Privacera Documentation

Use DynamoDB with Data Access Server on Privacera Platform

You can control user access to DynamoDB resources on Privacera Platform.

DynamoDB table access control

You can allow users to perform actions on specific tables and attributes.

  1. From the navigation menu, select Access Management > Resource Policies.

  2. On the Resource Policies page, click privacera_dynamodb > Add New Policy.

  3. Enter the following details.

    • Policy Name: Enter an appropriate policy name. The name cannot be duplicated for the same service type (DynamoDB). This field is mandatory.

    • Policy Label: Label/tag for the policy.

    • Table: Select the table(s) to which the policy applies.

    • Attribute: For the selected table(s), select the attributes to which the policy applies.

    • Audit Logging: Choose whether access under this policy is audited.

    • Group Permission: From the user group list, pick a group and choose permissions for that group.

    • User Permission: From the user list, pick a user and choose permissions for that user.

    • Include/Exclude: With the Include flag (the default), the policy applies to the values entered in the field. With the Exclude flag, the policy applies to everything except the table names or column names entered in that field.

    • Enable/Disable: By default, the policy is enabled. Disable a policy to withdraw the user/group access it grants.

    The available permissions are:

    • Read: Allow the user to perform Query/Scan on the specified table and attributes.

    • Write: Allow the user to perform put-item/delete-item on the specified table and attributes.

    • Create: Allow the user to perform createTable.

    • Delete: Allow the user to perform deleteTable.

    • ListTables: Allow the user to perform list-tables.

    • Admin: Allow the user to perform all actions on the specified table/attribute.

  4. Click Save.
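The fields above interact in ways that are easy to get wrong (an Exclude flag on a wildcard attribute, a disabled policy that still looks permissive, group versus user permissions). The following is an added example, not Privacera code: a small offline model of how such a policy could be evaluated, using the fields and permission names from the table above. The policy names, users and groups are constructed, and the evaluation rule (deny by default; a request is allowed when one enabled policy grants the operation and covers the table and every requested attribute) is an assumption made for illustration, not a description of the Data Access Server's internal logic.

```python
"""Simplified model of a Privacera-style DynamoDB resource policy.

Added example, not Privacera code. It mirrors the policy fields listed above
(Table, Attribute, Include/Exclude, Enable/Disable, user and group permissions)
so the effect of a policy on a request can be reasoned about offline. The
evaluation rule is an assumption for illustration only.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Permission -> DynamoDB operations it covers, following the permission list above.
# GetItem is grouped under Read and BatchWriteItem under Write because the
# procedures on this page use those permissions for those commands.
PERMISSION_OPS = {
    "Read": {"Query", "Scan", "GetItem"},
    "Write": {"PutItem", "DeleteItem", "BatchWriteItem"},
    "Create": {"CreateTable"},
    "Delete": {"DeleteTable"},
    "ListTables": {"ListTables"},
}
ALL_OPS = set().union(*PERMISSION_OPS.values())  # what Admin grants


@dataclass
class Policy:
    name: str
    tables: list                      # table name patterns, '*' wildcards allowed
    attributes: list                  # attribute patterns, e.g. '*' or '*ssn'
    users: dict = field(default_factory=dict)    # user -> set of permissions
    groups: dict = field(default_factory=dict)   # group -> set of permissions
    tables_excluded: bool = False     # Include/Exclude flag on the Table field
    attributes_excluded: bool = False  # Include/Exclude flag on the Attribute field
    enabled: bool = True              # Enable/Disable toggle


def _matches(value, patterns, excluded):
    """Include: value must match a pattern. Exclude: value must match none."""
    hit = any(fnmatchcase(value, p) for p in patterns)
    return not hit if excluded else hit


def _ops_for(policy, user, groups):
    """Union of operations granted to this user directly or via any group."""
    perms = set(policy.users.get(user, set()))
    for g in groups:
        perms |= policy.groups.get(g, set())
    if "Admin" in perms:
        return ALL_OPS
    ops = set()
    for p in perms:
        ops |= PERMISSION_OPS.get(p, set())
    return ops


def is_allowed(policies, user, groups, operation, table, attributes=()):
    """Deny by default; allow when one enabled policy covers op, table and all attributes."""
    for policy in policies:
        if not policy.enabled:
            continue
        if operation not in _ops_for(policy, user, groups):
            continue
        # ListTables has no target table; every other operation names one.
        if table is not None and not _matches(table, policy.tables, policy.tables_excluded):
            continue
        if all(_matches(a, policy.attributes, policy.attributes_excluded) for a in attributes):
            return True
    return False


# Constructed sample policies (names, users and groups are invented).
SAMPLE_POLICIES = [
    # Read on customer_data, every attribute EXCEPT those ending in "ssn".
    Policy("analyst_read", ["customer_data"], ["*ssn"],
           users={"alice": {"Read"}}, attributes_excluded=True),
    # ETL group may write to any customer_* table, all attributes.
    Policy("loader_write", ["customer_*"], ["*"],
           groups={"etl": {"Write", "ListTables"}}),
    # A disabled Admin policy grants nothing, however broad it looks.
    Policy("old_admin", ["*"], ["*"], users={"bob": {"Admin"}}, enabled=False),
]

if __name__ == "__main__":
    checks = [
        ("alice", [], "Query", "customer_data", ["id", "email_address"]),
        ("alice", [], "Query", "customer_data", ["id", "ssn"]),
        ("carol", ["etl"], "PutItem", "customer_data", ["id", "ssn"]),
        ("bob", [], "DeleteTable", "customer_data", []),
    ]
    for user, groups, op, table, attrs in checks:
        verdict = "ALLOW" if is_allowed(SAMPLE_POLICIES, user, groups, op, table, attrs) else "DENY"
        print(f"{verdict:5} {user:6} {op:12} {table} {attrs}")
```

The model makes the column-level behaviour visible: the same user is allowed a query that projects id and email_address but denied one that also touches ssn, because the Exclude flag turns the `*ssn` pattern into a deny list for that policy.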

DynamoDB column-level access control

Create table query

Give a user permission to create DynamoDB tables.

  1. Create an Access Management policy to give the user CREATE permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: *

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Create

  2. From a terminal prompt, create a table.

    aws dynamodb create-table \
      --table-name customer_data \
      --attribute-definitions AttributeName=id,AttributeType=S AttributeName=cust_name,AttributeType=S \
      --key-schema AttributeName=id,KeyType=HASH AttributeName=cust_name,KeyType=RANGE \
      --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5

    • Options:

      • table-name: Table name.

      • attribute-definitions: An array of attributes that describe the key schema for the table and indexes.

      • key-schema: Specifies the attributes that make up the primary key for a table or an index. The attributes in KeySchema must also be defined in the AttributeDefinitions array.

    The user can create DynamoDB tables.

List table query

Give a user permission to see a list of DynamoDB tables.

  1. Create an Access Management policy to give the user READ permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. Click privacera_dynamodb > Add New Policy.

    3. Enter the details.

      • Policy Name: DynamodbPolicy

      • Table: *

      • Attribute: * (Note: a wildcard within a column name also works, for example *ssn.)

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute the following command to list tables.

    aws dynamodb list-tables
    

    The user will be able to see the list of tables.

PutItem table query

Enable a user to write data to a DynamoDB table.

  1. Create an Access Management policy to give the user WRITE permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. Click privacera_dynamodb > Add New Policy.

    3. Enter the details.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Write

  2. From a terminal prompt, execute the following command.

    aws dynamodb put-item \
      --table-name customer_data \
      --item '{"id": {"S": "149"},"cust_name": {"S": "Joshua"},"ssn":{"S":"259636168"}, "email_address":{"S":"garybutler@gmail.com"}, "address":{"S":"70448 Scott Ranch Suite 312"}}' \
      --return-consumed-capacity TOTAL

    The user can write items to the table.

PutItems table query

Give a user permission to write items to a DynamoDB table.

  1. Download the sample data to put in the table.

    wget https://privacera-demo.s3.amazonaws.com/public/sample_data/dynamodb/customer_data.json
    
  2. Create an Access Management policy to give the user Write permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. On the Resource Policies page, go to privacera_dynamodb and then click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Write

  3. Run a batch write query.

    aws dynamodb batch-write-item --request-items file://customer_data.json
    

    The user can write multiple objects to the table.
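The batch write above reads its request document from a file, and the procedure does not show what that document looks like. The following is an added example, not Privacera code and not the contents of the sample customer_data.json downloaded above: it builds `--request-items` documents from plain rows, converting values to DynamoDB's typed attribute-value JSON, checking that every row carries the key attributes from the create-table command earlier on this page (id and cust_name), and splitting the rows into chunks of 25, which is the maximum number of requests DynamoDB accepts in one BatchWriteItem call. The rows are constructed and the output file names are an assumption.

```python
"""Build --request-items files for `aws dynamodb batch-write-item`.

Added example, not Privacera code. Rows are constructed; the table name and
key schema (id as HASH, cust_name as RANGE) follow the create-table command
used earlier on this page.
"""
import json

TABLE = "customer_data"
KEY_ATTRIBUTES = ("id", "cust_name")
BATCH_LIMIT = 25  # DynamoDB: at most 25 put/delete requests per BatchWriteItem call

# Constructed sample rows (not real customer data).
SAMPLE_ROWS = [
    {"id": "101", "cust_name": "Alice", "email_address": "alice@example.com", "active": True},
    {"id": "102", "cust_name": "Bob", "email_address": "bob@example.com", "active": False},
    {"id": "103", "cust_name": "Carol", "age": 41},
]


def to_attribute_value(value):
    """Map a Python value to DynamoDB's typed attribute-value JSON ({"S": ...} etc.)."""
    if isinstance(value, bool):          # check bool before int: bool is an int subclass
        return {"BOOL": value}
    if isinstance(value, (int, float)):
        return {"N": str(value)}         # numbers travel as strings in the wire format
    if isinstance(value, str):
        return {"S": value}
    raise TypeError(f"unsupported attribute type: {type(value).__name__}")


def to_put_request(row):
    """Wrap one row as a PutRequest, refusing rows that lack the table's key."""
    missing = [k for k in KEY_ATTRIBUTES if k not in row]
    if missing:
        raise ValueError(f"row is missing key attribute(s): {missing}")
    return {"PutRequest": {"Item": {k: to_attribute_value(v) for k, v in row.items()}}}


def build_request_files(rows, table=TABLE):
    """Split rows into BatchWriteItem-sized request documents ({table: [PutRequest...]})."""
    docs = []
    for start in range(0, len(rows), BATCH_LIMIT):
        chunk = rows[start:start + BATCH_LIMIT]
        docs.append({table: [to_put_request(r) for r in chunk]})
    return docs


def write_request_files(rows, prefix="customer_data"):
    """Write each document to <prefix>_<n>.json and return the file names (assumed naming)."""
    names = []
    for i, doc in enumerate(build_request_files(rows)):
        name = f"{prefix}_{i}.json"
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
        names.append(name)
    return names


if __name__ == "__main__":
    for name in write_request_files(SAMPLE_ROWS):
        print(f"aws dynamodb batch-write-item --request-items file://{name}")
```

Each generated file is one complete request document, so the printed commands can be run one after another under the Write policy configured above; a row that omits id or cust_name is rejected locally rather than failing at the service.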

Select table queries

Give a user permission to read from a DynamoDB table.

  1. Create an Access Management policy to give the user READ permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. In privacera_dynamodb click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: id, name, email_address, ssn

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute a read query.

    aws dynamodb query \
      --table-name customer_data \
      --projection-expression "id, cust_name, email_address, address" \
      --key-condition-expression "id = :a1" \
      --expression-attribute-values '{":a1": {"S": "149"}}'

    The user can now read from the table.

GetItem/Scan table query

Give a user permission to get or scan items from a DynamoDB table.

  1. Create an Access Management policy to give the user READ permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute a get or scan query.

    aws dynamodb get-item --table-name customer_data --key '{"id": {"S": "149"},"cust_name": {"S": "Joshua"}}'

    Or

    aws dynamodb scan --table-name customer_data

    The user can get and scan items from the DynamoDB table.

DeleteItem table query

Give a user permission to delete items from a DynamoDB table.

  1. Create an Access Management policy to give the user DELETE permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Delete

  2. From a terminal prompt, delete an item.

    aws dynamodb delete-item --table-name customer_data --key '{"id": {"S": "149"},"cust_name": {"S": "Joshua"}}'

    The user can delete items.

Delete table query

Give a user permission to delete a DynamoDB table.

  1. Create an Access Management policy to give the user DELETE permission.

    1. From the navigation menu, select Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Delete

  2. From a terminal prompt, delete a table.

    aws dynamodb delete-table --table-name customer_data

    The user can delete a DynamoDB table.