the changes.

### Privacera Manager

- SSH to the instance where Privacera Manager is installed.
- Run the following command to open the `.yml` file to be edited. If you have multiple connectors, replace `instance1` with the appropriate connector instance name.
- Add the following property:
- Once the property is configured, run the following commands to update your Privacera Manager platform instance:
  - Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.
  - Step 2 - Apply the Privacera Manager Helm charts.
  - Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

### PrivaceraCloud

- In the PrivaceraCloud portal, navigate to Settings -> Applications.
- On the Connected Applications screen, select Snowflake.
- Click on the application name or the icon to edit. Then, go to the Access Management tab.
- Under Add New Custom Properties, add the following property:
- Click SAVE to apply the changes.
## Examples

### Example 1: Policy with Tag-Based Macros Only

Policy Condition:

Behavior: The policy remains at the role/group level and is not flattened to individual users.

### Example 2: Policy with User-Based Macros

Policy Condition:

Behavior: The policy is flattened to user level and applied to individual users.

### Example 3: Mixed Macros

Policy Condition:

Behavior: Since user-based macros are present, the policy is flattened to user level.
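To make the flattening rule from the Behavior section and the three examples above concrete, the following added Python example (not part of this page and not the connector's own code) models the decision and shows the fan-out that results when a role-based policy is flattened to its member users, which is what an administrator reviewing effective grants would see. The macro syntax (`${{USER.<attr>}}` for user-based macros, `${{TAG.<attr>}}` for tag-based macros), the `Policy` fields, and the role membership are assumptions constructed for illustration; the page does not give the actual macro syntax.

```python
"""Decide whether a role/group conditional policy stays at role level or is
flattened to per-user policies, following the rule described on this page.

Added illustration, not Privacera's implementation. The macro syntax
(${{USER.<attr>}} for user-based macros, ${{TAG.<attr>}} for tag-based
macros) is an assumption made for this example."""
import re
from dataclasses import dataclass

# Assumed macro syntax: ${{USER.department}}, ${{TAG.classification}}, ...
MACRO_RE = re.compile(r"\$\{\{\s*(USER|TAG)\.(\w+)\s*\}\}")


@dataclass(frozen=True)
class Policy:
    name: str
    principal: str         # role or group the policy is assigned to
    principal_type: str    # "role" or "group"
    condition: str = ""    # policy condition (access, masking, row filter)
    custom_mask: str = ""  # custom masking value, may also carry macros
    row_filter: str = ""   # row filter expression, may also carry macros


def macro_kinds(*texts):
    """Return the macro families ('USER', 'TAG') referenced across the texts."""
    return {m.group(1) for text in texts for m in MACRO_RE.finditer(text)}


def should_flatten(policy):
    """True when the policy must be flattened to individual users.

    Only tag-based macros  -> stays at role/group level (not flattened).
    Any user-based macro   -> flattened, even when mixed with tag macros.
    A condition with no macros at all is not covered by the page; this
    example assumes the default (flattening) applies in that case.
    """
    kinds = macro_kinds(policy.condition, policy.custom_mask, policy.row_filter)
    if kinds == {"TAG"}:
        return False
    return True


def effective_grants(policy, membership):
    """Principals the policy is actually evaluated against.

    membership maps a role/group name to the set of its member users, so the
    flattened case shows the per-user fan-out in the effective policy list."""
    if not should_flatten(policy):
        return [(policy.principal_type, policy.principal)]
    return [("user", u) for u in sorted(membership.get(policy.principal, ()))]


# Constructed sample data mirroring Examples 1-3 in the text.
MEMBERSHIP = {"analyst_role": {"alice", "bob"}, "finance_group": {"carol"}}

EXAMPLES = {
    "tag_only": Policy("example1", "analyst_role", "role",
                       condition="${{TAG.classification}} == 'PUBLIC'"),
    "user_based": Policy("example2", "analyst_role", "role",
                         condition="${{USER.department}} == 'finance'"),
    "mixed": Policy("example3", "finance_group", "group",
                    condition="${{TAG.classification}} == 'PII'",
                    custom_mask="mask_${{USER.country}}"),
}

if __name__ == "__main__":
    for label, policy in EXAMPLES.items():
        where = ("flattened to users" if should_flatten(policy)
                 else "kept at " + policy.principal_type)
        print(f"{label:10s} {where:20s} {effective_grants(policy, MEMBERSHIP)}")
```

The mixed case carries its user-based macro in the custom masking value rather than the condition, which is why `should_flatten` scans the condition, custom mask, and row filter expression together, matching the three policy types listed above. Scanning the same policy both ways before and after enabling the property is a quick way to confirm how many per-user entries the change removes from the effective policy set.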