Connect Snowflake to PrivaceraCloud
This topic describes how to connect the Snowflake application to PrivaceraCloud on the AWS and Azure platforms.
Before configuring Snowflake, you must first manually create the Snowflake warehouse, database, users, and roles required by PolicySync. All of this is done by executing SQL statements in Snowflake.
Note
Log in to Snowflake as a user with ACCOUNTADMIN privileges.
Creating the PolicySync role
The PRIVACERA_POLICYSYNC_ROLE role, which we will create in this step, will be used in the SNOWFLAKE_ROLE_TO_USE property when configuring Snowflake with Privacera Manager.
Drop a role.
DROP ROLE IF EXISTS "PRIVACERA_POLICYSYNC_ROLE";
Create a role.
CREATE ROLE IF NOT EXISTS "PRIVACERA_POLICYSYNC_ROLE";
Grant the USERADMIN role to this role so that it can create, update, and delete roles.
GRANT ROLE USERADMIN TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Grant the SYSADMIN role to this role so that it can grant and revoke privileges on users and roles, and can create warehouses and databases in the account.
GRANT ROLE SYSADMIN TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Grant this privilege to the role so that it can manage grants on Snowflake resources.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Grant this permission to the role so that it can create native Masking policies.
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Grant this permission to the role so that it can create native row filter policies.
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Creating a warehouse
The PRIVACERA_POLICYSYNC_WH warehouse, which we create in this step, is used in the SNOWFLAKE_WAREHOUSE_TO_USE property when configuring Snowflake with Privacera Manager.
Create a warehouse for PolicySync. Change the warehouse size according to your deployment.
CREATE WAREHOUSE IF NOT EXISTS "PRIVACERA_POLICYSYNC_WH" WITH WAREHOUSE_SIZE='XSMALL' WAREHOUSE_TYPE='STANDARD' AUTO_SUSPEND=600 AUTO_RESUME=TRUE MIN_CLUSTER_COUNT=1 MAX_CLUSTER_COUNT=1 SCALING_POLICY='ECONOMY';
Granting role permission to read access audits
To give the role read access to the audit data in the Snowflake database, follow the steps below.
Grant warehouse usage so that the role can query the Snowflake database and retrieve the access audits.
GRANT USAGE ON WAREHOUSE "PRIVACERA_POLICYSYNC_WH" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Grant the PRIVACERA_POLICYSYNC_ROLE role the ability to read access audits in the Snowflake database.
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Creating a database for Privacera UDFs
The database name PRIVACERA_DB is used in the SNOWFLAKE_JDBC_DB property when configuring Snowflake with Privacera Manager.
This step is optional. If you already have a database and want to use it, you can skip this step.
CREATE DATABASE IF NOT EXISTS "PRIVACERA_DB";
Grant the PRIVACERA_POLICYSYNC_ROLE role access to the database so that PolicySync can create UDFs in it.
GRANT ALL ON DATABASE "PRIVACERA_DB" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL SCHEMAS IN DATABASE "PRIVACERA_DB" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Creating a user
The user created in this step is used in the SNOWFLAKE_JDBC_USERNAME and SNOWFLAKE_JDBC_PASSWORD properties when configuring Snowflake with Privacera Manager.
Create a user.
CREATE USER IF NOT EXISTS "PRIVACERA_POLICYSYNC_USER" PASSWORD='<PLEASE_CHANGE>' MUST_CHANGE_PASSWORD=FALSE DEFAULT_WAREHOUSE="PRIVACERA_POLICYSYNC_WH" DEFAULT_ROLE="PRIVACERA_POLICYSYNC_ROLE";
Grant the user the PRIVACERA_POLICYSYNC_ROLE role.
GRANT ROLE "PRIVACERA_POLICYSYNC_ROLE" TO USER "PRIVACERA_POLICYSYNC_USER";
Masking and row level filtering
To run masking and row level filtering, the following permissions must be granted on each database managed by PolicySync. Replace <DATABASE_NAME> with the specific database name.
GRANT ALL ON DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL SCHEMAS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE SCHEMAS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL VIEWS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE VIEWS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
Using reduced permissions for existing PolicySync
If Privacera PolicySync is currently configured with ACCOUNTADMIN privileges, the steps below must be completed as an ACCOUNTADMIN in order for PolicySync to work with the reduced permissions specified in the previous sections.
Drop UDFs.
DROP FUNCTION IF EXISTS "<DATABASE_NAME>"."PUBLIC".ThrowColumnAccessException(string);
Note: For PolicySync versions 4.7 or earlier, <DATABASE_NAME> must be replaced with the value of the configuration property jdbc.db. For PolicySync versions 5.0 or later, <DATABASE_NAME> must be replaced with the value of the configuration property ranger.policysync.connector.snowflake.masking.functions.db.name.
Drop row level filter access policies.
DROP ROW ACCESS POLICY IF EXISTS "<DATABASE_NAME>"."<SCHEMA_NAME>"."<ROW_ACCESS_POLICY_NAME>";
Note: For PolicySync version 4.7, Row Level Filter access policies must be deleted in all databases and schemas managed by PolicySync. A Row Level Filter access policy name has the format {database}_{schema}_{table}_row_filter_policy, for example "db1_sch1_tbl1_row_filter_policy".
For PolicySync versions 5.0 or later: if PolicySync is configured to create Row Level Filter access policies in a specific database and schema through the following properties, the Row Level Filter access policies must be deleted from that database and schema:
ranger.policysync.connector.snowflake.row.filter.policy.db.name
ranger.policysync.connector.snowflake.row.filter.policy.schema.name
Otherwise, Row Level Filter access policies in all databases and schemas managed by PolicySync must be deleted. A Row Level Filter access policy name has the format {database}{separator}{schema}{separator}{table}, for example "db1_PRIV_sch1_PRIV_tbl1".
Use the following command to list Row Level Filter access policies:
SHOW ROW ACCESS POLICIES;
Drop masking policies.
DROP MASKING POLICY IF EXISTS "<DATABASE_NAME>"."<SCHEMA_NAME>"."<MASKING_POLICY_NAME>";
A masking policy name has the format {table}{separator}{column}, for example "tbl1_priv_col1".
If PolicySync is configured to create masking policies in a specific database and schema through the following properties, the masking policies must be deleted from that database and schema:
ranger.policysync.connector.snowflake.masking.policy.db.name
ranger.policysync.connector.snowflake.masking.policy.schema.name
Otherwise, masking policies in all databases and schemas managed by PolicySync must be deleted. In that case a masking policy name has the format {database}{separator}{schema}{separator}{table}{separator}{column}, for example "db1_PRIV_sch1_PRIV_tbl1_PRIV_col1".
Use the following command to list all masking policies:
SHOW MASKING POLICIES;
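The cleanup above depends on recognising which policies PolicySync created from their names. As an added example (not Privacera's code), the following Python takes the name, database_name and schema_name columns of SHOW ROW ACCESS POLICIES / SHOW MASKING POLICIES output, matches the names against the formats quoted above, and produces the DROP statements for review; the separator value _PRIV_ and the sample rows are constructed from the page's own example names.

```python
"""Plan DROP statements for PolicySync-created Snowflake policies.

Added illustration, not Privacera's code. Given rows as returned by
SHOW ROW ACCESS POLICIES / SHOW MASKING POLICIES (name, database_name,
schema_name), it recognises the PolicySync naming formats quoted above and
emits DROP ... IF EXISTS statements for review before anyone runs them.
The sample rows below are constructed from the page's own examples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Name formats quoted in the text above.
ROW_FILTER_47 = "{database}_{schema}_{table}_row_filter_policy"   # PolicySync 4.7
ROW_FILTER_50 = "{database}{separator}{schema}{separator}{table}"  # 5.0 or later
MASKING_50 = "{database}{separator}{schema}{separator}{table}{separator}{column}"
SEPARATOR = "_PRIV_"  # separator implied by the page's example names (assumption)


@dataclass(frozen=True)
class PolicyRow:
    """The columns of SHOW ... POLICIES output that the plan needs."""
    name: str
    database_name: str
    schema_name: str


def template_to_regex(template: str, separator: str) -> "re.Pattern[str]":
    """Turn a PolicySync name template into a regex with one group per field.

    {separator} becomes the literal separator, every other placeholder becomes
    a named non-greedy group, and literal text such as "_row_filter_policy" is
    escaped. Callers use fullmatch(), which forces the last group to consume
    the rest of the name.
    """
    regex = ""
    for part in re.split(r"(\{\w+\})", template):
        if part.startswith("{") and part.endswith("}"):
            field = part[1:-1]
            regex += re.escape(separator) if field == "separator" else f"(?P<{field}>.+?)"
        else:
            regex += re.escape(part)
    return re.compile(regex)


def parse_policy_name(name: str, template: str, separator: str) -> Optional[Dict[str, str]]:
    """Return the template fields recovered from a policy name, or None if it does not fit.

    Caveat: object names that themselves contain the separator are ambiguous,
    which is one reason the generated statements should be reviewed rather
    than piped straight into Snowflake.
    """
    match = template_to_regex(template, separator).fullmatch(name)
    return match.groupdict() if match else None


def quote_ident(ident: str) -> str:
    """Double-quote a Snowflake identifier, escaping embedded double quotes."""
    return '"' + ident.replace('"', '""') + '"'


def plan_drops(rows: List[PolicyRow], policy_kind: str, template: str, separator: str) -> List[str]:
    """Build DROP statements for the rows whose names match the PolicySync template.

    policy_kind is "ROW ACCESS POLICY" or "MASKING POLICY". Hand-written
    policies whose names do not fit the template are left untouched.
    """
    pattern = template_to_regex(template, separator)
    return [
        f"DROP {policy_kind} IF EXISTS "
        f"{quote_ident(r.database_name)}.{quote_ident(r.schema_name)}.{quote_ident(r.name)};"
        for r in rows
        if pattern.fullmatch(r.name)
    ]


# Constructed sample output; the PolicySync names are the page's own examples.
SAMPLE_MASKING_ROWS = [
    PolicyRow("db1_PRIV_sch1_PRIV_tbl1_PRIV_col1", "db1", "sch1"),
    PolicyRow("hr_ssn_mask", "hr", "pii"),  # written by a DBA, must survive
]
SAMPLE_ROW_FILTER_ROWS = [
    PolicyRow("db1_PRIV_sch1_PRIV_tbl1", "db1", "sch1"),          # 5.0 format
    PolicyRow("db1_sch1_tbl1_row_filter_policy", "db1", "sch1"),  # 4.7 format
    PolicyRow("region_filter", "sales", "public"),                # written by a DBA
]

if __name__ == "__main__":
    for stmt in plan_drops(SAMPLE_MASKING_ROWS, "MASKING POLICY", MASKING_50, SEPARATOR):
        print(stmt)
    for stmt in plan_drops(SAMPLE_ROW_FILTER_ROWS, "ROW ACCESS POLICY", ROW_FILTER_50, SEPARATOR):
        print(stmt)
    for stmt in plan_drops(SAMPLE_ROW_FILTER_ROWS, "ROW ACCESS POLICY", ROW_FILTER_47, "_"):
        print(stmt)
```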
Procedure to connect Snowflake to PrivaceraCloud
1. Go to Settings > Applications.
2. On the Applications screen, select Snowflake.
3. Select the platform type (AWS or Azure) on which you want to configure the Snowflake application.
4. Enter the application Name and Description, and then click Save.
5. You can see Privacera Access Management and Data Discovery with toggle buttons.
Note: If you don't see Data Discovery in your application, enable it in Settings > Account > Discovery. For more information, see About the Account page on PrivaceraCloud.
Enable Privacera Access Management for Snowflake
Click the toggle button to enable the Privacera Access Management for your application.
On the BASIC tab, enter the values in the given fields and click Save. For property details and description, see table below:
Note: The remaining properties are advanced and should be modified only in consultation with Privacera.
Basic fields
Table 29. Basic fields. Each entry lists the field name, its type, its default (if any), and whether it is required, followed by the description.

Snowflake JDBC Url (string, required)
Specifies the JDBC URL for the Snowflake connector.

Snowflake JDBC Username (string, required)
Specifies the JDBC username to use.

Snowflake JDBC Password (string, required)
Specifies the JDBC password to use.

Enable Use Key Pair Authentication (boolean, default false, required)
Specifies whether PolicySync uses key-pair authentication. Set this to true to enable key-pair authentication.

Snowflake JDBC private key (string, optional)
Specifies the contents of the private key file to use with Snowflake. For example:
-----BEGIN ENCRYPTED PRIVATE KEY----- MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL... -----END ENCRYPTED PRIVATE KEY-----

Snowflake JDBC private key password (string, optional)
Specifies the password for the private key. If the private key does not have a password, do not specify this setting.

Snowflake Warehouse To Use (string, required)
Specifies the warehouse that PolicySync connects to over JDBC and uses to run SQL queries.

Snowflake Role To Use (string, required)
Specifies the role that PolicySync uses when it runs SQL queries.

Snowflake Resource Owner (string, optional)
Specifies the role that owns the resources managed by PolicySync. You must ensure that this role exists, as PolicySync does not create it.
If a value is not specified, resources are owned by the creating user, who then has all access to the resource. If a value is specified, the owner of the resource is changed to the specified role.
The following resource types are supported: databases, schemas, tables, and views.

Warehouses to set access control policies (string, optional)
Specifies a comma-separated list of warehouse names for which PolicySync manages access control. If unset, access control is managed for all warehouses. You can use wildcards. Names are case-sensitive. An example list of warehouses might resemble the following:
testdb1warehouse,testdb2warehouse, sales_dbwarehouse*

Databases to set access control policies (string, optional)
Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following:
testdb1,testdb2,sales db*
If specified, Databases to be ignored by access policy takes precedence over this setting.

Default password for new snowflake user (string, required)
Specifies the password to use when PolicySync creates new users.

Enable policy enforcements and user/group/role management (boolean, default true, optional)
Specifies whether PolicySync performs grants and revokes for access control and runs create, update, and delete queries for users, groups, and roles. The default value is true.

Database name where masking function for column access control will be created (string, optional)
Specifies the name of the database where PolicySync creates custom masking functions.

Enable access audits (boolean, default true, required)
Specifies whether Privacera fetches access audit data from the data source.

Enable simple audits (boolean, default true, optional)
Specifies whether to enable simple auditing. When enabled, PolicySync gathers the following audit information from the database:
RequestData (query text)
AccessResult (execute status)
AccessType (query type)
User (username)
ResourcePath (database_name.schema_name)
EventTime (query time)
AclEnforcer (connector name)
If you enable this setting, do not enable Enable advance audits.

Enable advance audits (boolean, default false, optional)
Specifies whether to enable advanced auditing. When enabled, PolicySync gathers the following audit information from the database:
AccessResult (execute status)
AccessType (query type)
User (username)
ResourcePath (database_name.schema_name.column_names)
EventTime (query time)
AclEnforcer (connector name)
If you enable this setting, do not enable Enable simple audits.
Advanced fields
Table 30. Advanced fields. Each entry lists the field name, its type, its default (if any), and whether it is required, followed by the description.

Schemas to set access control policies (string, optional)
Specifies a comma-separated list of schema names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a schema:
<DATABASE_NAME>.<SCHEMA_NAME>
If specified, Schemas to be ignored by access policy takes precedence over this setting. If you specify a wildcard, such as in the following example, all schemas are managed:
<DATABASE_NAME>.*
The specified value, if any, is interpreted as follows: if unset, access control is managed for all schemas; if set to none, no schemas are managed.

Tables to set access control policies (string, optional)
Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table:
<DATABASE_NAME>.<SCHEMA_NAME>.<TABLE_NAME>
If specified, ignore.table.list takes precedence over this setting. If you specify a wildcard, such as in the following example, all matched tables are managed:
<DATABASE_NAME>.<SCHEMA_NAME>.*
The specified value, if any, is interpreted as follows: if unset, access control is managed for all tables; if set to none, no tables are managed.

Stream to set access control policies (string, optional)
Specifies a comma-separated list of stream names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of streams might resemble the following:
testdb1.schema1.stream1,testdb2.schema2.stream*
If unset, access control is managed for all streams.

Functions to set access control policies (string, optional)
Specifies a comma-separated list of function names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of functions might resemble the following:
testdb1.schema1.fn1,testdb2.schema2.fn*
If unset, access control is managed for all functions.

Procedures to set access control policies (string, optional)
Specifies a comma-separated list of procedure names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of procedures might resemble the following:
testdb1.schema1.procedureA,testdb2.schema2.procedure*
If unset, access control is managed for all procedures.

Sequences to set access control policies (string, optional)
Specifies a comma-separated list of sequence names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of sequences might resemble the following:
testdb1.schema1.seq1,testdb2.schema2.seq*
If unset, access control is managed for all sequences.

FileFormat to set access control policies (string, optional)
Specifies a comma-separated list of file format names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of file formats might resemble the following:
testdb1.schema1.fileFmtA,testdb2.schema2.fileFmt*
If unset, access control is managed for all file formats.

Pipes to set access control policies (string, optional)
Specifies a comma-separated list of pipe names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of pipes might resemble the following:
testdb1.schema1.pipeA,testdb2.schema2.pipe*
If unset, access control is managed for all pipes.

ExternalStage to set access control policies (string, optional)
Specifies a comma-separated list of external stage names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of external stages might resemble the following:
testdb1.schema1.externalStage1,testdb2.schema2.extStage*
If unset, access control is managed for all external stages.

InternalStage to set access control policies (string, optional)
Specifies a comma-separated list of internal stage names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. An example list of internal stages might resemble the following:
testdb1.schema1.internalStage1,testdb2.schema2.intStage*
If unset, access control is managed for all internal stages.

Warehouses to be ignored by access policy (string, optional)
Specifies a comma-separated list of warehouse names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all warehouses are subject to access control.
This setting supersedes any values specified by Warehouses to set access control policies.

Databases to be ignored by access policy (string, default DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA, optional)
Specifies a comma-separated list of database names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all databases are subject to access control. For example:
testdb1,testdb2,sales_db*
This setting supersedes any values specified by Databases to set access control policies.

Schemas to be ignored by access policy (string, default *.INFORMATION_SCHEMA, optional)
Specifies a comma-separated list of schema names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all schemas are subject to access control. For example:
testdb1.schema1,testdb2.schema2,sales_db*.sales*
This setting supersedes any values specified by Schemas to set access control policies.

Create user in snowflake by policysync (boolean, default true, optional)
Specifies whether PolicySync creates local users for each user in Privacera.

Create user role in snowflake by policysync (boolean, default true, optional)
Specifies whether PolicySync creates local roles for each user in Privacera.

Enable use of email as login for snowflake (boolean, default false, optional)
Specifies whether PolicySync uses the user's email address as the login name when creating a new user in Snowflake.

Prefix of snowflake roles for portal users (string, optional)
Specifies the prefix that PolicySync uses when creating local roles for users. For example, if you have a user named <USER> defined in Privacera and the role prefix is priv_user_, the local role is named priv_user_<USER>.

Prefix of snowflake roles for portal groups (string, optional)
Specifies the prefix that PolicySync uses when creating local roles for groups. For example, if you have a group named etl_users defined in Privacera and the role prefix is prefix_, the local role is named prefix_etl_users.

Prefix of snowflake roles for portal roles (string, optional)
Specifies the prefix that PolicySync uses when creating roles from Privacera in the Snowflake data source. For example, if you have a role named finance defined in Privacera and the role prefix is role_prefix_, the local role is named role_prefix_finance.

Manage users from portal (boolean, optional)
Specifies whether PolicySync maintains user membership in roles in the Snowflake data source.

Manage group from portal (boolean, optional)
Specifies whether PolicySync creates groups from Privacera in the Snowflake data source.

Manage role from portal (boolean, optional)
Specifies whether PolicySync creates roles from Privacera in the Snowflake data source.

Users to set access control policy (string, optional)
Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, Users to be ignored by access control policy takes precedence over this setting. An example user list might resemble the following:
user1,user2,dev_user*

Groups to set access control policy (string, optional)
Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following:
group1,group2,dev_group*
If specified, Groups to be ignored by access control policy takes precedence over this setting.

Roles to set access control policy (string, optional)
Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following:
role1,role2,dev_role*
If specified, Roles to be ignored by access control policy takes precedence over this setting.

Users to be ignored by access control policy (string, optional)
Specifies a comma-separated list of user names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all users are subject to access control.
This setting supersedes any values specified by Users to set access control policy.

Groups to be ignored by access control policy (string, optional)
Specifies a comma-separated list of group names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all groups are subject to access control.
This setting supersedes any values specified by Groups to set access control policy.

Roles to be ignored by access control policy (string, optional)
Specifies a comma-separated list of role names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all roles are subject to access control.
This setting supersedes any values specified by Roles to set access control policy.

Regex to find special characters in user names (string, optional)
Default: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
Specifies a regular expression that is applied to a username; each matching character is replaced with the value specified by the String to replace with the special characters found in user names setting. If not specified, no find and replace operation is performed.

String to replace with the special characters found in user names (string, default _, optional)
Specifies the string that replaces the characters matched by the regex specified by the Regex to find special characters in user names setting. If not specified, no find and replace operation is performed.

Regex to find special characters in group names (string, optional)
Default: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
Specifies a regular expression that is applied to a group name; each matching character is replaced with the value specified by the String to replace with the special characters found in group names setting. If not specified, no find and replace operation is performed.

String to replace with the special characters found in group names (string, default _, optional)
Specifies the string that replaces the characters matched by the regex specified by the Regex to find special characters in group names setting. If not specified, no find and replace operation is performed.

Regex to find special characters in role names (string, optional)
Default: [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
Specifies a regular expression that is applied to a role name; each matching character is replaced with the value specified by the String to replace with the special characters found in role names setting. If not specified, no find and replace operation is performed.

String to replace with the special characters found in role names (string, default _, optional)
Specifies the string that replaces the characters matched by the regex specified by the Regex to find special characters in role names setting. If not specified, no find and replace operation is performed.

Persist case sensitivity of user names (boolean, default false, optional)
Specifies whether PolicySync converts user names to lowercase when creating local users. If set to true, case sensitivity is preserved.

Persist case sensitivity of group names (boolean, default false, optional)
Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to true, case sensitivity is preserved.

Persist case sensitivity of role names (boolean, default false, optional)
Specifies whether PolicySync converts role names to lowercase when creating local roles. If set to true, case sensitivity is preserved.

Set access control policies only on the users from managed groups (boolean, default false, optional)
Specifies whether to manage only the users that are members of the groups specified by Groups to set access control policy. The default value is false.

Set access control policies only on the users/groups from managed roles (boolean, default false, optional)
Specifies whether to manage only the users that are members of the roles specified by Roles to set access control policy. The default value is false.

Enable Column Access Exception (boolean, default true, optional)
Specifies whether an access denied exception is displayed when a user who does not have access to a table column attempts to access that column. If enabled, you must set Enforce Snowflake Native Masking to true.

Enforce Snowflake Native Masking (boolean, default true, optional)
Specifies whether PolicySync enables native masking policy creation.

Enforce Snowflake Native row filter (boolean, default true, optional)
Specifies whether to use the data source's native row filter functionality. This setting is disabled by default. When enabled, you can create row filters only on tables, not on views.

Enforce row filter policies using secure views (boolean, default false, optional)
Specifies whether to use secure view based row filtering. The default value is false. While Snowflake supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended.

Enforce masking policies using secure views (boolean, default false, optional)
Specifies whether to use secure view based masking. The default value is false.

Secure view schema name prefix (string, optional)
Specifies a prefix string to apply to a secure view schema name. By default, view-based row filter and masking secure views have the same schema name as the table schema. For example, if the prefix is dev_, the secure view schema name for a schema named example1 is dev_example1.

Secure view schema name postfix (string, optional)
Specifies a postfix string to apply to a secure view schema name. By default, view-based row filter and masking secure views have the same schema name as the table schema. For example, if the postfix is _dev, the secure view schema name for a schema named example1 is example1_dev.

Secure view name prefix (string, optional)
Specifies a prefix string for secure view names. By default, view-based row filter and masking secure views have the same schema name as the table schema. For example, if the prefix is dev_, the secure view name for a table named example1 is dev_example1.

Secure view name postfix (string, default _SECURE, optional)
Specifies a postfix string for secure view names. By default, view-based row filter and masking secure views have the same schema name as the table schema. For example, if the postfix is _dev, the secure view name for a table named example1 is example1_dev.

Create secure view for all tables/views (boolean, default false, optional)
Specifies whether to create secure views for all tables and views created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled.

Default masked value for numeric datatype columns (integer, default 0, optional)
Specifies the default masking value for numeric column types.

Default masked value for text/varchar datatype columns (string, default <MASKED>, optional)
Specifies the default masking value for text and string column types.
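The prefix, special-character and case-sensitivity fields above together decide the Snowflake role name that PolicySync derives from a Privacera user, group or role. The following Python is an added example (not Privacera's code) that applies those three steps and also flags principals that collapse to the same Snowflake role name, which is the check an administrator wants before enabling the mapping; the regex is the page's default with property-file escaping removed, and the order in which PolicySync applies the steps is an assumption.

```python
"""Predict the Snowflake role names PolicySync derives from Privacera principals.

Added illustration, not Privacera's code. It applies the steps the fields
above describe (special-character replacement, case conversion, prefixing)
and reports principals that map to the same Snowflake role. The order of
the steps is an assumption; the page does not state it.
"""
import re
from typing import Dict, Iterable, List

# Default of "Regex to find special characters in user/group/role names",
# with the property-file escaping removed so Python can compile it.
DEFAULT_SPECIAL_CHARS = re.compile(r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-/\\{}]")
# Default of "String to replace with the special characters found in ... names".
DEFAULT_REPLACEMENT = "_"


def convert_case(name: str, persist_case: bool, conversion: str = "lower") -> str:
    """Mirror 'Persist case sensitivity of ... names' and '*.name.case.conversion'.

    With persist_case False the name is lowercased. With persist_case True the
    conversion option applies: lower, upper or none (preserve case).
    """
    if not persist_case or conversion == "lower":
        return name.lower()
    if conversion == "upper":
        return name.upper()
    if conversion == "none":
        return name
    raise ValueError(f"unknown case conversion: {conversion}")


def snowflake_role_name(
    principal: str,
    prefix: str,
    *,
    persist_case: bool = False,
    conversion: str = "lower",
    special_chars: "re.Pattern[str]" = DEFAULT_SPECIAL_CHARS,
    replacement: str = DEFAULT_REPLACEMENT,
) -> str:
    """Return the Snowflake role name PolicySync would create for one principal.

    prefix is the value of the matching 'Prefix of snowflake roles for portal
    users/groups/roles' field.
    """
    sanitized = special_chars.sub(replacement, principal)
    return prefix + convert_case(sanitized, persist_case, conversion)


def find_collisions(principals: Iterable[str], prefix: str, **options) -> Dict[str, List[str]]:
    """Map each derived role name to the principals producing it, keeping only clashes.

    Two distinct Privacera principals that collapse to one Snowflake role would
    share every grant PolicySync applies to that role, so collisions deserve a
    look before the connector is enabled.
    """
    by_role: Dict[str, List[str]] = {}
    for principal in principals:
        by_role.setdefault(snowflake_role_name(principal, prefix, **options), []).append(principal)
    return {role: sources for role, sources in by_role.items() if len(sources) > 1}


if __name__ == "__main__":
    # Constructed principals; "etl_users" and "finance" are the page's own examples.
    print(snowflake_role_name("etl_users", "prefix_"))
    print(snowflake_role_name("finance", "role_prefix_"))
    print(snowflake_role_name("John.Doe@example.com", "priv_user_"))
    print(find_collisions(["john.doe", "john_doe", "jane"], "priv_user_"))
```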
Custom fields
Table 31. Custom fieldsCanonical name
Type
Default
Description
jdbc.maximum.pool.size
integer
15
Specifies the maximum size for the JDBC connection pool.
jdbc.min.idle.connection
integer
3
Specifies the minimum size of the JDBC connection pool.
jdbc.leak.detection.threshold
string
900000L
Specifies the duration in milliseconds that a connection is not part of the connection pool before PolicySync logs a possible connection leak message. If set to
0
, leak detection is disabled.handle.pipe.ownership
boolean
false
Specifies whether PolicySync changes the ownership of a pipe to the role specified by Snowflake Resource Owner.
ignore.table.list
string
Specifies a comma-separated list of table names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all tables are subject to access control. Names are case-sensitive. Specify tables using the following format:
<DATABASE_NAME>.<SCHEMA_NAME>.<TABLE_NAME>
This setting supersedes any values specified by Tables to set access control policies.
ignore.stream.list
string
Specifies a comma-separated list of stream names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all streams are subject to access control.
This setting supersedes any values specified by Stream to set access control policies.
ignore.function.list
string
Specifies a comma-separated list of functions names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all functions are subject to access control.
This setting supersedes any values specified by Functions to set access control policies.
ignore.procedure.list
string
Specifies a comma-separated list of procedures names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all procedures are subject to access control.
This setting supersedes any values specified by Procedures to set access control policies.
ignore.sequence.list
string
Specifies a comma-separated list of sequences names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all sequences are subject to access control.
This setting supersedes any values specified by Sequences to set access control policies.
ignore.file_format.list
string
Specifies a comma-separated list of file format names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all file formats are subject to access control.
This setting supersedes any values specified by FileFormat to set access control policies.
ignore.pipe.list
string
Specifies a comma-separated list of pipes names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all pipes are subject to access control.
This setting supersedes any values specified by Pipes to set access control policies.
ignore.external_stage.list
string
Specifies a comma-separated list of external stage names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all external stages are subject to access control.
This setting supersedes any values specified by ExternalStage to set access control policies.
Property | Type | Default | Description |
---|---|---|---|
ignore.internal_stage.list | string | | Specifies a comma-separated list of internal stage names that PolicySync does not provide access control for. You can specify wildcards. Names are case-sensitive. If not specified, all internal stages are subject to access control. This setting supersedes any values specified by InternalStage to set access control policies. |
user.name.case.conversion | string | lower | Specifies how user name conversions are performed. Valid values: lower (convert to lowercase), upper (convert to uppercase), none (preserve case). This setting applies only if Persist case sensitivity of user names is set to true. |
group.name.case.conversion | string | lower | Specifies how group name conversions are performed. Valid values: lower (convert to lowercase), upper (convert to uppercase), none (preserve case). This setting applies only if Persist case sensitivity of group names is set to true. |
role.name.case.conversion | string | lower | Specifies how role name conversions are performed. Valid values: lower (convert to lowercase), upper (convert to uppercase), none (preserve case). This setting applies only if Persist case sensitivity of role names is set to true. |
user.filter.with.email | boolean | false | Set this property to true if you only want to manage users who have an email address associated with them in the portal. |
User.role.use.upper.case | boolean | false | Specifies whether PolicySync converts a user role name to uppercase when performing operations. |
Group.role.use.upper.case | boolean | false | Specifies whether PolicySync converts a group name to uppercase when performing operations. |
Role.role.use.upper.case | boolean | false | Specifies whether PolicySync converts a role name to uppercase when performing operations. |
perform.grant.updates.batch | string | | Specifies whether PolicySync applies grants and revokes in batches. If enabled, this improves the overall performance of applying permission changes. |
perform.grant.updates.max.retry.attempts | integer | 2 | Specifies the maximum number of attempts that PolicySync makes to execute a grant query if it is unable to do so successfully. The default value is 2. |
enable.privileges.batching | boolean | false | Specifies whether PolicySync applies privileges described in Access Manager policies. |
masking.policy.db.name | string | | Specifies the name of the database where PolicySync creates custom masking policies. |
masking.policy.schema.name | string | PUBLIC | Specifies the name of the schema where PolicySync creates all native masking policies. If not specified, the resource schema is used as the masking policy schema. |
masking.policy.name.template | string | {database}{separator}{schema}{separator}{table} | Specifies a naming template that PolicySync uses when creating native masking policies. For example, with {database} = customer_db, {schema} = customer_schema, {table} = customer_data and {separator} = _priv_, the default template produces the native masking policy name customer_db_priv_customer_schema_priv_customer_data_{column}, where the {column} field is replaced by the column name. |
row.filter.policy.db.name | string | | Specifies the name of the database where PolicySync creates native row-filter policies. If not specified, the resource database is considered the same as the row-filter policy database. |
row.filter.policy.schema.name | string | PUBLIC | Specifies the name of the schema where PolicySync creates all native row-filter policies. If not specified, the resource schema is considered the same as the row-filter policy schema. |
row.filter.policy.name.template | string | {database}{separator}{schema}{separator}{table} | Specifies a template for the name that PolicySync uses when creating a row filter policy. For example, given a table data in the schema schema that resides in the db database, the row filter policy name might resemble db_priv_schema_priv_data_<ROW_FILTER_ITEM_NUMBER>. |
secure.view.schema.name.remove.suffix.list | string | | Specifies a suffix to remove from a schema name. For example, if a schema is named example_suffix, you can remove the _suffix string. This transformation is applied before any custom prefix or postfix is applied. You can specify a single suffix or a comma-separated list of suffixes. |
secure.view.name.remove.suffix.list | string | | Specifies a suffix to remove from a table or view name. For example, if the table is named example_suffix, you can remove the _suffix string. This transformation is applied before any custom prefix or postfix is applied. You can specify a single suffix or a comma-separated list of suffixes. |
secure.view.database.name.prefix | string | | Specifies a prefix string for secure views. By default, view-based row filter and masking-related secure views have the same name as the table database name. For example, if the prefix is priv_, then the secure view name for a database named example1 is priv_example1. |
secure.view.database.name.postfix | string | | Specifies a postfix string for secure views. By default, view-based row filter and masking-related secure views have the same name as the table database name. For example, if the postfix is _sec, then the secure view name for a database named example1 is example1_sec. |
secure.view.database.name.remove.suffix.list | string | | Specifies a suffix to remove from a database name. For example, if the database is named example_suffix, you can remove the _suffix string. This transformation is applied before any custom prefix or postfix is applied. You can specify a single suffix or a comma-separated list of suffixes. |
policy.name.separator | string | _PRIV_ | Specifies a string to use as part of the name of native row filter and masking policies. |
row.filter.alias.token | string | obj | Specifies an identifier that PolicySync uses to identify columns from the main table and parse each correctly. |
masked.double.value | integer | 0 | Specifies the default masking value for DOUBLE column types. |
masked.date.value | string | | Specifies the default masking value for date column types. |
peg.functions.db.name | string | | Specifies the name of the database where the PEG encryption functions reside. |
peg.functions.schema.name | string | public | Specifies the schema name where the PEG encryption functions reside. |
load.roles | string | load_md | Specifies the method that PolicySync uses to load roles from Snowflake. Supported values: load_md (use metadata queries). |
load.users | string | load_md | Specifies how PolicySync loads users from Snowflake. Valid values: load, load_db. |
load.resources | string | load_md_from_account_columns | Specifies how PolicySync loads resources from Snowflake. Allowed values: load_md (load the resources using metadata queries); load_md_from_account_columns (load resources by directly running SHOW QUERIES on the account; preferred when you want to manage an entire Snowflake account); load_md_from_database_columns (load the resources by directly running SHOW QUERIES only on managed databases; preferred when you want to manage only a few databases). |
load.policies | string | | Specifies the method that PolicySync uses to load existing grants from Snowflake. Supported values: load_md (use metadata queries). |
load.audits | string | | Specifies the method that PolicySync uses to load access audit information. Valid values: load (use SQL queries). |
audit.enable.resource.filter | boolean | | Specifies whether PolicySync filters access audit information by managed resources, such as databases, schemas, and so forth. |
audit.initial.pull.min | string | 30 | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Snowflake. |
custom.audit.db.name | string | PRIVACERA_ACCESS_LOGS_DB | Specifies the database that PolicySync retrieves access audits from. This setting applies only if you set Enable advance audits to true. |
sync.interval.sec | integer | 60 | Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources. |
sync.serviceuser.interval.sec | integer | 420 | Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
sync.servicepolicy.interval.sec | integer | 60 | Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly. |
audit.interval.sec | integer | 30 | Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera. |
jdbc.application | string | | Specifies the name of a partner application to connect to through JDBC. This setting is for Snowflake partner use only. |
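The naming and filtering settings above (the stage ignore lists, the name case conversion modes, masking.policy.name.template, row.filter.policy.name.template, and the secure view suffix/prefix/postfix rules) can be checked against a small model before they are applied to a live account. The following is an added example written for this page, not Privacera's own code: the function names are mine, while the placeholders, defaults and sample values (customer_db, example_suffix, priv_, _sec) are the ones the settings table uses. It assumes that the {column} and row-filter item number are appended with a plain underscore, as the page's example names show.

```python
"""Model of the PolicySync naming and filtering rules from the settings table.
Added illustration; the function names are assumptions, the placeholders and
sample values come from the page."""
from fnmatch import fnmatchcase


def parse_list(value: str) -> list[str]:
    """Split a comma-separated setting value into its non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_stage_managed(stage_name: str, ignore_list: str) -> bool:
    """ignore.internal_stage.list / ignore.external_stage.list: a stage whose
    name matches any wildcard entry is excluded from access control. Matching
    is case-sensitive (fnmatchcase rather than fnmatch), and an empty list
    means every stage is subject to access control."""
    return not any(fnmatchcase(stage_name, pattern) for pattern in parse_list(ignore_list))


def convert_case(name: str, mode: str) -> str:
    """user/group/role.name.case.conversion: lower, upper or none."""
    if mode == "lower":
        return name.lower()
    if mode == "upper":
        return name.upper()
    if mode == "none":
        return name
    raise ValueError(f"unsupported case conversion mode: {mode!r}")


DEFAULT_TEMPLATE = "{database}{separator}{schema}{separator}{table}"


def render_template(template: str, separator: str, database: str, schema: str, table: str) -> str:
    """Fill the {database}, {schema}, {table} and {separator} placeholders."""
    return template.format(database=database, schema=schema, table=table, separator=separator)


def masking_policy_name(database, schema, table, column, template=DEFAULT_TEMPLATE, separator="_priv_"):
    """masking.policy.name.template: the rendered template followed by the
    column the policy applies to, matching the page's
    customer_db_priv_customer_schema_priv_customer_data_{column} example."""
    return f"{render_template(template, separator, database, schema, table)}_{column}"


def row_filter_policy_name(database, schema, table, item_number, template=DEFAULT_TEMPLATE, separator="_priv_"):
    """row.filter.policy.name.template: rendered template followed by the
    row-filter item number (db_priv_schema_priv_data_<ROW_FILTER_ITEM_NUMBER>)."""
    return f"{render_template(template, separator, database, schema, table)}_{item_number}"


def secure_view_name(name, remove_suffix_list="", prefix="", postfix=""):
    """secure.view.*.remove.suffix.list / .prefix / .postfix: strip the first
    matching suffix, then wrap the result in the prefix and postfix. The page
    states that suffix removal happens before the prefix or postfix is applied."""
    for suffix in parse_list(remove_suffix_list):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
            break
    return f"{prefix}{name}{postfix}"


if __name__ == "__main__":
    print(masking_policy_name("customer_db", "customer_schema", "customer_data", "email"))
    print(row_filter_policy_name("db", "schema", "data", 1))
    print(secure_view_name("example_suffix", "_suffix", prefix="priv_"))
    # Case-sensitive wildcard matching: "tmp_stage" is ignored, "TMP_stage" is not.
    print(is_stage_managed("tmp_stage", "tmp_*,scratch*"), is_stage_managed("TMP_stage", "tmp_*"))
```

Running the module prints the names the settings table describes for its own sample values; the last line shows why the documented case-sensitivity of the ignore lists matters when stage names in the account differ only by case.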
On the ADVANCED tab, you can add custom properties.
Using the IMPORT PROPERTIES button, you can browse and import application properties.
For more information about object permission mapping, see Snowflake Documentation.
Object | Supported Permission | Description |
---|---|---|
Global | CreateWarehouse | Enables creating a new virtual warehouse. |
Global | CreateDatabase | Enables creating a new database in the system. |
Warehouse | UseWarehouse | Enables using a virtual warehouse and, as a result, executing queries on the warehouse. |
Warehouse | Operate | Enables changing the state of a warehouse (stop, start, suspend, resume). |
Warehouse | Monitor | Enables viewing current and past queries executed on a warehouse as well as usage statistics on that warehouse. |
Warehouse | Modify | Enables altering any properties of a warehouse, including changing its size. |
Database | UseDB | Enables using a database, including returning the database details in the SHOW DATABASES command output. |
Database | CreateSchema | Enables creating a new schema in a database, including cloning a schema. |
Schema | UseSchema | Enables using a schema, including returning the schema details in the SHOW SCHEMAS command output. |
Schema | CreateTable | Enables creating a new table in a schema, including cloning a table. |
Schema | CreateProcedure | Enables creating a new stored procedure in a schema. |
Schema | CreateFunction | Enables creating a new UDF or external function in a schema. |
Schema | CreateStream | Enables creating a new stream in a schema, including cloning a stream. |
Schema | CreateSequence | Enables creating a new sequence in a schema, including cloning a sequence. |
Schema | CreateFileFormat | Enables creating a new file format in a schema, including cloning a file format. |
Schema | CreateStage | Enables creating a new stage in a schema, including cloning a stage. |
Schema | CreatePipe | Enables creating a new pipe in a schema. |
Schema | CreateExternalTable | Enables creating a new external table in a schema. |
Table | Select | Enables executing a SELECT statement on a table. |
Table | Insert | Enables executing an INSERT command on a table. |
Table | Update | Enables executing an UPDATE command on a table. |
Table | Delete | Enables executing a DELETE command on a table. |
Table | Truncate | Enables executing a TRUNCATE TABLE command on a table. |
Table | References | Enables referencing a table as the unique/primary key table for a foreign key constraint. |
View | Select | Enables executing a SELECT statement on a view. |
Procedure | Usage | Enables calling a stored procedure. |
Function | Usage | Enables calling a function. |
Stream | Select | Enables executing a SELECT statement on a stream. |
File_format | Usage | Enables using a file format in a SQL statement. |
Sequence | Usage | Enables using a sequence in a SQL statement. |
Internal_stage | Read | Enables performing any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>). |
Internal_stage | Write | Enables performing any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>). |
External_stage | Usage | Enables using an external stage object in a SQL statement. |
Pipe | Operate | Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES), pausing or resuming the pipe, and refreshing the pipe. |
Pipe | Monitor | Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES). |
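To see what the permission mapping above amounts to on the Snowflake side, the following added example expands a policy item into the GRANT or REVOKE statements it implies. It is written for this page and is not PolicySync's code: the page lists only the Privacera permission names per object type, and the Snowflake privilege keywords paired with them here are my mapping based on Snowflake's standard privilege names. The sample database, table and role names are constructed.

```python
"""Translation of the Snowflake permission-mapping table into GRANT/REVOKE
statements. Added illustration; the privilege keyword mapping is an
assumption based on Snowflake's standard privilege names, and the sample
object and role names are constructed."""

# Privacera permission -> Snowflake privilege keyword, per object type in the table
PRIVILEGES = {
    "Global": {"CreateWarehouse": "CREATE WAREHOUSE", "CreateDatabase": "CREATE DATABASE"},
    "Warehouse": {"UseWarehouse": "USAGE", "Operate": "OPERATE", "Monitor": "MONITOR", "Modify": "MODIFY"},
    "Database": {"UseDB": "USAGE", "CreateSchema": "CREATE SCHEMA"},
    "Schema": {
        "UseSchema": "USAGE", "CreateTable": "CREATE TABLE", "CreateProcedure": "CREATE PROCEDURE",
        "CreateFunction": "CREATE FUNCTION", "CreateStream": "CREATE STREAM",
        "CreateSequence": "CREATE SEQUENCE", "CreateFileFormat": "CREATE FILE FORMAT",
        "CreateStage": "CREATE STAGE", "CreatePipe": "CREATE PIPE",
        "CreateExternalTable": "CREATE EXTERNAL TABLE",
    },
    "Table": {"Select": "SELECT", "Insert": "INSERT", "Update": "UPDATE", "Delete": "DELETE",
              "Truncate": "TRUNCATE", "References": "REFERENCES"},
    "View": {"Select": "SELECT"},
    "Procedure": {"Usage": "USAGE"},
    "Function": {"Usage": "USAGE"},
    "Stream": {"Select": "SELECT"},
    "File_format": {"Usage": "USAGE"},
    "Sequence": {"Usage": "USAGE"},
    "Internal_stage": {"Read": "READ", "Write": "WRITE"},
    "External_stage": {"Usage": "USAGE"},
    "Pipe": {"Operate": "OPERATE", "Monitor": "MONITOR"},
}

# Keyword used in the ON clause. Global permissions are account-level, so they
# take no object name.
OBJECT_KEYWORD = {
    "Global": "ACCOUNT", "Warehouse": "WAREHOUSE", "Database": "DATABASE", "Schema": "SCHEMA",
    "Table": "TABLE", "View": "VIEW", "Procedure": "PROCEDURE", "Function": "FUNCTION",
    "Stream": "STREAM", "File_format": "FILE FORMAT", "Sequence": "SEQUENCE",
    "Internal_stage": "STAGE", "External_stage": "STAGE", "Pipe": "PIPE",
}


def quote_ident(ident: str) -> str:
    """Double-quote an identifier and double any embedded quote, so a database,
    role or stage name taken from a policy is emitted verbatim and cannot alter
    the structure of the generated statement."""
    return '"' + ident.replace('"', '""') + '"'


def build_statement(object_type, permission, name_parts, role, revoke=False):
    """Return one GRANT (or REVOKE) statement for a row of the mapping table.

    name_parts is the object's qualified name split into components, e.g.
    ["sales_db", "public", "orders"] for a table. Procedures and functions in
    Snowflake are additionally identified by their argument signature, which
    this example does not model."""
    try:
        privilege = PRIVILEGES[object_type][permission]
    except KeyError:
        raise ValueError(f"{permission!r} is not a supported permission for {object_type!r}") from None
    target = OBJECT_KEYWORD[object_type]
    if object_type != "Global":
        target += " " + ".".join(quote_ident(part) for part in name_parts)
    if revoke:
        return f"REVOKE {privilege} ON {target} FROM ROLE {quote_ident(role)}"
    return f"GRANT {privilege} ON {target} TO ROLE {quote_ident(role)}"


def statements_for_policy(object_type, permissions, name_parts, roles, revoke=False):
    """Expand one policy item (several permissions, several roles) into the
    list of statements it implies; this is the kind of unit a batching grant
    applier (perform.grant.updates.batch) would submit together."""
    return [
        build_statement(object_type, permission, name_parts, role, revoke)
        for role in roles
        for permission in permissions
    ]


if __name__ == "__main__":
    for stmt in statements_for_policy("Table", ["Select", "Insert"], ["sales_db", "public", "orders"], ["analyst"]):
        print(stmt)
    print(build_statement("Global", "CreateDatabase", [], "dba"))
    print(build_statement("Internal_stage", "Write", ["sales_db", "public", "landing"], "loader", revoke=True))
```

Rejecting permissions that the table does not list for an object type (for example Insert on a View) keeps the generator from emitting a privilege the connector does not claim to manage, and quoting every identifier keeps resource names from policies from being interpreted as SQL.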
Enable Data Discovery for Snowflake
Click the toggle button to enable Data Discovery for your application.
On the BASIC tab, enter values in the following fields.
JDBC URL
JDBC Username
JDBC Password
On the ADVANCED tab, you can add custom properties.
You need to configure some advanced properties for the application where all the data to be scanned are stored. For more information, see General process for configuring an application.
Using the IMPORT PROPERTIES button, you can browse and import application properties.
Click the TEST CONNECTION button to check if the connection is successful, and then click Save.
Add Data Source
To add resources using this connection as Privacera Discovery targets, see Privacera Discovery scan targets.