Privacera Documentation

Write your first policy

Privacera denies access by default: until a policy permits it, no user can read your data. You define data access policies that grant access only to authorized users, and each policy is applied to one particular Privacera-connected system that holds the data.

Privacera supports several kinds of policies, such as tag-based policies and resource policies. This page walks through creating a resource policy, because resource policies are the most basic kind and the easiest to create.

Prerequisites

Before you write a policy, you need to determine the following:

  • Which connected application are you protecting?

    This example works with Databricks.

    Your account administrator must already have connected Databricks SQL to Privacera.

  • Which data in the application?

    This example uses the TPC-DS sample dataset. The table involved is CUSTOMER.

  • Which users are you giving access?

    This example gives access to a user named Emily (with username emily).

Enable access to entire table for a user

Your users need access to the TPC-DS CUSTOMER table, but because Privacera denies access by default and no policy yet permits it, a query against the table fails:

[Screenshot: UC-dbxsql-error.png]

The Privacera audit log also records the denied request:

[Screenshot: UC-dbxsql-auditerror.png]

To fix this, you create a resource policy in Privacera that gives Emily access to the CUSTOMER table. Because the policy is scoped to a single database, table and set of columns, it cannot accidentally expose anything else.

In this example, you should have the following information ready:

  • Name of the user to give access to

  • Name of the database

  • Name of the table

  • Names of the columns (or the * wildcard for all columns)

Create a policy to give a user access to a table
  1. In Privacera, expand Access Management and click Resource Policies.

  2. Under DATABRICKS_SQL_ANALYTICS, click the privacera_databricks_sql_analytics link.

    [Screenshot: databricks_sql_analytics_policy_repo.png]

    Policies are listed on the following tabs:

    • ACCESS

    • MASKING

    • ROW LEVEL FILTER

  3. On the ACCESS tab, click Add New Policy.

    The Policy Detail page is displayed.

  4. Enter a unique policy name.

    Enabled/Disabled: Accept the default, which is Enabled. A disabled policy is ignored during access evaluation, so it grants nothing.

    Normal/Override: Accept the default, which is Normal. Override policies take precedence over Normal policies that match the same resource, so choose Override only when you intend this policy to win over others.

  5. Enter a descriptive policy label that helps you find this policy when searching for policies and filtering policy lists.

  6. From the global pulldown, select database.

  7. Enter the required database name.

    This example uses tpcds.

  8. Enter the required table name.

    In this example, the policy applies to the CUSTOMER table.

  9. Enter the required column names.

    Because this policy is to give access to the entire table, this example uses the * wildcard, which indicates all columns.

    [Screenshot: UC-dbxsql-1emily_access_policy.png]

  10. Ignore Add Conditions.

  11. Enter a description of the policy to identify it among other policies.

  12. Enable/disable Audit Logging: Accept the default, which is Yes. Leaving auditing on is what makes every allowed and denied request against this resource show up in the Privacera audit log, as in the screenshots on this page.

  13. In the Allow Conditions section, under Select User, enter the user name and add the permissions for that user. This example is for user emily with all permissions, so that the result is easy to see. In practice, follow least privilege and grant only what the user needs: for a user who only reads the table, select alone is enough.

    [Screenshot: UC-dbxsql-2emily_permissions.png]

  14. Click Save to complete the new policy.
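As an added example (not code from Privacera or its documentation): the policy assembled in steps 4 to 13, written as a Python dict in the Apache Ranger policy JSON layout that Privacera's policy repositories are modelled on, plus a small deny-by-default matcher that shows why emily's query succeeds, why another user's still fails, and why the policy must stay Enabled. The matcher is a simplified model of the behaviour described on this page, not Privacera's enforcement engine; the access-type names (select, update, create, drop, alter), the second user bob and the policy names are assumptions.

```python
"""Added example, not Privacera's own code: the page's resource policy in a
Ranger-style JSON layout plus a simplified deny-by-default matcher.  Access
type names for the Databricks SQL repository are assumed; check the
Permissions picker in the portal."""
import fnmatch
import json

SERVICE = "privacera_databricks_sql_analytics"   # repository link from step 2

# Assumed access types for the Databricks SQL repository.
ALL_ACCESSES = ["select", "update", "create", "drop", "alter"]


def build_policy(name, database, table, columns, users, accesses,
                 enabled=True, audit=True, override=False, description=""):
    """Return one resource policy as a dict mirroring the Policy Detail form."""
    return {
        "service": SERVICE,
        "name": name,                                  # step 4: unique name
        "description": description,                   # step 11
        "isEnabled": enabled,                          # step 4: Enabled/Disabled
        "isAuditEnabled": audit,                       # step 12: Audit Logging
        "policyPriority": 1 if override else 0,        # step 4: Normal/Override
        "resources": {                                 # steps 6-9
            "database": {"values": [database], "isExcludes": False},
            "table": {"values": [table], "isExcludes": False},
            "column": {"values": list(columns), "isExcludes": False},
        },
        "policyItems": [{                              # step 13: Allow Conditions
            "users": list(users),
            "groups": [],
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False,
        }],
    }


def policy_json(policy):
    """Serialise the policy as a JSON payload (Ranger-style layout)."""
    return json.dumps(policy, indent=2)


def _matches(spec, value):
    """Resource matching: '*' and '?' wildcards, case-insensitive names,
    honouring the Ranger 'isExcludes' flag."""
    hit = any(fnmatch.fnmatchcase(value.lower(), pattern.lower())
              for pattern in spec["values"])
    return (not hit) if spec.get("isExcludes") else hit


def is_allowed(policies, user, database, table, column, access):
    """Deny by default: True only if an enabled policy matching every resource
    level carries an allow item for this user and access type."""
    for policy in policies:
        if not policy["isEnabled"]:
            continue
        res = policy["resources"]
        if not (_matches(res["database"], database)
                and _matches(res["table"], table)
                and _matches(res["column"], column)):
            continue
        for item in policy["policyItems"]:
            if user in item["users"] and any(
                    a["type"] == access and a["isAllowed"] for a in item["accesses"]):
                return True
    return False


def audit_line(policies, user, database, table, column, access):
    """A one-line summary in the spirit of the audit entries shown on this page."""
    verdict = "Allowed" if is_allowed(policies, user, database, table, column, access) else "Denied"
    return f"user={user} resource={database}/{table}/{column} access={access} result={verdict}"


def example():
    """Exercise the page's scenario: emily gets all access to tpcds.CUSTOMER."""
    emily_all = build_policy("emily-tpcds-customer-all", "tpcds", "CUSTOMER", ["*"],
                             ["emily"], ALL_ACCESSES,
                             description="All access to tpcds.CUSTOMER for emily")
    # Least-privilege variant: the same resource, but select only.
    emily_select = build_policy("emily-tpcds-customer-select", "tpcds", "CUSTOMER", ["*"],
                                ["emily"], ["select"])
    disabled = build_policy("emily-tpcds-customer-off", "tpcds", "CUSTOMER", ["*"],
                            ["emily"], ALL_ACCESSES, enabled=False)
    # c_customer_id is a real TPC-DS column; 'bob' is a constructed second user.
    return {
        "emily_select": is_allowed([emily_all], "emily", "tpcds", "customer", "c_customer_id", "select"),
        "bob_select": is_allowed([emily_all], "bob", "tpcds", "customer", "c_customer_id", "select"),
        "emily_other_table": is_allowed([emily_all], "emily", "tpcds", "store_sales", "ss_item_sk", "select"),
        "disabled_policy": is_allowed([disabled], "emily", "tpcds", "customer", "c_customer_id", "select"),
        "select_only_read": is_allowed([emily_select], "emily", "tpcds", "customer", "c_customer_id", "select"),
        "select_only_write": is_allowed([emily_select], "emily", "tpcds", "customer", "c_customer_id", "update"),
        "payload": policy_json(emily_all),
    }


if __name__ == "__main__":
    results = example()
    for key, value in results.items():
        if key != "payload":
            print(f"{key}: {value}")
    print(results["payload"])
```

The select-only variant is the least-privilege form of the same policy: it lets emily run the verification query below but denies update, which is all most readers of a table need. Whether and where your Privacera deployment exposes a Ranger-compatible policy API to which this payload could be posted is not covered by this page; treat that as something to confirm against your own Privacera documentation.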

Verify the policy in Databricks SQL

To verify that the policy is in effect, log in to Databricks SQL as emily and run the following SQL command:

select * from tpcds.customer

The query succeeds and the entire table is now visible:

[Screenshot: UC-dbxsql-success.png]

The Privacera audit log also records the allowed request:

[Screenshot: UC-dbxsql-3auditsuccess.png]