
Privacera Documentation


Databricks Unity Catalog connector properties for PolicySync on Privacera Platform

These Databricks Unity Catalog connector properties can be set for PolicySync in Privacera Platform.

The properties are grouped by general function, such as JDBC connection properties, properties for user, group, and role management, and other functions.

The properties are also categorized as BASIC or ADVANCED:

  • BASIC pertains to the most fundamental aspects of the connector, such as authentication.

  • ADVANCED indicates additional features beyond the BASICs, such as row-filtering or group member handling.

Start by setting the BASIC fields described here and then examine the ADVANCED fields to determine which of these features you might want to enable.

Each entry below gives, in order: the cloud property type (BASIC or ADVANCED), the default value where one exists, the PM connector property name, and a description.

JDBC configuration properties

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_DATABRICKS_BASE_URL

This is the Databricks URL for PolicySync to connect to. Example: https://dev-environment.cloud.databricks.com

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_API_ACCESS_TOKEN

A personal access token used to connect to the Databricks API. The token should belong to an admin user who has access to every resource PolicySync will manage. Treat it as a high-privilege secret: whoever holds it can grant and revoke access on those resources. Example: dapi123456789...

BASIC

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_IS_API_ACCESS_TOKEN_ACCOUNT_ADMIN

Set this to true if the personal access token has account admin privileges. PolicySync can create and update users and groups in Unity Catalog only when the token has account admin privileges. If it does not, PolicySync will not create or update users or groups in Unity Catalog, so those users and groups must be created in Unity Catalog beforehand.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL

A JDBC URL for Databricks is needed only when using Unity Catalog's native masking and row filter capabilities; by default this property can be left unset. The value should be the JDBC URL of a SQL Warehouse in Databricks.

Resources management

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_CATALOG_LIST

This property sets comma separated catalog names whose access control should be managed by PolicySync. If you want to manage all catalogs, skip this property. Wildcards are supported. The ignore catalog list has precedence over the manage catalog list. Example: test_catalog1,test_catalog2,sales_*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_SCHEMA_LIST

This property sets comma separated fully qualified schema names (catalog.schema) whose access control should be managed by PolicySync. If you want to manage all schemas, skip this property. Wildcards are supported. The ignore schema list has precedence over the manage schema list. Example: test_catalog1.schema1,test_catalog2*.sales*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_TABLE_LIST

This property sets comma separated fully qualified table/view names (catalog.schema.table) whose access control should be managed by PolicySync. If you want to manage all tables/views, skip this property. Wildcards are supported. The ignore table list has precedence over the manage table list. Example: test_catalog1.schema1.table1,test_catalog2.schema2.view2,sales_catalog*.sales*.*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_FUNCTION_LIST

This property sets comma separated fully qualified user defined function names (catalog.schema.function) whose access control should be managed by PolicySync. If you want to manage all functions, skip this property. Wildcards are supported. The ignore function list has precedence over the manage function list. Example: test_catalog1.schema1.function1,test_catalog2.schema2.function2,sales_catalog*.sales*.*

Note

Values for this property are case-sensitive.

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_EXTERNAL_LOCATION_LIST

This property sets comma separated external location names whose access control should be managed by PolicySync. If you want to manage all external locations, skip this property. Wildcards are supported. The ignore external location list has precedence over the manage external location list. Example: external_location1,external_location2,sales_location*

Note

Values for this property are case-sensitive.

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_STORAGE_CREDENTIAL_LIST

This property sets comma separated storage credential names whose access control should be managed by PolicySync. If you want to manage all storage credentials, skip this property. Wildcards are supported. The ignore storage credential list has precedence over the manage storage credential list. Example: storage_credential1,storage_credential2,sales_*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_CATALOG_LIST

This property sets comma separated catalog names whose access control should be ignored by PolicySync. If you don't want to ignore any catalogs, skip this property. Wildcards are supported. This list has precedence over the manage catalog list. Example: test_catalog1,test_catalog2,sales_*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_SCHEMA_LIST

This property sets comma separated fully qualified schema names (catalog.schema) whose access control should be ignored by PolicySync. If you don't want to ignore any schemas, skip this property. Wildcards are supported. This list has precedence over the manage schema list. Example: test_catalog1.schema1,test_catalog2*.sales*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_TABLE_LIST

This property sets comma separated fully qualified table/view names (catalog.schema.table) whose access control should be ignored by PolicySync. If you don't want to ignore any tables/views, skip this property. Wildcards are supported. This list has precedence over the manage table list. Example: test_catalog1.schema1.table1,test_catalog2.schema2.view2,sales_catalog*.sales*.*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_FUNCTION_LIST

This property sets comma separated fully qualified user defined function names (catalog.schema.function) whose access control should be ignored by PolicySync. If you don't want to ignore any functions, skip this property. Wildcards are supported. This list has precedence over the manage function list. Example: test_catalog1.schema1.function1,test_catalog2.schema2.function2,sales_catalog*.sales*.*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_EXTERNAL_LOCATION_LIST

This property sets comma separated external location names whose access control should be ignored by PolicySync. If you don't want to ignore any external locations, skip this property. Wildcards are supported. This list has precedence over the manage external location list. Example: external_location1,external_location2,sales_location*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_STORAGE_CREDENTIAL_LIST

This property sets comma separated storage credential names whose access control should be ignored by PolicySync. If you don't want to ignore any storage credentials, skip this property. Wildcards are supported. This list has precedence over the manage storage credential list. Example: storage_credential1,storage_credential2,sales_*

Note

Values for this property are case-sensitive.

Users/Groups/Roles management

ADVANCED

[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]

CONNECTOR_DATABRICKS_UNITY_CATALOG_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a name, and replaces them with the string specified in the corresponding NAME_REPLACE_TO_STRING property. If left blank, no find and replace operation is performed.

ADVANCED

_

CONNECTOR_DATABRICKS_UNITY_CATALOG_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regex in the NAME_REPLACE_FROM_REGEX property. If left blank, no find and replace operation is performed.

ADVANCED

[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]

CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a user name, and replaces them with the string specified in the USER_NAME_REPLACE_TO_STRING property. If left blank, no find and replace operation is performed.

ADVANCED

_

CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regex in the USER_NAME_REPLACE_FROM_REGEX property. If left blank, no find and replace operation is performed.

ADVANCED

[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]

CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a group name, and replaces them with the string specified in the GROUP_NAME_REPLACE_TO_STRING property. If left blank, no find and replace operation is performed.

ADVANCED

_

CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regex in the GROUP_NAME_REPLACE_FROM_REGEX property. If left blank, no find and replace operation is performed.

ADVANCED

[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]

CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_REPLACE_FROM_REGEX

This takes a regular expression as input, finds the matching characters in a role name, and replaces them with the string specified in the ROLE_NAME_REPLACE_TO_STRING property. If left blank, no find and replace operation is performed.

ADVANCED

_

CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regex in the ROLE_NAME_REPLACE_FROM_REGEX property. If left blank, no find and replace operation is performed.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_PERSIST_CASE_SENSITIVITY

After users are loaded from the Ranger APIs, all user names are converted to lowercase. In some cases you need the user names in the same case as they are in Ranger; set this property to true to preserve their case.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After groups are loaded from the Ranger APIs, all group names are converted to lowercase. In some cases you need the group names in the same case as they are in Ranger; set this property to true to preserve their case.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After roles are loaded from the Ranger APIs, all role names are converted to lowercase. In some cases you need the role names in the same case as they are in Ranger; set this property to true to preserve their case.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_USER

This property controls whether PolicySync should create users in the Databricks SQL endpoint for the users fetched from Ranger.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_GROUP

This property controls whether PolicySync should create groups in the Databricks SQL endpoint for the groups and roles fetched from Ranger.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUP_MEMBERS

This property controls whether PolicySync should update the members of groups in Databricks to match their members in Ranger.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USERS

This property controls whether PolicySync should manage, in the Databricks SQL endpoint, the users fetched from Ranger.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUPS

This property controls whether PolicySync should manage, in the Databricks SQL endpoint, the groups fetched from Ranger.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_ROLES

This property controls whether PolicySync should manage, in the Databricks SQL endpoint, the roles fetched from Ranger.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_LIST

This property sets comma separated user names whose access control should be managed by PolicySync. If you want to manage all users, skip this property. Wildcards are supported. The ignore user list has precedence over the manage user list. Example: user1,user2,dev_user*

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUP_LIST

This property sets comma separated group names whose access control should be managed by PolicySync. If you want to manage all groups, skip this property. Wildcards are supported. The ignore group list has precedence over the manage group list. Example: group1,group2,dev_group*

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_ROLE_LIST

This property sets comma separated role names whose access control should be managed by PolicySync. If you want to manage all roles, skip this property. Wildcards are supported. The ignore role list has precedence over the manage role list. Example: role1,role2,dev_role*

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_USER_LIST

This property sets comma separated user names whose access control you do not want PolicySync to manage. If you don't want to ignore any users, skip this property. Wildcards are supported. This list has precedence over the manage user list. Example: user1,user2,dev_user*

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_GROUP_LIST

This property sets comma separated group names whose access control you do not want PolicySync to manage. If you don't want to ignore any groups, skip this property. Wildcards are supported. This list has precedence over the manage group list. Example: group1,group2,dev_group*

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_IGNORE_ROLE_LIST

This property sets comma separated role names whose access control you do not want PolicySync to manage. If you don't want to ignore any roles, skip this property. Wildcards are supported. This list has precedence over the manage role list. Example: role1,role2,dev_role*
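The manage/ignore list pairs above (for catalogs, schemas, tables, functions, external locations and storage credentials, and for users, groups and roles) all follow the same three rules: an empty manage list means everything is managed, the ignore list wins over the manage list, and matching is case-sensitive with * wildcards. The following is an added illustration of those rules written for this page; it is not Privacera's matching code, and the configuration values, resource names and the choice to treat only * as special are constructed for the example.

```python
import re

PREFIX = "CONNECTOR_DATABRICKS_UNITY_CATALOG_"


def split_list(value):
    """Split a comma separated property value; blank/None means no entries."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def wildcard_match(pattern, name):
    """Case-sensitive match where '*' matches any run of characters.

    Only '*' is special (an assumption for this example); everything else
    in the pattern is literal, so names containing '?' or '[' are safe.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, name) is not None


def is_managed(name, manage_list="", ignore_list=""):
    """Decide whether PolicySync should manage access control for `name`.

    Rules taken from the property descriptions on this page:
      - the ignore list has precedence over the manage list
      - an empty manage list means every resource is managed
      - values are case-sensitive and support '*' wildcards
    """
    if any(wildcard_match(p, name) for p in split_list(ignore_list)):
        return False
    manage = split_list(manage_list)
    if not manage:
        return True
    return any(wildcard_match(p, name) for p in manage)


def managed_by_kind(config, kind, name):
    """Look up MANAGE_<kind>_LIST / IGNORE_<kind>_LIST in `config` and apply them."""
    return is_managed(
        name,
        config.get(f"{PREFIX}MANAGE_{kind}_LIST", ""),
        config.get(f"{PREFIX}IGNORE_{kind}_LIST", ""),
    )


# Constructed example configuration; the values are hypothetical.
EXAMPLE_CONFIG = {
    f"{PREFIX}MANAGE_CATALOG_LIST": "sales_*,hr",
    f"{PREFIX}IGNORE_CATALOG_LIST": "sales_scratch",
    f"{PREFIX}IGNORE_TABLE_LIST": "sales_*.*.tmp_*",  # no MANAGE_TABLE_LIST: all tables
    f"{PREFIX}MANAGE_USER_LIST": "dev_*",
    f"{PREFIX}IGNORE_USER_LIST": "dev_svc*",
}


def evaluate_examples(config=EXAMPLE_CONFIG):
    """Return {(kind, name): managed?} for a handful of constructed resources."""
    cases = [
        ("CATALOG", "sales_eu"),                # matches manage pattern sales_*
        ("CATALOG", "sales_scratch"),           # matches manage, but ignore wins
        ("CATALOG", "Sales_eu"),                # wrong case: not matched
        ("CATALOG", "finance"),                 # not in manage list
        ("TABLE", "sales_eu.public.orders"),    # empty manage list: managed
        ("TABLE", "sales_eu.public.tmp_load"),  # ignored by wildcard
        ("USER", "dev_alice"),
        ("USER", "dev_svc_ci"),                 # ignore list has precedence
        ("USER", "alice"),
    ]
    return {(kind, name): managed_by_kind(config, kind, name) for kind, name in cases}


if __name__ == "__main__":
    for (kind, name), managed in evaluate_examples().items():
        print(f"{kind:8} {name:28} {'managed' if managed else 'ignored'}")
```

Before enabling grant updates, it is worth running your own manage/ignore values through a check like this: a wrong-case entry silently matches nothing, and a broad wildcard in an ignore list silently removes resources from PolicySync's control.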

ADVANCED

priv_group_

CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_ROLE_PREFIX

This property sets a prefix for the role PolicySync creates in the Databricks SQL endpoint for a group from Ranger. For example, if you have a group named dev in Ranger and have defined the prefix as test_group_, the role created for dev in the Databricks SQL endpoint will be named test_group_dev.

Note

This property does not exist for users because users log in with email addresses instead of usernames.

ADVANCED

priv_role_

CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_ROLE_PREFIX

This property sets a prefix for the role PolicySync creates in the Databricks SQL endpoint for a role from Ranger. For example, if you have a role named finance in Ranger and have defined the prefix as test_role_, the role created for finance in the Databricks SQL endpoint will be named test_role_finance.

Note

This property does not exist for users because users log in with email addresses instead of usernames.
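The name-replacement regex, the persist-case-sensitivity flags and the group/role prefixes above together determine what a Ranger group or role is called once it lands in Databricks. The following is an added example written for this page, not Privacera's code: it applies the default FROM regex and TO string listed above, then the lowercase rule, then the default prefix. The order (replace first, then lowercase) and the sample names are assumptions.

```python
import re

# Default values as listed on this page.
DEFAULT_NAME_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"
DEFAULT_NAME_REPLACE_TO_STRING = "_"
DEFAULT_GROUP_ROLE_PREFIX = "priv_group_"
DEFAULT_ROLE_ROLE_PREFIX = "priv_role_"


def normalize_name(name, from_regex=DEFAULT_NAME_REPLACE_FROM_REGEX,
                   to_string=DEFAULT_NAME_REPLACE_TO_STRING, persist_case=False):
    """Apply a *_NAME_REPLACE_FROM_REGEX / *_NAME_REPLACE_TO_STRING pair,
    then the *_NAME_PERSIST_CASE_SENSITIVITY rule.

    A blank regex or blank replacement means no find-and-replace is done,
    as the property descriptions state. Replacing before lowercasing is an
    assumption made for this illustration. Note that '_' is itself in the
    default character class and is replaced by '_', so the mapping is
    idempotent.
    """
    if from_regex and to_string:
        name = re.sub(from_regex, to_string, name)
    return name if persist_case else name.lower()


def databricks_group_name(ranger_group, prefix=DEFAULT_GROUP_ROLE_PREFIX, **kwargs):
    """Name of the Databricks role/group created for a Ranger group."""
    return prefix + normalize_name(ranger_group, **kwargs)


def databricks_role_name(ranger_role, prefix=DEFAULT_ROLE_ROLE_PREFIX, **kwargs):
    """Name of the Databricks role/group created for a Ranger role."""
    return prefix + normalize_name(ranger_role, **kwargs)


def preview(names, **kwargs):
    """Map constructed Ranger group names to the Databricks names they would get."""
    return {n: databricks_group_name(n, **kwargs) for n in names}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    for src, dst in preview(["Data-Eng", "Finance.Team@corp", "ops/oncall"]).items():
        print(f"{src!r:24} -> {dst!r}")
```

Because the default character class includes '.', '@' and '-', distinct Ranger names can collapse onto the same Databricks name (for example Data-Eng and Data.Eng both become priv_group_data_eng), which would merge their grants; preview your real group and role names the same way before the first sync.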

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_USE_NATIVE_PUBLIC_GROUP

Set this property to true if you want PolicySync to use the native "public" group in Databricks for access grants whenever a policy refers to the public group.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_FILTERBY_GROUP

Set this property to true if you want to manage only the users who belong to the groups defined in the manage group list property.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_USER_FILTERBY_ROLE

Set this property to true if you want to manage only the users who belong to the roles defined in the manage role list property.

Access control management

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_VIEW_BASED_MASKING

Set this property to true if you want to enable secure view based masking in Databricks PolicySync.

Note

View based masking is the recommended approach. Native Unity Catalog masking (CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_MASKING) is disabled by default and additionally requires CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL to be set.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true if you want to enable secure view based row filters in Databricks PolicySync.

Note

View based row filters are the recommended approach. Native Unity Catalog row filters (CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_ROW_FILTER) are disabled by default and additionally require CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL to be set.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true if you want a secure view created for every table and for every view created by end users. Secure views are then created regardless of whether any masking or row filter policy exists in Ranger for the resource.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_ROW_FILTER

This property controls whether native row filter policy creation is enabled in PolicySync. Native row filters require CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL to be set.

ADVANCED

false

CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_MASKING

This property controls whether native masking policy creation is enabled in PolicySync. Native masking requires CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL to be set.

ADVANCED

view

CONNECTOR_DATABRICKS_UNITY_CATALOG_COLUMN_ACCESS_CONTROL_TYPE

This property sets the method of column level access control used by the connector. Possible values:

  • native_masking - column level access control using native masking: a native masking policy is created on each column to restrict users/groups/roles that do not have access.

  • view - view based column level access control: columns a user does not have access to appear as null in the secure view of the table or of the native view.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_NAME_POSTFIX

The secure view name is created by appending this value to the actual table/view name. With a prefix and postfix specified, the view name has the format {prefix}{table_name}{postfix}.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_SCHEMA_NAME_PREFIX

The secure view schema name is created by prepending this value to the actual table/view schema name. With a prefix and postfix specified, the view schema name has the format {prefix}{view_schema_name}{postfix}.

ADVANCED

_secure

CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_SCHEMA_NAME_POSTFIX

The secure view schema name is created by appending this value to the actual table/view schema name. With a prefix and postfix specified, the view schema name has the format {prefix}{view_schema_name}{postfix}.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_SECURE_VIEW_SPARK_PROPERTIES

When creating a secure view through the Unity Catalog API, the API does not set any Spark properties on the view. Spark properties that the secure views should have when they are created can be specified here as a comma separated list.

BASIC

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_GRANT_UPDATES

This property controls whether the actual grant/revoke queries, and the create/update/delete queries for users/groups/roles, are run on the Databricks SQL endpoint. When set to false, PolicySync does not apply any changes to Databricks.

ADVANCED

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_ENABLE_DATA_ADMIN

This property enables the data admin feature. With it enabled, you can create all policies on the table/native view, and by default the respective grants are made on the secure view of that table or native view; the secure view also carries the row filter and masking capability. If you need permission on the table itself, select the permission you want plus dataadmin in the policy; that permission is then granted on both the table/native view and its secure view.

Access audits management

BASIC

true

CONNECTOR_DATABRICKS_UNITY_CATALOG_AUDIT_ENABLE

This property enables fetching audit data from an external table that contains the audit data.

BASIC

CONNECTOR_DATABRICKS_UNITY_CATALOG_AUDIT_TABLE_PATH

This should be the fully qualified name of the table that contains the audit data, for example catalog_name.schema_name.audit_table

ADVANCED

simple

CONNECTOR_DATABRICKS_UNITY_CATALOG_AUDIT_MODE

This can have 3 values:

  • simple - gets Unity Catalog events and data access.

  • verbose - gets Unity Catalog events, data access, and queries run on warehouses and notebooks. This requires verbose logging to be enabled on the workspace.

  • workspace_api - loads query history from the workspace's query history API. This is only for legacy support and should not be set.

ADVANCED

CONNECTOR_DATABRICKS_UNITY_CATALOG_AUDIT_WORKSPACE_IDS