Privacera Documentation

PrivaceraCloud data access methods

You can connect data repositories to PrivaceraCloud by configuring connectors to applications.

PrivaceraCloud uses three different data access methods:

  • Data Access Server

  • PolicySync

  • Plug-in

The appropriate method depends on several factors, including the type of data resource and the type and level of control required.

When a service is activated, Privacera creates a corresponding resource service and service group in Resource policies.

For each created resource service, Privacera creates a default set of resource policies. This includes an all-access default policy. You can create and define additional policies in Resource policies.

Data Access Server integration method

The Data Access Server integration method redirects data access requests to a Privacera data authentication broker inserted into the control and data flow. A maximum of one Data Access Server can be enabled at any time.

The Data Access Server syncs Apache Ranger access policies at 5-second intervals.

PolicySync integration method

A PolicySync integration works by mapping resource policies defined in PrivaceraCloud to the native access control functions provided by the target data repository system.

This approach is used for data repository systems providing a sufficient native level of data control.

PrivaceraCloud supports multiple concurrent PolicySync connections but only one PolicySync connector of each data resource type.

PolicySync syncs Apache Ranger access policies at 3-second intervals by default, and this interval is configurable per PolicySync connector. In addition to the sync interval, PolicySync reconciles any access policy changes with the data source. Reconciliation requires additional time that varies with the complexity of the changes required, such as adding and removing grants.

Plug-in integration method

Databricks Spark, EMR PrestoDB, and EMR Hive have built-in support for external authentication using a plug-in architecture.

Privacera inserts itself into the Databricks or EMR authentication control flow using a plug-in module. Authentication for data access requests is directed to the PrivaceraCloud plug-in component by the repository system itself.

For the following plug-ins, the sync interval for retrieving Apache Ranger policies applies:

  • Databricks fine-grained access control (FGAC) plug-in: 3 seconds

  • Amazon EMR Presto plug-in: 2 seconds

  • Amazon EMR Hive plug-in: 2 seconds

Each PrivaceraCloud allows multiple concurrent plug-in connections. This method is used to: