PolicySync
The following tables list the custom properties that can be configured for PolicySync connectors. To use a property, add it to the YML file for your connector in the custom-vars folder configured for your environment:
- vars.policysync.snowflake.yml
- vars.policysync.postgres.yml
- vars.policysync.mssql.yml
- vars.policysync.redshift.yml
- vars.policysync.databricks.sql.analytics.yml
- vars.policysync.bigquery.yml
- vars.policysync.powerbi.yml
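As an added illustration, not taken from the original page or from Privacera's shipped configuration, the following vars.policysync.snowflake.yml enables the connector, uses key-pair authentication instead of a stored password, and limits the connector's scope with a manage list and the page's default ignore lists. Only property names that appear in the tables on this page are used; every value in angle brackets is a placeholder, and the sample database names SALES and HR are invented.

```yaml
# vars.policysync.snowflake.yml (added example; values in <...> are placeholders, not from the page)
POLICYSYNC_ENABLE: "true"
POLICYSYNC_IMAGE_NAME: "<policysync-image>"
POLICYSYNC_IMAGE_TAG: "<policysync-tag>"
DEPLOYMENT_SIZE: "MEDIUM"

SNOWFLAKE_JDBC_URL: "jdbc:snowflake://<account>.snowflakecomputing.com/"
SNOWFLAKE_JDBC_USERNAME: "<policysync-service-user>"

# Weaker option: a long-lived password kept in this vars file.
# SNOWFLAKE_USE_KEY_PAIR_AUTHENTICATION: "false"
# SNOWFLAKE_JDBC_PASSWORD: "<password>"

# Preferred: key-pair authentication; the private key file is provisioned separately.
SNOWFLAKE_USE_KEY_PAIR_AUTHENTICATION: "true"
SNOWFLAKE_JDBC_PRIVATE_KEY_FILE_NAME: "<private-key-file>"
SNOWFLAKE_JDBC_PRIVATE_KEY_PASSWORD: "<key-passphrase>"   # leave out if the key has no passphrase

SNOWFLAKE_WAREHOUSE_TO_USE: "<warehouse>"
SNOWFLAKE_ROLE_TO_USE: "<role>"

# Scope what PolicySync may touch: an explicit manage list plus the page's default ignore lists.
SNOWFLAKE_MANAGE_DATABASE_LIST: "SALES,HR"
SNOWFLAKE_IGNORE_DATABASE_LIST: "DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA"
SNOWFLAKE_IGNORE_SCHEMA_LIST: "*.INFORMATION_SCHEMA"
```

The table below marks SNOWFLAKE_JDBC_PASSWORD as required; whether it may be omitted once key-pair authentication is enabled is not stated on this page, so confirm that with the connector before removing it. Values are quoted strings throughout, matching the examples the memory table gives (for instance POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024").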
Property | Description | Values | Default Value |
---|---|---|---|
POLICYSYNC_IMAGE_NAME | The PolicySync image name. | | |
POLICYSYNC_IMAGE_TAG | The PolicySync image tag. | | |
POLICYSYNC_ENABLE | Enable PolicySync. | true / false | false |
Common
Property | Description | Values | Default Value |
---|---|---|---|
 | After loading users, groups and roles from the Apache Ranger APIs, all names are converted to lowercase. In some cases you need the users to keep the same case as they have in Apache Ranger. When setting this value to true, names keep the case they have in Apache Ranger. | true / false | |
DEPLOYMENT_SIZE | Specifies the size of the PolicySync deployment. The memory and CPU defaults in the next table are derived from it. | SMALL, MEDIUM or LARGE | |
Memory Variables
Property | Description | Values | Default Value |
---|---|---|---|
POLICYSYNC_HEAP_MIN_MEMORY_MB | Minimum Java heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024" | | Depends on DEPLOYMENT_SIZE: MEDIUM = 8192, LARGE = 32768 |
POLICYSYNC_HEAP_MIN_MEMORY | Minimum Java heap memory used by PolicySync. Setting this value overrides POLICYSYNC_HEAP_MIN_MEMORY_MB. For example, POLICYSYNC_HEAP_MIN_MEMORY: "1g" | | POLICYSYNC_HEAP_MIN_MEMORY_MB |
POLICYSYNC_HEAP_MAX_MEMORY_MB | Maximum Java heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MAX_MEMORY_MB: "1024" | | Depends on DEPLOYMENT_SIZE: SMALL = 2048, MEDIUM = 8192, LARGE = 32768 |
POLICYSYNC_HEAP_MAX_MEMORY | Maximum Java heap memory used by PolicySync. Setting this value overrides POLICYSYNC_HEAP_MAX_MEMORY_MB. For example, POLICYSYNC_HEAP_MAX_MEMORY: "1g" | | |
POLICYSYNC_K8S_MEM_REQUESTS_MB | Minimum amount of Kubernetes memory in MB requested by PolicySync (the container memory request). For example, POLICYSYNC_K8S_MEM_REQUESTS_MB: "1024" | | |
POLICYSYNC_K8S_MEM_REQUESTS | Minimum amount of Kubernetes memory requested by PolicySync. Setting this value overrides POLICYSYNC_K8S_MEM_REQUESTS_MB. For example, POLICYSYNC_K8S_MEM_REQUESTS: "1G" | | |
POLICYSYNC_K8S_MEM_LIMITS_MB | Maximum amount of Kubernetes memory in MB that PolicySync may use (the container memory limit). For example, POLICYSYNC_K8S_MEM_LIMITS_MB: "1024" | | |
POLICYSYNC_K8S_MEM_LIMITS | Maximum amount of Kubernetes memory that PolicySync may use. Setting this value overrides POLICYSYNC_K8S_MEM_LIMITS_MB. For example, POLICYSYNC_K8S_MEM_LIMITS: "1G" | | POLICYSYNC_K8S_MEM_LIMITS_MB |
POLICYSYNC_CPU_MIN | Minimum amount of Kubernetes CPU (in CPU units, where "0.5" is half a core) requested by PolicySync. For example, POLICYSYNC_CPU_MIN: "0.5" | | Depends on DEPLOYMENT_SIZE: MEDIUM = 4, LARGE = 8 |
POLICYSYNC_CPU_MAX | Maximum amount of Kubernetes CPU that PolicySync may use. For example, POLICYSYNC_CPU_MAX: "0.5" | | Depends on DEPLOYMENT_SIZE: MEDIUM = 4, LARGE = 8 |

Keep the maximum heap (POLICYSYNC_HEAP_MAX_MEMORY or POLICYSYNC_HEAP_MAX_MEMORY_MB) well below the Kubernetes memory limit: the JVM uses memory beyond the heap (metaspace, thread stacks, direct buffers), and a container whose total usage reaches its limit is killed by Kubernetes.
Connectors Global Properties
Snowflake Connector
JDBC configuration
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_JDBC_URL | string | | Yes | Specifies the JDBC URL for the Snowflake connector. |
SNOWFLAKE_JDBC_USERNAME | string | | Yes | Specifies the JDBC username to use. |
SNOWFLAKE_JDBC_PASSWORD | string | | Yes | Specifies the JDBC password to use. |
SNOWFLAKE_USE_KEY_PAIR_AUTHENTICATION | boolean | false | Yes | Specifies whether PolicySync uses key-pair authentication. Set this property to true to authenticate with a key pair. |
SNOWFLAKE_JDBC_PRIVATE_KEY_FILE_NAME | string | | No | Specifies the file name of the private key that PolicySync uses for key-pair authentication. This file is placed in the … Specify this setting only if SNOWFLAKE_USE_KEY_PAIR_AUTHENTICATION is true. |
SNOWFLAKE_JDBC_PRIVATE_KEY_PASSWORD | string | | No | Specifies the password for the private key. If the private key does not have a password, do not specify this setting. Specify this setting only if SNOWFLAKE_USE_KEY_PAIR_AUTHENTICATION is true. |
SNOWFLAKE_WAREHOUSE_TO_USE | string | | Yes | Specifies the warehouse that PolicySync connects to and uses to run SQL queries. |
SNOWFLAKE_ROLE_TO_USE | string | | Yes | Specifies the role that PolicySync uses when it runs SQL queries. |
JDBC_MAX_POOL_SIZE | integer | 15 | No | Specifies the maximum size of the JDBC connection pool. |
JDBC_MIN_IDLE_CONNECTION | integer | 3 | No | Specifies the minimum number of idle connections that the JDBC connection pool keeps open. |
JDBC_LEAK_DETECTION_THRESHOLD | string | 900000 | No | Specifies the duration in milliseconds (the default is 15 minutes) that a connection may be checked out of the pool before PolicySync logs a possible connection leak. If set to … |
Resource management
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_OWNER_ROLE | string | | No | Specifies the role that owns the resources managed by PolicySync. You must ensure that this role exists; PolicySync does not create it. The following resource types are supported: … |
SNOWFLAKE_HANDLE_PIPE_OWNERSHIP | boolean | false | No | Specifies whether PolicySync changes the ownership of a pipe to the role specified by SNOWFLAKE_OWNER_ROLE. |
SNOWFLAKE_MANAGE_WAREHOUSE_LIST | string | | No | Specifies a comma-separated list of warehouse names for which PolicySync manages access control. If unset, access control is managed for all warehouses. You can use wildcards. Names are case-sensitive. An example list of warehouses might resemble the following: … |
SNOWFLAKE_MANAGE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following: … If specified, … |
SNOWFLAKE_MANAGE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a schema: … If specified, … If you specify a wildcard, such as in the following example, all schemas are managed: … The specified value, if any, is interpreted in the following ways: … |
SNOWFLAKE_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table: … If specified, … If you specify a wildcard, such as in the following example, all matched tables are managed: … The specified value, if any, is interpreted in the following ways: … |
SNOWFLAKE_MANAGE_STREAM_LIST | string | | No | Specifies a comma-separated list of stream names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all streams. An example list of streams might resemble the following: … |
SNOWFLAKE_MANAGE_FUNCTION_LIST | string | | No | Specifies a comma-separated list of function names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all functions. An example list of functions might resemble the following: … |
SNOWFLAKE_MANAGE_PROCEDURE_LIST | string | | No | Specifies a comma-separated list of procedure names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all procedures. An example list of procedures might resemble the following: … |
SNOWFLAKE_MANAGE_SEQUENCE_LIST | string | | No | Specifies a comma-separated list of sequence names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all sequences. An example list of sequences might resemble the following: … |
SNOWFLAKE_MANAGE_FILE_FORMAT_LIST | string | | No | Specifies a comma-separated list of file format names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all file formats. An example list of file formats might resemble the following: … |
SNOWFLAKE_MANAGE_PIPE_LIST | string | | No | Specifies a comma-separated list of pipe names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all pipes. An example list of pipes might resemble the following: … |
SNOWFLAKE_MANAGE_EXTERNAL_STAGE_LIST | string | | No | Specifies a comma-separated list of external stage names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all external stages. An example list of external stages might resemble the following: … |
SNOWFLAKE_MANAGE_INTERNAL_STAGE_LIST | string | | No | Specifies a comma-separated list of internal stage names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If unset, access control is managed for all internal stages. An example list of internal stages might resemble the following: … |
SNOWFLAKE_IGNORE_WAREHOUSE_LIST | string | | No | Specifies a comma-separated list of warehouse names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all warehouses are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_WAREHOUSE_LIST. |
SNOWFLAKE_IGNORE_DATABASE_LIST | string | DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA | No | Specifies a comma-separated list of database names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all databases are subject to access control. For example: DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA (the default). This setting supersedes any values specified by SNOWFLAKE_MANAGE_DATABASE_LIST. |
SNOWFLAKE_IGNORE_SCHEMA_LIST | string | *.INFORMATION_SCHEMA | No | Specifies a comma-separated list of schema names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all schemas are subject to access control. For example: *.INFORMATION_SCHEMA (the default). This setting supersedes any values specified by SNOWFLAKE_MANAGE_SCHEMA_LIST. |
SNOWFLAKE_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all tables are subject to access control. Specify tables using the following format: … This setting supersedes any values specified by SNOWFLAKE_MANAGE_TABLE_LIST. |
SNOWFLAKE_IGNORE_STREAM_LIST | string | | No | Specifies a comma-separated list of stream names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all streams are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_STREAM_LIST. |
SNOWFLAKE_IGNORE_FUNCTION_LIST | string | | No | Specifies a comma-separated list of function names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all functions are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_FUNCTION_LIST. |
SNOWFLAKE_IGNORE_PROCEDURE_LIST | string | | No | Specifies a comma-separated list of procedure names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all procedures are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_PROCEDURE_LIST. |
SNOWFLAKE_IGNORE_SEQUENCE_LIST | string | | No | Specifies a comma-separated list of sequence names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all sequences are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_SEQUENCE_LIST. |
SNOWFLAKE_IGNORE_FILE_FORMAT_LIST | string | | No | Specifies a comma-separated list of file format names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all file formats are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_FILE_FORMAT_LIST. |
SNOWFLAKE_IGNORE_PIPE_LIST | string | | No | Specifies a comma-separated list of pipe names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all pipes are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_PIPE_LIST. |
SNOWFLAKE_IGNORE_EXTERNAL_STAGE_LIST | string | | No | Specifies a comma-separated list of external stage names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all external stages are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_EXTERNAL_STAGE_LIST. |
SNOWFLAKE_IGNORE_INTERNAL_STAGE_LIST | string | | No | Specifies a comma-separated list of internal stage names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all internal stages are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_INTERNAL_STAGE_LIST. |
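The manage/ignore rules above (unset manage list means everything is managed; an ignore list entry always wins) are easy to get wrong when both lists carry wildcards. The following Python is an added example, not PolicySync's code: it resolves a resource inventory against one MANAGE_*_LIST / IGNORE_*_LIST pair so you can check the effective scope before the connector starts issuing grants. Assumptions not stated on the page: entries are comma-separated, `*` is the wildcard with fnmatch semantics (so `*.INFORMATION_SCHEMA` also matches across dots), and resources are written as `db`, `db.schema` or `db.schema.table`; the sample schema names are constructed.

```python
from __future__ import annotations

import fnmatch
from typing import Iterable

# Added example, not PolicySync code. Models how a MANAGE_*_LIST / IGNORE_*_LIST
# pair selects resources. Assumptions: comma-separated entries, '*' wildcard with
# fnmatch semantics (matches across dots too), case-sensitive comparison as the page states.


def parse_list(value: str | None) -> list[str]:
    """Split a comma-separated property value; unset or empty means no entries."""
    if not value:
        return []
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def matches_any(name: str, patterns: Iterable[str]) -> bool:
    """Case-sensitive wildcard match; fnmatchcase never folds case, unlike fnmatch on some platforms."""
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)


def is_managed(resource: str, manage_list: str | None, ignore_list: str | None) -> bool:
    """Decide whether PolicySync would manage access control for one resource.

    Rules taken from the property descriptions:
      * an IGNORE list entry supersedes any MANAGE list entry;
      * an unset MANAGE list means every non-ignored resource is managed;
      * otherwise the resource must match a MANAGE list entry.
    """
    if matches_any(resource, parse_list(ignore_list)):
        return False
    managed = parse_list(manage_list)
    return not managed or matches_any(resource, managed)


def managed_subset(resources: Iterable[str], manage_list: str | None, ignore_list: str | None) -> list[str]:
    """Filter an inventory of resources down to those PolicySync would touch."""
    return [r for r in resources if is_managed(r, manage_list, ignore_list)]


# Constructed inventory of schemas (not real data), checked against the page's
# default SNOWFLAKE_IGNORE_SCHEMA_LIST value "*.INFORMATION_SCHEMA".
SAMPLE_SCHEMAS = [
    "SALES.PUBLIC",
    "SALES.INFORMATION_SCHEMA",
    "HR.PUBLIC",
    "sales.PUBLIC",  # different case, therefore a different resource
]

if __name__ == "__main__":
    print(managed_subset(SAMPLE_SCHEMAS, "SALES.*", "*.INFORMATION_SCHEMA"))
```

Run it against the output of a real inventory query (for example the list of schemas visible to SNOWFLAKE_ROLE_TO_USE) and compare the result with what you intended; a manage list that silently matches nothing because of a case mismatch is the typical finding.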
User, group, and role creation
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_CREATE_USER | boolean | true | No | Specifies whether PolicySync creates local users for each user in Privacera. |
SNOWFLAKE_CREATE_USER_ROLE | boolean | true | No | Specifies whether PolicySync creates local roles for each user in Privacera. |
SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL | boolean | false | No | Specifies whether PolicySync uses the user's email address as the login name when creating a new user in Snowflake. |
SNOWFLAKE_DEFAULT_USER_PASSWORD | string | | Yes | Specifies the password to use when PolicySync creates new users. |
SNOWFLAKE_ENTITY_ROLE_PREFIX | string | priv_ | No | |
SNOWFLAKE_USER_ROLE_PREFIX | string | | No | Specifies the prefix that PolicySync uses when creating local users. For example, if you have a user named … |
SNOWFLAKE_GROUP_ROLE_PREFIX | string | | No | Specifies the prefix that PolicySync uses when creating local roles for groups. For example, if you have a group named … |
SNOWFLAKE_ROLE_ROLE_PREFIX | string | | No | Specifies the prefix that PolicySync uses when creating roles from Privacera in the Snowflake data source. For example, if you have a role in Privacera named … |
SNOWFLAKE_MANAGE_ENTITIES | boolean | true | No | |
SNOWFLAKE_MANAGE_USERS | boolean | | No | Specifies whether PolicySync maintains user membership in roles in the Snowflake data source. |
SNOWFLAKE_MANAGE_GROUPS | boolean | | No | Specifies whether PolicySync creates groups from Privacera in the Snowflake data source. |
SNOWFLAKE_MANAGE_ROLES | boolean | | No | Specifies whether PolicySync creates roles from Privacera in the Snowflake data source. |
SNOWFLAKE_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, … An example user list might resemble the following: … |
SNOWFLAKE_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following: … If specified, … |
SNOWFLAKE_MANAGE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following: … If specified, … |
SNOWFLAKE_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all users are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_USER_LIST. |
SNOWFLAKE_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all groups are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_GROUP_LIST. |
SNOWFLAKE_IGNORE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all roles are subject to access control. This setting supersedes any values specified by SNOWFLAKE_MANAGE_ROLE_LIST. |
SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a user name; each matching character is replaced with the value of SNOWFLAKE_USER_NAME_REPLACE_TO_STRING. If not specified, no find-and-replace is performed. |
SNOWFLAKE_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX. If not specified, no find-and-replace is performed. |
SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name; each matching character is replaced with the value of SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING. If not specified, no find-and-replace is performed. |
SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX. If not specified, no find-and-replace is performed. |
SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a role name; each matching character is replaced with the value of SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING. If not specified, no find-and-replace is performed. |
SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX. If not specified, no find-and-replace is performed. |
SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts user names to lowercase when creating local users. If set to true, the original case is preserved. |
SNOWFLAKE_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to true, the original case is preserved. |
SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts role names to lowercase when creating local roles. If set to true, the original case is preserved. |
SNOWFLAKE_USER_NAME_CASE_CONVERSION | string | lower | No | Specifies how user name case conversion is performed. The following options are valid: … This setting applies only if SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY is false. |
SNOWFLAKE_GROUP_NAME_CASE_CONVERSION | string | lower | No | Specifies how group name case conversion is performed. The following options are valid: … This setting applies only if SNOWFLAKE_GROUP_NAME_PERSIST_CASE_SENSITIVITY is false. |
SNOWFLAKE_ROLE_NAME_CASE_CONVERSION | string | lower | No | Specifies how role name case conversion is performed. The following options are valid: … This setting applies only if SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY is false. |
SNOWFLAKE_USER_FILTER_WITH_EMAIL | boolean | false | No | Set this property to true to manage only users that have an email address associated with them in the portal. |
SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of the groups specified by SNOWFLAKE_MANAGE_GROUP_LIST. |
SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE | boolean | false | No | Specifies whether to manage only the users that are members of the roles specified by SNOWFLAKE_MANAGE_ROLE_LIST. |
SNOWFLAKE_USER_ROLE_USE_UPPERCASE | boolean | false | No | Specifies whether PolicySync converts a user role name to uppercase when performing operations. |
SNOWFLAKE_GROUP_ROLE_USE_UPPERCASE | boolean | false | No | Specifies whether PolicySync converts a group role name to uppercase when performing operations. |
SNOWFLAKE_ROLE_ROLE_USE_UPPERCASE | boolean | false | No | Specifies whether PolicySync converts a role name to uppercase when performing operations. |
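The replace-regex, case-conversion, prefix and uppercase properties above together decide which Snowflake identifier a Privacera principal ends up with, and the defaults are lossy: every special character becomes `_` and names are lowercased, so two distinct principals can map to the same role and therefore share grants. The following Python is an added example, not PolicySync's code; it applies those transformations and reports colliding principals. The regex and replacement string are the page's defaults, written once without the extra backslash doubling the YAML value carries. Only `lower` is confirmed on the page as a case-conversion option; `upper`, the order of the steps (replace, case-convert, prefix, uppercase) and the sample principal names are assumptions.

```python
import re

# Added example, not PolicySync code. Reproduces the SNOWFLAKE_*_NAME_* transformations
# so the Snowflake identifiers PolicySync would create can be predicted and checked for
# collisions. Regex/replacement are the page defaults; step order and the "upper" option
# are assumptions.

DEFAULT_REPLACE_FROM = re.compile(r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]")
DEFAULT_REPLACE_TO = "_"


def replace_unsafe_chars(name, pattern=DEFAULT_REPLACE_FROM, replacement=DEFAULT_REPLACE_TO):
    """Apply *_NAME_REPLACE_FROM_REGEX / *_NAME_REPLACE_TO_STRING to one principal name."""
    return pattern.sub(replacement, name)


def convert_case(name, persist_case_sensitivity=False, case_conversion="lower"):
    """*_NAME_PERSIST_CASE_SENSITIVITY=true keeps the name as-is; otherwise *_NAME_CASE_CONVERSION applies."""
    if persist_case_sensitivity:
        return name
    if case_conversion == "lower":
        return name.lower()
    if case_conversion == "upper":  # assumed option, not confirmed on the page
        return name.upper()
    raise ValueError(f"unsupported case conversion: {case_conversion!r}")


def derive_identifier(principal, prefix="", use_uppercase=False, **case_options):
    """Snowflake user/role name PolicySync would create for a Privacera principal.

    `prefix` stands for SNOWFLAKE_{USER,GROUP,ROLE}_ROLE_PREFIX and `use_uppercase`
    for SNOWFLAKE_{USER,GROUP,ROLE}_ROLE_USE_UPPERCASE.
    """
    sanitized = replace_unsafe_chars(principal)
    cased = convert_case(sanitized, **case_options)
    identifier = f"{prefix}{cased}"
    return identifier.upper() if use_uppercase else identifier


def find_collisions(principals, **options):
    """Return {identifier: [principals]} for every identifier produced by more than one principal.

    Distinct principals that collapse onto one identifier would share a single set of
    grants in Snowflake; run this over the real principal export before enabling the connector.
    """
    by_identifier = {}
    for principal in principals:
        by_identifier.setdefault(derive_identifier(principal, **options), []).append(principal)
    return {ident: names for ident, names in by_identifier.items() if len(names) > 1}


# Constructed principal names, not taken from any real directory.
SAMPLE_PRINCIPALS = ["john.doe@example.com", "john_doe_example_com", "John-Doe@Example.com", "alice"]

if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print(p, "->", derive_identifier(p, prefix="priv_"))
    print(find_collisions(SAMPLE_PRINCIPALS, prefix="priv_"))
```

Note that `_` is itself in the default character class, so an underscore in the source name is indistinguishable from a replaced character; that is why `john.doe@example.com` and `john_doe_example_com` collide even with case sensitivity preserved.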
Grant updates
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_GRANT_UPDATES | boolean | true | No | Specifies whether PolicySync performs grants and revokes for access control and runs the create, update, and delete queries for users, groups, and roles. The default value is true. |
 | string | | No | Specifies whether PolicySync applies the privileges described in Access Manager policies. |
SNOWFLAKE_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | integer | 2 | No | Specifies the maximum number of attempts that PolicySync makes to execute a grant query that did not succeed. The default value is 2. |
SNOWFLAKE_ENABLE_PRIVILEGES_BATCHING | boolean | false | No | Specifies whether PolicySync applies grants and revokes in batches. If enabled, this improves the overall performance of applying permission changes. |
Column level access control
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION | boolean | true | No | Specifies whether an access denied exception is raised when a user attempts to access a table column they do not have access to. If enabled, you must set … |
Native masking
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_ENABLE_MASKING | boolean | true | No | Specifies whether PolicySync creates native masking policies. |
SNOWFLAKE_MASKING_POLICY_DB_NAME | string | | No | Specifies the name of the database where PolicySync creates native masking policies. |
SNOWFLAKE_MASKING_POLICY_SCHEMA_NAME | string | PUBLIC | No | Specifies the name of the schema where PolicySync creates all native masking policies. If not specified, the resource schema is used as the masking policy schema. |
SNOWFLAKE_MASKING_POLICY_NAME_TEMPLATE | string | {database}{separator}{schema}{separator}{table} | No | Specifies a naming template that PolicySync uses when creating native masking policies. For example, given the following values: … With the default naming template, the following name is used when creating a native masking policy: … The {separator} placeholder is replaced with the value of SNOWFLAKE_POLICY_NAME_SEPARATOR (default _PRIV_). |
Native row filter
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_ENABLE_ROW_FILTER | boolean | true | No | Specifies whether to use the data source's native row filter functionality. When enabled, you can create row filters only on tables, not on views. |
SNOWFLAKE_ROW_FILTER_POLICY_DB_NAME | string | | No | Specifies the name of the database where PolicySync creates native row-filter policies. If not specified, the resource database is used as the row-filter policy database. |
SNOWFLAKE_ROW_FILTER_POLICY_SCHEMA_NAME | string | PUBLIC | No | Specifies the name of the schema where PolicySync creates all native row-filter policies. If not specified, the resource schema is used as the row-filter policy schema. |
SNOWFLAKE_ROW_FILTER_POLICY_NAME_TEMPLATE | string | {database}{separator}{schema}{separator}{table} | No | Specifies a template for the name that PolicySync uses when creating a row filter policy. For example, given a table … |
View based masking/row filter
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_ENABLE_VIEW_BASED_ROW_FILTER | boolean | false | No | Specifies whether to use secure-view-based row filtering. The default value is false. While Snowflake supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
SNOWFLAKE_ENABLE_VIEW_BASED_MASKING | boolean | false | No | Specifies whether to use secure-view-based masking. The default value is false. |
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_PREFIX | string | | No | Specifies a prefix string to apply to a secure view schema name. By default, the secure views created for view-based row filtering and masking use the same schema name as the table's schema. To change the secure view schema name prefix, specify a value for this setting. For example, if the prefix is … |
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_POSTFIX | string | | No | Specifies a postfix string to apply to a secure view schema name. By default, the secure views created for view-based row filtering and masking use the same schema name as the table's schema. To change the secure view schema name postfix, specify a value for this setting. For example, if the postfix is … |
SNOWFLAKE_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. By default, the secure views created for view-based row filtering and masking use the table name with the postfix below. To change the secure view name prefix, specify a value for this setting. For example, if the prefix is … |
SNOWFLAKE_SECURE_VIEW_NAME_POSTFIX | string | _SECURE | No | Specifies a postfix string for secure view names. By default, the secure views created for view-based row filtering and masking use the table name followed by this postfix. To change the secure view name postfix, specify a value for this setting. For example, with the default postfix _SECURE, the secure view for a table is named with the table name followed by _SECURE. |
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a schema name. For example, if a schema is named … You can specify a single suffix or a comma-separated list of suffixes. |
SNOWFLAKE_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name. For example, if the table is named … You can specify a single suffix or a comma-separated list of suffixes. |
SNOWFLAKE_SECURE_VIEW_CREATE_FOR_ALL | boolean | false | No | Specifies whether to create secure views for all tables and views that are created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
Masking/Row filter policy name separator
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_POLICY_NAME_SEPARATOR | string | _PRIV_ | No | Specifies a string to use as the separator in the names of native row filter and masking policies. |
SNOWFLAKE_ROW_FILTER_ALIAS_TOKEN | string | obj | No | Specifies the alias that PolicySync uses to refer to columns of the main table so that each can be parsed correctly in row filter expressions. |
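The policy name template, separator, secure view prefix/postfix and suffix-removal properties above determine which Snowflake objects PolicySync creates. The following Python is an added example, not PolicySync's code, that renders those names so they can be predicted (and the target database and schema pre-authorised) before the connector runs. Defaults are taken from the page: template `{database}{separator}{schema}{separator}{table}`, separator `_PRIV_`, secure view postfix `_SECURE`, policy schema `PUBLIC`, and the row-filter fallback to the resource database when no policy database is set. Assumptions: suffix removal happens before a prefix or postfix is added, only the first matching suffix is removed, the same database fallback applies to masking policies, and the sample object names are constructed.

```python
# Added example, not PolicySync code. Renders the names produced by the masking,
# row-filter and secure-view naming properties. Defaults are the page's; the order
# "remove suffix, then add prefix/postfix" and the masking-policy database fallback
# are assumptions.

DEFAULT_TEMPLATE = "{database}{separator}{schema}{separator}{table}"
DEFAULT_SEPARATOR = "_PRIV_"
SNOWFLAKE_MAX_IDENTIFIER_LEN = 255  # Snowflake's limit on identifier length


def policy_name(database, schema, table, template=DEFAULT_TEMPLATE, separator=DEFAULT_SEPARATOR):
    """Name of a native masking or row-filter policy from *_POLICY_NAME_TEMPLATE."""
    return template.format(database=database, schema=schema, table=table, separator=separator)


def qualified_policy_name(resource_db, resource_schema, table, policy_db="", policy_schema="PUBLIC", **kw):
    """Fully qualified policy name: *_POLICY_DB_NAME (falls back to the resource database) and *_POLICY_SCHEMA_NAME."""
    db = policy_db or resource_db
    return f"{db}.{policy_schema}.{policy_name(resource_db, resource_schema, table, **kw)}"


def strip_suffix(name, suffix_list=""):
    """Remove the first suffix from a comma-separated *_REMOVE_SUFFIX_LIST that the name ends with."""
    for suffix in (s.strip() for s in suffix_list.split(",") if s.strip()):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(schema, table, schema_prefix="", schema_postfix="", schema_remove_suffix_list="",
                     view_prefix="", view_postfix="_SECURE", view_remove_suffix_list=""):
    """(schema, view) names of the secure view that view-based masking or row filtering would create."""
    view_schema = f"{schema_prefix}{strip_suffix(schema, schema_remove_suffix_list)}{schema_postfix}"
    view = f"{view_prefix}{strip_suffix(table, view_remove_suffix_list)}{view_postfix}"
    return view_schema, view


def fits_snowflake(identifier):
    """Three long object names plus two separators can exceed Snowflake's identifier limit."""
    return 0 < len(identifier) <= SNOWFLAKE_MAX_IDENTIFIER_LEN


if __name__ == "__main__":
    # Constructed object names, not from any real account.
    print(qualified_policy_name("SALES", "PUBLIC", "CUSTOMERS", policy_db="PRIVACERA_POLICIES"))
    print(secure_view_name("PUBLIC_RAW", "CUSTOMERS_RAW", schema_postfix="_SEC",
                           schema_remove_suffix_list="_RAW", view_remove_suffix_list="_RAW,_STG"))
```

Because the secure view's schema can differ from the table's schema, the role in SNOWFLAKE_ROLE_TO_USE needs create privileges on the derived schema, not only on the source one; rendering the names first makes that requirement visible.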
Masked Value for Masking
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the default masking value for numeric column types. |
SNOWFLAKE_MASKED_DOUBLE_VALUE | integer | 0 | No | Specifies the default masking value for double column types. |
SNOWFLAKE_MASKED_TEXT_VALUE | string | <MASKED> | No | Specifies the default masking value for text and string column types. |
POLICYSYNC_V2_MASKED_DATE_VALUE | string | | No | Specifies the default masking value for date column types. |
PEG integration
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_PEG_FUNCTION_DB | string | | No | Specifies the name of the database where the PEG encryption functions reside. |
SNOWFLAKE_PEG_FUNCTION_SCHEMA | string | public | No | Specifies the schema where the PEG encryption functions reside. |
Load sql queries from system config json file
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_LOAD_RESOURCES_KEY | string | load_md_from_account_columns | No | Specifies how PolicySync loads resources from Snowflake. The following values are allowed: … |
Audit integration
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_AUDIT_ENABLE | boolean | true | Yes | Specifies whether Privacera fetches access audit data from the data source. |
SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE | boolean | true | No | Specifies whether to enable simple auditing. When enabled, PolicySync gathers the following audit information from the database: … If you enable this setting, do not enable SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE. |
SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE | boolean | false | No | Specifies whether to enable advanced auditing. When enabled, PolicySync gathers the following audit information from the database: … If you enable this setting, do not enable SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE. |
SNOWFLAKE_AUDIT_ENABLE_RESOURCE_FILTER | boolean | | No | Specifies whether PolicySync filters access audit information by managed resources, such as databases, schemas, and so forth. |
SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES | string | 30 | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Snowflake. |
SNOWFLAKE_AUDIT_SOURCE_ADVANCE_DB_NAME | string | PRIVACERA_ACCESS_LOGS_DB | No | Specifies the database that PolicySync retrieves access audits from. This setting applies only if SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE is set to true. |
Load intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
SNOWFLAKE_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds that PolicySync waits before checking for new resources or changes to existing resources. |
SNOWFLAKE_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval in seconds that PolicySync waits before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
SNOWFLAKE_PERMISSION_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds that PolicySync waits before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions in the data source accordingly. |
SNOWFLAKE_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval in seconds that elapses before PolicySync retrieves access audits and saves the data in Privacera. |
Miscellaneous
Microsoft SQL Connector
JDBC configuration properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_JDBC_URL |
string |
|
Yes | Specifies the JDBC URL for the Microsoft SQL Server connector. Use the following format for the JDBC string:
|
MSSQL_JDBC_USERNAME |
string |
|
Yes | Specifies the JDBC username to use. |
MSSQL_JDBC_PASSWORD |
string |
|
Yes | Specifies the JDBC password to use. |
MSSQL_MASTER_DB |
string |
master
|
Yes | Specifies the name of the JDBC master database that PolicySync establishes an initial connection to. |
MSSQL_AUTHENTICATION_TYPE |
string |
SqlPassword
|
Yes | Specifies the authentication type for the database engine. The following types are supported:
|
MSSQL_DEFAULT_USER_PASSWORD |
string |
|
Yes | Specifies the password to use when PolicySync creates new users. |
MSSQL_OWNER_ROLE |
string |
|
No | Specifies the role that owns the resources managed by PolicySync. You must ensure that this user exists as PolicySync does not create this user.
The following resource types are supported:
|
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_LOAD_RESOURCES_KEY | string | load_from_database_columns | No | Specifies how PolicySync loads resources from Microsoft SQL Server. The following values are allowed: |
MSSQL_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources. |
MSSQL_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
MSSQL_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly. |
MSSQL_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_MANAGE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following: If specified, |
MSSQL_MANAGE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a schema: If specified, If you specify a wildcard, such as in the following example, all schemas are managed: The specified value, if any, is interpreted in the following ways: |
MSSQL_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table: If specified, If you specify a wildcard, such as in the following example, all matched tables are managed: The specified value, if any, is interpreted in the following ways: |
MSSQL_IGNORE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all databases are subject to access control. For example: This setting supersedes any values specified by |
MSSQL_IGNORE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all schemas are subject to access control. For example: This setting supersedes any values specified by |
MSSQL_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all tables are subject to access control. Specify tables using the following format: This setting supersedes any values specified by |
Users/Groups/Roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
MSSQL_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
MSSQL_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
MSSQL_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
MSSQL_ROLE_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a role name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
MSSQL_ROLE_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
MSSQL_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts user names to lowercase when creating local users. If set to |
MSSQL_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to |
MSSQL_ROLE_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts role names to lowercase when creating local roles. If set to |
MSSQL_USER_NAME_CASE_CONVERSION | string | lower | No | Specifies how user name conversions are performed. The following options are valid: This setting applies only if |
MSSQL_GROUP_NAME_CASE_CONVERSION | string | lower | No | Specifies how group name conversions are performed. The following options are valid: This setting applies only if |
MSSQL_ROLE_NAME_CASE_CONVERSION | string | lower | No | Specifies how role name conversions are performed. The following options are valid: This setting applies only if |
MSSQL_USER_FILTER_WITH_EMAIL | string | | No | Set this property to true to manage only users that have an email address associated with them in the portal. |
MSSQL_MANAGE_USERS | boolean | false | No | Specifies whether PolicySync maintains user membership in roles in the Microsoft SQL Server data source. |
MSSQL_MANAGE_GROUPS | boolean | false | No | Specifies whether PolicySync creates groups from Privacera in the Microsoft SQL Server data source. |
MSSQL_MANAGE_ROLES | boolean | false | No | Specifies whether PolicySync creates roles from Privacera in the Microsoft SQL Server data source. |
MSSQL_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
MSSQL_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
MSSQL_MANAGE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following: If specified, |
MSSQL_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all users are subject to access control. This setting supersedes any values specified by |
MSSQL_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
MSSQL_IGNORE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all roles are subject to access control. This setting supersedes any values specified by |
MSSQL_USER_ROLE_PREFIX | string | priv_user_ | No | Specifies the prefix that PolicySync uses when creating local users. For example, if you have a user named |
MSSQL_GROUP_ROLE_PREFIX | string | priv_group_ | No | Specifies the prefix that PolicySync uses when creating local roles for groups. For example, if you have a group named |
MSSQL_ROLE_ROLE_PREFIX | string | priv_role_ | No | Specifies the prefix that PolicySync uses when creating roles from Privacera in the Microsoft SQL Server data source. For example, if you have a role in Privacera named |
MSSQL_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether PolicySync uses the Microsoft SQL Server native public group for access grants whenever a policy refers to a public group. The default value is false. |
MSSQL_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of groups specified by |
MSSQL_MANAGE_USER_FILTERBY_ROLE | boolean | false | No | Specifies whether to manage only users that are members of the roles specified by |
Native Row filter
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_ENABLE_ROW_FILTER | boolean | true | No | Specifies whether to use the data source native row filter functionality. When enabled, you can create row filters only on tables, not on views. |
MSSQL_ENABLE_VIEW_BASED_MASKING | boolean | true | No | Specifies whether to use secure view based masking. The default value is |
MSSQL_ENABLE_VIEW_BASED_ROW_FILTER | boolean | false | No | Specifies whether to use secure view based row filtering. The default value is While Microsoft SQL Server supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
MSSQL_SECURE_VIEW_CREATE_FOR_ALL | boolean | false | No | Specifies whether to create secure views for all tables and views that are created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
MSSQL_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the default masking value for numeric column types. |
MSSQL_MASKED_TEXT_VALUE | string | `<MASKED>` | No | Specifies the default masking value for text and string column types. |
MSSQL_MASKED_DATE_VALUE | string | null | No | Specifies the default masking value for date column types. |
MSSQL_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. Secure views created for view-based row filtering and masking are named after the source table; specify a value here to prepend a prefix to that name. For example, if the prefix is |
MSSQL_SECURE_VIEW_NAME_POSTFIX | string | _secure | No | Specifies a postfix string for secure view names. Secure views created for view-based row filtering and masking are named after the source table with this postfix appended. For example, if the postfix is |
MSSQL_SECURE_VIEW_SCHEMA_NAME_PREFIX | string | | No | Specifies a prefix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix, specify a value for this setting. For example, if the prefix is |
MSSQL_SECURE_VIEW_SCHEMA_NAME_POSTFIX | string | | No | Specifies a postfix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name postfix, specify a value for this setting. For example, if the postfix is |
MSSQL_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name when naming its secure view. For example, if the table is named You can specify a single suffix or a comma-separated list of suffixes. |
MSSQL_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a schema name when naming the secure view schema. For example, if a schema is named You can specify a single suffix or a comma-separated list of suffixes. |
MSSQL_GRANT_UPDATES | boolean | true | Yes | Specifies whether PolicySync performs grants and revokes for access control and runs the create, update, and delete queries for users, groups, and roles. The default value is |
MSSQL_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | integer | 2 | No | Specifies the maximum number of attempts that PolicySync makes to execute a grant query if it is unable to do so successfully. The default value is |
MSSQL_ENABLE_DATA_ADMIN | boolean | true | No | Enables the data admin feature. With this feature enabled you create all policies on native tables/views, and the corresponding grants are made on the secure views of those native tables/views; the secure views carry the row filter and masking capability. If you need to grant permission on the native table/view itself, select the permission you want plus data admin in the policy; those permissions are then granted on both the native table/view and its secure view. |
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
MSSQL_AUDIT_ENABLE | boolean | false | Yes | Specifies whether Privacera fetches access audit data from the data source. If specified, you must specify a value for the |
MSSQL_AUDIT_STORAGE_URL | string | | No | Specifies the URL for the audit logs provided by the Azure SQL Auditing service. For example: |
MSSQL_AUDIT_INITIAL_PULL_MINUTES | integer | 30 | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Microsoft SQL Server. |
MSSQL_AUDIT_LOAD_KEY | string | load | No | Specifies the method that PolicySync uses to load access audit information. The following values are valid: |
MSSQL_USER_LOAD_KEY | string | load | No | Specifies how PolicySync loads users from Microsoft SQL Server. The following values are valid: |
MSSQL_EXTERNAL_USER_AS_INTERNAL | boolean | false | No | Specifies whether PolicySync creates local users for external users. |
MSSQL_MANAGE_GROUP_POLICY_ONLY | boolean | false | No | Specifies whether access policies apply only to groups. If enabled, any policies that apply to users or roles are ignored. |
PostgreSQL Connector
JDBC configuration
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_JDBC_URL | string | | Yes | Specifies the JDBC URL for the PostgreSQL connector. Use the following format for the JDBC string: |
POSTGRES_JDBC_USERNAME | string | | Yes | Specifies the JDBC username to use. |
POSTGRES_JDBC_PASSWORD | string | | Yes | Specifies the JDBC password to use. |
POSTGRES_JDBC_DB | string | privacera_db | Yes | Specifies the name of the JDBC database to use. |
POSTGRES_DEFAULT_USER_PASSWORD | string | | Yes | Specifies the password to use when PolicySync creates new users. |
POSTGRES_OWNER_ROLE | string | | No | Specifies the role that owns the resources managed by PolicySync. You must ensure that this role exists, because PolicySync does not create it. The following resource types are supported: |
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_LOAD_RESOURCES_KEY | string | load_from_database_columns | No | Specifies how PolicySync loads resources from PostgreSQL. The following values are allowed: |
POSTGRES_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources. |
POSTGRES_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
POSTGRES_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly. |
POSTGRES_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_MANAGE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following: If specified, |
POSTGRES_MANAGE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a schema: If specified, If you specify a wildcard, such as in the following example, all schemas are managed: The specified value, if any, is interpreted in the following ways: |
POSTGRES_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table: If specified, If you specify a wildcard, such as in the following example, all matched tables are managed: The specified value, if any, is interpreted in the following ways: |
POSTGRES_IGNORE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all databases are subject to access control. For example: This setting supersedes any values specified by |
POSTGRES_IGNORE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all schemas are subject to access control. For example: This setting supersedes any values specified by |
POSTGRES_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all tables are subject to access control. Specify tables using the following format: This setting supersedes any values specified by |
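The manage and ignore lists above (for both the Microsoft SQL Server and PostgreSQL connectors) interact in a way that is easy to get wrong: an ignore list always wins over a manage list, an empty manage list means "everything", and names are matched case-sensitively with wildcards. The following is an added example that models those rules so you can check, before a sync runs, which resources a given configuration would leave without PolicySync-managed access control. It is not PolicySync code. It assumes glob-style wildcards and that schemas are written as `database.schema` and tables as `database.schema.table` (the page's own format examples did not survive extraction); the sample settings and inventory are constructed.

```python
"""Resource scoping model for the *_MANAGE_{DATABASE,SCHEMA,TABLE}_LIST and
*_IGNORE_{DATABASE,SCHEMA,TABLE}_LIST settings. Added illustration, not
PolicySync code. Assumed: glob wildcards, "database.schema" and
"database.schema.table" formats, case-sensitive matching.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


def parse_list(value: str) -> list:
    """Split a comma-separated setting; an empty or unset value yields []."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


@dataclass
class ResourceScope:
    manage_databases: list = field(default_factory=list)
    manage_schemas: list = field(default_factory=list)
    manage_tables: list = field(default_factory=list)
    ignore_databases: list = field(default_factory=list)
    ignore_schemas: list = field(default_factory=list)
    ignore_tables: list = field(default_factory=list)

    @classmethod
    def from_settings(cls, settings: dict, connector: str) -> "ResourceScope":
        """Read keys such as MSSQL_MANAGE_DATABASE_LIST or POSTGRES_IGNORE_TABLE_LIST."""
        def get(action: str, kind: str) -> list:
            return parse_list(settings.get(f"{connector}_{action}_{kind}_LIST", ""))
        return cls(
            manage_databases=get("MANAGE", "DATABASE"),
            manage_schemas=get("MANAGE", "SCHEMA"),
            manage_tables=get("MANAGE", "TABLE"),
            ignore_databases=get("IGNORE", "DATABASE"),
            ignore_schemas=get("IGNORE", "SCHEMA"),
            ignore_tables=get("IGNORE", "TABLE"),
        )


def _matches(name: str, patterns: list) -> bool:
    # fnmatchcase: glob wildcards, never case-folded (names are case-sensitive).
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)


def _in_scope(name: str, manage: list, ignore: list) -> bool:
    # The ignore list supersedes the manage list; an empty manage list means "all".
    if _matches(name, ignore):
        return False
    return not manage or _matches(name, manage)


def is_managed(scope: ResourceScope, database: str,
               schema: Optional[str] = None, table: Optional[str] = None) -> bool:
    """True if the scope would manage access control for the resource.
    Each level must pass before the next, more specific level is checked."""
    if not _in_scope(database, scope.manage_databases, scope.ignore_databases):
        return False
    if schema is None:
        return True
    qualified_schema = f"{database}.{schema}"
    if not _in_scope(qualified_schema, scope.manage_schemas, scope.ignore_schemas):
        return False
    if table is None:
        return True
    qualified_table = f"{qualified_schema}.{table}"
    return _in_scope(qualified_table, scope.manage_tables, scope.ignore_tables)


def unmanaged(scope: ResourceScope, inventory: list) -> list:
    """Tables from the inventory that the scope leaves without managed access
    control. Review this list before enabling a connector: anything on it keeps
    whatever native grants it already has."""
    return [f"{d}.{s}.{t}" for d, s, t in inventory if not is_managed(scope, d, s, t)]


# Constructed sample settings, using the documented key names.
SAMPLE_SETTINGS = {
    "MSSQL_MANAGE_DATABASE_LIST": "sales, hr",
    "MSSQL_MANAGE_SCHEMA_LIST": "sales.*, hr.public",
    "MSSQL_IGNORE_SCHEMA_LIST": "*.staging",
    "MSSQL_IGNORE_TABLE_LIST": "sales.public.*_tmp",
}

# Constructed sample inventory as (database, schema, table).
SAMPLE_INVENTORY = [
    ("sales", "public", "orders"),
    ("sales", "staging", "orders"),       # schema ignored
    ("sales", "public", "orders_tmp"),    # table ignored
    ("hr", "public", "employees"),
    ("hr", "finance", "payroll"),         # schema not in the manage list
    ("Sales", "public", "orders"),        # case differs from "sales"
    ("analytics", "public", "events"),    # database not in the manage list
]

if __name__ == "__main__":
    scope = ResourceScope.from_settings(SAMPLE_SETTINGS, "MSSQL")
    for name in unmanaged(scope, SAMPLE_INVENTORY):
        print("not managed:", name)
```

Run it against an export of your real inventory; the `Sales` entry in the sample is the case that bites most often, since the lists are case-sensitive while many SQL Server installations are not.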
Users/Groups/Roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
POSTGRES_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
POSTGRES_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a role name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
POSTGRES_ROLE_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts user names to lowercase when creating local users. If set to |
POSTGRES_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to |
POSTGRES_ROLE_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts role names to lowercase when creating local roles. If set to |
POSTGRES_USER_NAME_CASE_CONVERSION | string | lower | No | Specifies how user name conversions are performed. The following options are valid: This setting applies only if |
POSTGRES_GROUP_NAME_CASE_CONVERSION | string | lower | No | Specifies how group name conversions are performed. The following options are valid: This setting applies only if |
POSTGRES_ROLE_NAME_CASE_CONVERSION | string | lower | No | Specifies how role name conversions are performed. The following options are valid: This setting applies only if |
POSTGRES_CREATE_USER | boolean | true | No | Specifies whether PolicySync creates local users for each user in Privacera. |
POSTGRES_CREATE_USER_ROLE | boolean | true | No | Specifies whether PolicySync creates local roles for each user in Privacera. |
POSTGRES_MANAGE_USERS | boolean | true | No | Specifies whether PolicySync maintains user membership in roles in the PostgreSQL data source. |
POSTGRES_MANAGE_GROUPS | boolean | true | No | Specifies whether PolicySync creates groups from Privacera in the PostgreSQL data source. |
POSTGRES_MANAGE_ROLES | boolean | true | No | Specifies whether PolicySync creates roles from Privacera in the PostgreSQL data source. |
POSTGRES_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
POSTGRES_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
POSTGRES_MANAGE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following: If specified, |
POSTGRES_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all users are subject to access control. This setting supersedes any values specified by |
POSTGRES_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
POSTGRES_IGNORE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names that PolicySync does not provide access control for. You can specify wildcards. If not specified, all roles are subject to access control. This setting supersedes any values specified by |
POSTGRES_USER_ROLE_PREFIX | string | priv_user_ | No | Specifies the prefix that PolicySync uses when creating local users. For example, if you have a user named |
POSTGRES_GROUP_ROLE_PREFIX | string | priv_group_ | No | Specifies the prefix that PolicySync uses when creating local roles for groups. For example, if you have a group named |
POSTGRES_ROLE_ROLE_PREFIX | string | priv_role_ | No | Specifies the prefix that PolicySync uses when creating roles from Privacera in the PostgreSQL data source. For example, if you have a role in Privacera named |
POSTGRES_USE_NATIVE_PUBLIC_GROUP | boolean | true | No | Specifies whether PolicySync uses the PostgreSQL native public group for access grants whenever a policy refers to a public group. The default value is true. |
POSTGRES_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of groups specified by |
POSTGRES_MANAGE_USER_FILTERBY_ROLE | boolean | false | No | Specifies whether to manage only users that are members of the roles specified by |
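The name-mapping settings in the Microsoft SQL Server and PostgreSQL tables above (REPLACE_FROM_REGEX, REPLACE_TO_STRING, PERSIST_CASE_SENSITIVITY, CASE_CONVERSION and the ROLE_PREFIX values) together decide which local principal a Privacera user, group or role becomes. Because every punctuation character collapses to a single replacement string and case is folded by default, two distinct directory principals can land on the same local name and therefore share one set of grants. The following added example (not PolicySync code) applies the documented defaults and reports such collisions. It assumes the order replace, then case-fold, then prefix; the single-escaped pattern is the assumed effective form of the doubled-backslash value shown in the table; the sample principals are constructed.

```python
"""Local principal naming under the *_NAME_REPLACE_FROM_REGEX,
*_NAME_REPLACE_TO_STRING, *_NAME_PERSIST_CASE_SENSITIVITY,
*_NAME_CASE_CONVERSION and *_ROLE_PREFIX settings.
Added illustration, not PolicySync code.
"""
import re
from collections import defaultdict

# The documented default regex. The page shows it with doubled backslashes
# (configuration-file escaping); this single-escaped form is the assumed
# effective character class. Note that whitespace is not part of it.
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-/\\{}]"

# Documented default prefixes per principal kind.
DEFAULT_PREFIXES = {"user": "priv_user_", "group": "priv_group_", "role": "priv_role_"}


def normalize_principal(name: str, kind: str, *,
                        replace_from: str = DEFAULT_REPLACE_FROM_REGEX,
                        replace_to: str = "_",
                        persist_case: bool = False,
                        case_conversion: str = "lower",
                        prefixes: dict = DEFAULT_PREFIXES) -> str:
    """Return the local name these settings would produce for one principal.

    Assumed order: character replacement, then case handling (skipped when the
    PERSIST_CASE_SENSITIVITY flag is set), then the kind-specific prefix.
    """
    if replace_from:
        name = re.sub(replace_from, replace_to, name)
    if not persist_case:
        if case_conversion == "lower":  # the documented default
            name = name.lower()
        else:
            raise ValueError(f"unsupported case conversion: {case_conversion}")
    return prefixes[kind] + name


def find_collisions(names, kind: str, **options) -> dict:
    """Map each local name that more than one source principal would produce
    to the sorted list of those principals. A non-empty result means two
    identities would share one local user or role, and hence its grants."""
    by_local = defaultdict(set)
    for original in names:
        by_local[normalize_principal(original, kind, **options)].add(original)
    return {local: sorted(sources)
            for local, sources in by_local.items() if len(sources) > 1}


# Constructed sample principals.
SAMPLE_USERS = ["alice@example.com", "Alice@example.com", "bob.smith", "bob-smith", "carol"]

if __name__ == "__main__":
    print(normalize_principal("Alice.O'Brien@example.com", "user"))
    print(find_collisions(SAMPLE_USERS, "user"))
    print(find_collisions(SAMPLE_USERS, "user", persist_case=True))
```

Setting `persist_case=True` (the PERSIST_CASE_SENSITIVITY flag) removes the `Alice`/`alice` collision but not the `bob.smith`/`bob-smith` one, which only a different replacement regex or cleaner source data can fix. A space survives the default regex untouched, so a group such as `Data Engineers` becomes `priv_group_data engineers`, a name that has to be quoted in every SQL statement that refers to it.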
Access control management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_POLICY_NAME_SEPARATOR | string | _priv_ | No | Specifies a string to use as part of the name of native row filter and masking policies. |
POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE | string | {database}{separator}{schema}{separator}{table} | No | Specifies a template for the name that PolicySync uses when creating a row filter policy. For example, given a table |
POSTGRES_ENABLE_ROW_FILTER | boolean | false | No | Specifies whether to use the data source native row filter functionality. This setting is disabled by default. When enabled, you can create row filters only on tables, not on views. |
POSTGRES_ENABLE_VIEW_BASED_MASKING | boolean | true | No | Specifies whether to use secure view based masking. The default value is Because PolicySync does not support native masking for PostgreSQL, enabling this setting is recommended. |
POSTGRES_ENABLE_VIEW_BASED_ROW_FILTER | boolean | true | No | Specifies whether to use secure view based row filtering. The default value is While PostgreSQL supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
POSTGRES_SECURE_VIEW_CREATE_FOR_ALL | boolean | true | No | Specifies whether to create secure views for all tables and views that are created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
POSTGRES_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the default masking value for numeric column types. |
POSTGRES_MASKED_TEXT_VALUE | string | `<MASKED>` | No | Specifies the default masking value for text and string column types. |
POSTGRES_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. Secure views created for view-based row filtering and masking are named after the source table; specify a value here to prepend a prefix to that name. For example, if the prefix is |
POSTGRES_SECURE_VIEW_NAME_POSTFIX | string | _secure | No | Specifies a postfix string for secure view names. Secure views created for view-based row filtering and masking are named after the source table with this postfix appended. For example, if the postfix is |
POSTGRES_SECURE_VIEW_SCHEMA_NAME_PREFIX | string | | No | Specifies a prefix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix, specify a value for this setting. For example, if the prefix is |
POSTGRES_SECURE_VIEW_SCHEMA_NAME_POSTFIX | string | | No | Specifies a postfix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name postfix, specify a value for this setting. For example, if the postfix is |
POSTGRES_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name when naming its secure view. For example, if the table is named You can specify a single suffix or a comma-separated list of suffixes. |
POSTGRES_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a schema name when naming the secure view schema. For example, if a schema is named You can specify a single suffix or a comma-separated list of suffixes. |
POSTGRES_GRANT_UPDATES | boolean | true | No | Specifies whether PolicySync performs grants and revokes for access control and runs the create, update, and delete queries for users, groups, and roles. The default value is |
POSTGRES_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | integer | 2 | No | Specifies the maximum number of attempts that PolicySync makes to execute a grant query if it is unable to do so successfully. The default value is |
POSTGRES_ENABLE_DATA_ADMIN | boolean | true | No | Enables the data admin feature. With this feature enabled you create all policies on native tables/views, and the corresponding grants are made on the secure views of those native tables/views; the secure views carry the row filter and masking capability. If you need to grant permission on the native table/view itself, select the permission you want plus data admin in the policy; those permissions are then granted on both the native table/view and its secure view. |
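The secure view naming settings (NAME_PREFIX/POSTFIX, SCHEMA_NAME_PREFIX/POSTFIX and the two REMOVE_SUFFIX_LIST settings, in both the Microsoft SQL Server and PostgreSQL tables above) and the data admin feature decide which object a policy's grants actually land on. Suffix removal in particular can make two native objects produce the same secure view name, in which case one object's filter and masking policy silently governs the other. The following added example (not PolicySync code) derives secure view names from those settings, flags such collisions, and shows where a policy's permissions go when data admin is enabled. It assumes suffix removal happens before the prefix and postfix are applied, and uses the label `data admin` for the policy permission the table describes; the sample objects are constructed.

```python
"""Secure view naming (*_SECURE_VIEW_NAME_PREFIX/POSTFIX,
*_SECURE_VIEW_SCHEMA_NAME_PREFIX/POSTFIX, *_SECURE_VIEW_*_REMOVE_SUFFIX_LIST)
and the grant targets implied by *_ENABLE_DATA_ADMIN.
Added illustration, not PolicySync code.
"""
from collections import defaultdict
from dataclasses import dataclass

DATA_ADMIN = "data admin"  # assumed label for the policy's data admin permission


@dataclass(frozen=True)
class SecureViewNaming:
    view_prefix: str = ""
    view_postfix: str = "_secure"  # documented default
    schema_prefix: str = ""
    schema_postfix: str = ""
    view_remove_suffixes: tuple = ()
    schema_remove_suffixes: tuple = ()


def _strip_suffix(name: str, suffixes: tuple) -> str:
    # Remove the first listed suffix that matches; assumed to run before
    # the prefix and postfix are applied.
    for suffix in suffixes:
        if suffix and name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(schema: str, table: str, naming: SecureViewNaming) -> tuple:
    """Return (secure_schema, secure_view) for a native table or view."""
    schema_part = _strip_suffix(schema, naming.schema_remove_suffixes)
    view_part = _strip_suffix(table, naming.view_remove_suffixes)
    return (f"{naming.schema_prefix}{schema_part}{naming.schema_postfix}",
            f"{naming.view_prefix}{view_part}{naming.view_postfix}")


def secure_view_collisions(objects, naming: SecureViewNaming) -> dict:
    """Native objects whose secure views would share one name.
    Example: with "_raw" in the remove list, orders_raw and orders both
    map to orders_secure."""
    by_secure = defaultdict(list)
    for schema, table in objects:
        by_secure[secure_view_name(schema, table, naming)].append((schema, table))
    return {name: sources for name, sources in by_secure.items() if len(sources) > 1}


def grant_targets(schema: str, table: str, permissions, naming: SecureViewNaming) -> dict:
    """Where a policy's permissions land with data admin enabled: always on the
    secure view, and on the native object as well only when the policy also
    carries the data admin permission."""
    effective = frozenset(p for p in permissions if p != DATA_ADMIN)
    targets = {secure_view_name(schema, table, naming): effective}
    if DATA_ADMIN in permissions:
        targets[(schema, table)] = effective
    return targets


# Constructed sample native objects as (schema, table).
SAMPLE_OBJECTS = [("sales", "orders"), ("sales", "orders_raw"), ("sales", "customers")]

if __name__ == "__main__":
    naming = SecureViewNaming(view_remove_suffixes=("_raw",))
    print(secure_view_collisions(SAMPLE_OBJECTS, naming))
    print(grant_targets("sales", "orders", {"select", DATA_ADMIN}, naming))
```

Run `secure_view_collisions` over the object list of every managed database whenever a REMOVE_SUFFIX_LIST value is changed; a non-empty result is a misconfiguration to fix before the next permission sync, not a warning to tolerate.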
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_AUDIT_ENABLE | boolean | false | Yes | Specifies whether Privacera fetches access audit data from the data source. |
POSTGRES_AUDIT_EXCLUDED_USERS | string | POSTGRES_JDBC_USERNAME | No | Specifies a comma-separated list of users to exclude when fetching access audits. Defaults to the value of POSTGRES_JDBC_USERNAME, so PolicySync's own activity is not reported as user access. For example: |
POSTGRES_AUDIT_SOURCE | string | sqs | No | Specifies the source for audit information. The following values are supported: The default value is: |
AWS SQS Postgres audit properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_AWS_ACCESS_KEY | string | | No | Specifies the Amazon Web Services (AWS) access key that PolicySync uses to authenticate the SQS client that retrieves access audit information. Specify this only if the deployment machine lacks an IAM role with the necessary permissions; a role is preferable to a static key stored in configuration. |
POSTGRES_AWS_SECRET_KEY | string | | No | Specifies the Amazon Web Services (AWS) secret key that pairs with POSTGRES_AWS_ACCESS_KEY. Specify this only if the deployment machine lacks an IAM role with the necessary permissions. |
POSTGRES_AWS_REGION | string | POSTGRES_AUDIT_SQS_QUEUE_REGION | No | Specifies the Amazon Web Services (AWS) SQS queue region. Defaults to the value of POSTGRES_AUDIT_SQS_QUEUE_REGION. |
POSTGRES_AUDIT_SQS_QUEUE_REGION | string | us-east-1 | No | Specifies the Amazon Web Services (AWS) SQS queue region. |
POSTGRES_AWS_SQS_QUEUE_ENDPOINT | string | | No | Specifies the SQS endpoint URL on Amazon Web Services (AWS). You must specify this value if you use a private VPC in your AWS account that is not reachable from the Internet. |
POSTGRES_AWS_SQS_QUEUE_NAME | string | POSTGRES_AUDIT_SQS_QUEUE_NAME | No | Specifies the Amazon Web Services (AWS) SQS queue name that PolicySync uses to retrieve access audit information. Defaults to the value of POSTGRES_AUDIT_SQS_QUEUE_NAME. |
POSTGRES_AWS_SQS_QUEUE_MAX_POLL_MESSAGES | integer | 100 | No | Specifies the number of messages to retrieve from the SQS queue at one time for audit information. |
GCP PostgreSQL audit properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
POSTGRES_GCP_AUDIT_SOURCE_INSTANCE_ID | string | | No | Specifies the Google Cloud Platform SQL instance ID for the PostgreSQL server. PolicySync uses this instance ID when retrieving access audit information. The instance ID must be provided in the following format: |
POSTGRES_OAUTH_PRIVATE_KEY_FILE_NAME | string | policysync-postgres-gcp-audit-service-account.json | No | Specifies the name of the JSON file that contains your service account credentials. This setting applies only to PostgreSQL on Google Cloud Platform. |
Redshift Connector
JDBC configuration
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_JDBC_URL | string | | Yes | Specifies the JDBC URL for the Amazon Redshift connector. |
REDSHIFT_JDBC_USERNAME | string | | Yes | Specifies the JDBC username to use. For PolicySync to push policies to Amazon Redshift, this user must have superuser privileges. |
REDSHIFT_JDBC_PASSWORD | string | | Yes | Specifies the JDBC password to use. |
REDSHIFT_JDBC_DB | string | | Yes | Specifies the name of the JDBC database to use. PolicySync also uses the connection to this database to load metadata and to create principals such as users and groups. |
REDSHIFT_DEFAULT_USER_PASSWORD | string | | Yes | Specifies the password to use when PolicySync creates new users. The password must meet the following requirements: |
REDSHIFT_OWNER_ROLE | string | | No | Specifies the role that owns the resources managed by PolicySync. You must ensure that this role exists, because PolicySync does not create it. The following resource types are supported: |
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_LOAD_RESOURCES_KEY | string | load_from_database_columns | No | Specifies how PolicySync loads resources from Amazon Redshift. The following values are allowed: |
REDSHIFT_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources. |
REDSHIFT_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
REDSHIFT_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly. |
REDSHIFT_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_MANAGE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following: If specified, |
REDSHIFT_MANAGE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a schema: If specified, If you specify a wildcard, such as in the following example, all schemas are managed: The specified value, if any, is interpreted in the following ways: |
REDSHIFT_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table: If specified, If you specify a wildcard, such as in the following example, all matched tables are managed: The specified value, if any, is interpreted in the following ways: |
REDSHIFT_IGNORE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all databases are subject to access control. For example: This setting supersedes any values specified by |
REDSHIFT_IGNORE_SCHEMA_LIST | string | | No | Specifies a comma-separated list of schema names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all schemas are subject to access control. For example: This setting supersedes any values specified by |
REDSHIFT_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all tables are subject to access control. Specify tables using the following format: This setting supersedes any values specified by |
Users/Groups/Roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a role name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_ROLE_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether Amazon Redshift supports case sensitivity for users. Because case sensitivity in Amazon Redshift is global, enabling this enables case sensitivity for users, groups, roles, and resources. |
REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether Amazon Redshift supports case sensitivity for groups. Because case sensitivity in Amazon Redshift is global, enabling this enables case sensitivity for users, groups, roles, and resources. |
REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether Amazon Redshift supports case sensitivity for roles. Because case sensitivity in Amazon Redshift is global, enabling this enables case sensitivity for users, groups, roles, and resources. |
REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER | boolean | false | No | Specifies whether Amazon Redshift preserves case for user, group, role, and resource names. By default, Amazon Redshift converts all user, group, role, and resource names to lowercase. If set to |
REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER_QUERY | string | SET enable_case_sensitive_identifier=true; | No | Specifies a query for Amazon Redshift that enables case sensitivity per connection. If you enable |
REDSHIFT_USER_NAME_CASE_CONVERSION | string | lower | No | Specifies how user name case conversion is performed. The following options are valid: This setting applies only if |
REDSHIFT_GROUP_NAME_CASE_CONVERSION | string | lower | No | Specifies how group name case conversion is performed. The following options are valid: This setting applies only if |
REDSHIFT_ROLE_NAME_CASE_CONVERSION | string | lower | No | Specifies how role name case conversion is performed. The following options are valid: This setting applies only if |
REDSHIFT_CREATE_USER | boolean | true | No | Specifies whether PolicySync creates a local user for each user in Privacera. |
REDSHIFT_CREATE_USER_ROLE | boolean | true | No | Specifies whether PolicySync creates a local role for each user in Privacera. |
REDSHIFT_MANAGE_USERS | boolean | true | No | Specifies whether PolicySync maintains user membership in roles in the Amazon Redshift data source. |
REDSHIFT_MANAGE_GROUPS | boolean | true | No | Specifies whether PolicySync creates groups from Privacera in the Amazon Redshift data source. |
REDSHIFT_MANAGE_ROLES | boolean | true | No | Specifies whether PolicySync creates roles from Privacera in the Amazon Redshift data source. |
REDSHIFT_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
REDSHIFT_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
REDSHIFT_MANAGE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following: If specified, |
REDSHIFT_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all users are subject to access control. This setting supersedes any values specified by |
REDSHIFT_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
REDSHIFT_IGNORE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all roles are subject to access control. This setting supersedes any values specified by |
REDSHIFT_USER_ROLE_PREFIX | string | priv_user_ | No | Specifies the prefix that PolicySync uses when creating local users. For example, if you have a user named |
REDSHIFT_GROUP_ROLE_PREFIX | string | priv_group_ | No | Specifies the prefix that PolicySync uses when creating local roles. For example, if you have a group named |
REDSHIFT_ROLE_ROLE_PREFIX | string | priv_role_ | No | Specifies the prefix that PolicySync uses when creating roles from Privacera in the Amazon Redshift data source. For example, if you have a role in Privacera named |
REDSHIFT_USE_NATIVE_PUBLIC_GROUP | boolean | true | No | Specifies whether PolicySync uses the Amazon Redshift native public group for access grants whenever a policy refers to a public group. The default value is true. |
REDSHIFT_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of the groups specified by |
REDSHIFT_MANAGE_USER_FILTERBY_ROLE | boolean | false | No | Specifies whether to manage only the users that are members of the roles specified by |
Access control management
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_ENABLE_VIEW_BASED_MASKING | boolean | true | No | Specifies whether to use secure-view-based masking. The default value is |
REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER | boolean | true | No | Specifies whether to use secure-view-based row filtering. The default value is While Amazon Redshift supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL | boolean | true | No | Specifies whether to create secure views for all tables and views that are created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
REDSHIFT_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the default masking value for numeric column types. |
REDSHIFT_MASKED_TEXT_VALUE | string | <MASKED> | No | Specifies the default masking value for text and string column types. |
REDSHIFT_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. By default, view-based row filter and masking-related secure views are named after the table they are created for. To change the secure view name prefix, specify a value for this setting. For example, if the prefix is |
REDSHIFT_SECURE_VIEW_NAME_POSTFIX | string | _secure | No | Specifies a postfix string for secure view names. By default, view-based row filter and masking-related secure views are named after the table they are created for, with this postfix appended. To change the secure view name postfix, specify a value for this setting. For example, if the postfix is |
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX | string | | No | Specifies a prefix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. To change the secure view schema name prefix, specify a value for this setting. For example, if the prefix is |
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX | string | | No | Specifies a postfix string to apply to a secure view schema name. By default, view-based row filter and masking-related secure views have the same schema name as the table schema name. To change the secure view schema name postfix, specify a value for this setting. For example, if the postfix is |
REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name when deriving the secure view name. For example, if the table is named You can specify a single suffix or a comma-separated list of suffixes. |
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a schema name when deriving the secure view schema name. For example, if a schema is named You can specify a single suffix or a comma-separated list of suffixes. |
REDSHIFT_GRANT_UPDATES | boolean | false | No | Specifies whether PolicySync performs grants and revokes for access control and runs the create, update, and delete queries for users, groups, and roles. The default value is |
REDSHIFT_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | integer | 2 | No | Specifies the maximum number of attempts that PolicySync makes to execute a grant query if it does not succeed on the first attempt. The default value is |
REDSHIFT_ENABLE_DATA_ADMIN | boolean | true | No | Enables the data admin feature. With this feature enabled, you create all policies on native tables/views, and the corresponding grants are made on the secure views of those native tables/views; the secure views provide row filtering and masking. If you need to grant permission on the native tables/views themselves, select the permission you want plus data admin in the policy. Those permissions are then granted on both the native table/view and its secure view. |
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
REDSHIFT_AUDIT_ENABLE | boolean | false | No | Specifies whether Privacera fetches access audit data from the data source. |
REDSHIFT_AUDIT_EXCLUDED_USERS | string | REDSHIFT_JDBC_USERNAME | No | Specifies a comma-separated list of users to exclude when fetching access audits. For example: |
REDSHIFT_AUDIT_INITIAL_PULL_MINUTES | integer | 30 | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Amazon Redshift. |
Databricks SQL
JDBC configuration properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_JDBC_URL | string | | Yes | Specifies the JDBC URL for the Databricks SQL connector. Use the following format for the JDBC URL: The workspace URL and the database name are derived from your Databricks SQL configuration. |
DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME | string | | Yes | Specifies the JDBC username to use. |
DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD | string | | Yes | Specifies the access token of the SQL endpoint to use. |
DATABRICKS_SQL_ANALYTICS_JDBC_DB | string | | Yes | Specifies the name of the JDBC database to use. |
DATABRICKS_SQL_ANALYTICS_OWNER_ROLE | string | | No | Specifies the role that owns the resources managed by PolicySync. You must ensure that this role exists, because PolicySync does not create it. The following resource types are supported: |
DATABRICKS_SQL_ANALYTICS_HOST_URL | string | | Yes | Specifies the base URL for the Databricks SQL instance. |
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_LOAD_RESOURCES_KEY | string | load_like | No | Specifies how PolicySync loads resources from Databricks SQL. The following values are allowed: |
DATABRICKS_SQL_ANALYTICS_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval in seconds for PolicySync to wait before checking for new resources or changes to existing resources. |
DATABRICKS_SQL_ANALYTICS_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval in seconds for PolicySync to wait before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
DATABRICKS_SQL_ANALYTICS_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval in seconds for PolicySync to wait before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions on the data source accordingly. |
DATABRICKS_SQL_ANALYTICS_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval in seconds to elapse before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync manages access control. If unset, access control is managed for all databases. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of databases might resemble the following: If specified, |
DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. Use the following format when specifying a table: If specified, If you specify a wildcard, such as in the following example, all matched tables are managed: The specified value, if any, is interpreted in the following ways: |
DATABRICKS_SQL_ANALYTICS_IGNORE_DATABASE_LIST | string | | No | Specifies a comma-separated list of database names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all databases are subject to access control. For example: This setting supersedes any values specified by |
DATABRICKS_SQL_ANALYTICS_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all tables are subject to access control. Specify tables using the following format: This setting supersedes any values specified by |
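The manage and ignore lists above, and their REDSHIFT_* counterparts earlier on this page, decide which resources PolicySync enforces on at all, so a mistaken pattern does not fail loudly; it silently leaves tables without managed grants. The following Python is an added example, not PolicySync code or Privacera documentation. It encodes the rules the page states (an unset manage list means everything is managed, ignore lists supersede manage lists, names are case-sensitive, wildcards are allowed) and assumes what the page elides: dotted fully qualified names (database.schema.table for Redshift, database.table for Databricks SQL) and `*` as the wildcard. The configuration and table inventory are constructed for the example.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


def _patterns(spec: str) -> List[str]:
    """Split a comma-separated property value into patterns, dropping blanks."""
    return [p.strip() for p in spec.split(",") if p.strip()]


def _matches(name: str, spec: str) -> bool:
    # fnmatchcase keeps matching case-sensitive on every platform, as the page requires.
    return any(fnmatchcase(name, p) for p in _patterns(spec))


def in_scope(name: str, manage_list: str, ignore_list: str) -> bool:
    """One level of scoping: an ignore match always wins; an empty manage list means all."""
    if _matches(name, ignore_list):
        return False
    return manage_list.strip() == "" or _matches(name, manage_list)


def table_is_managed(levels: List[str], cfg: Dict[str, str], prefix: str = "REDSHIFT") -> bool:
    """levels is [database, schema, table] (Redshift) or [database, table] (Databricks SQL).

    Assumption: a table is managed only when every enclosing level is in scope, and each
    level is matched against its own dotted fully qualified name (database, database.schema,
    database.schema.table).
    """
    level_names = ["DATABASE", "SCHEMA", "TABLE"] if len(levels) == 3 else ["DATABASE", "TABLE"]
    for depth, level in enumerate(level_names, start=1):
        qualified = ".".join(levels[:depth])
        manage = cfg.get(f"{prefix}_MANAGE_{level}_LIST", "")
        ignore = cfg.get(f"{prefix}_IGNORE_{level}_LIST", "")
        if not in_scope(qualified, manage, ignore):
            return False
    return True


def unmanaged_tables(inventory: List[Tuple[str, ...]], cfg: Dict[str, str],
                     prefix: str = "REDSHIFT") -> List[str]:
    """Pre-deployment check: every inventory table the configuration would leave without
    PolicySync-managed grants, so an overbroad ignore pattern is visible before rollout."""
    return [".".join(t) for t in inventory if not table_is_managed(list(t), cfg, prefix)]


if __name__ == "__main__":
    # Constructed configuration and inventory, not taken from any real deployment.
    cfg = {
        "REDSHIFT_MANAGE_DATABASE_LIST": "sales,analytics",
        "REDSHIFT_IGNORE_SCHEMA_LIST": "*.pg_*,*.scratch",
        "REDSHIFT_IGNORE_TABLE_LIST": "sales.public.*_tmp",
    }
    inventory = [
        ("sales", "public", "customers"),
        ("sales", "public", "orders_tmp"),
        ("analytics", "scratch", "experiments"),
        ("analytics", "pg_catalog", "pg_class"),
        ("hr", "public", "employees"),
    ]
    print("left unmanaged:", unmanaged_tables(inventory, cfg))
```

Run `unmanaged_tables` against a current inventory whenever a manage or ignore list changes and review the result: every entry is a resource on which Ranger policies will not be applied.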
Users/Groups/Roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a user name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a role name and replaces each matching character with the value specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING | string | _ | No | Specifies a string to replace the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts user names to lowercase when creating local users. If set to |
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to |
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts role names to lowercase when creating local roles. If set to |
DATABRICKS_SQL_ANALYTICS_USER_NAME_CASE_CONVERSION | string | lower | No | Specifies how user name case conversion is performed. The following options are valid: This setting applies only if |
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_CASE_CONVERSION | string | lower | No | Specifies how group name case conversion is performed. The following options are valid: This setting applies only if |
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_CASE_CONVERSION | string | lower | No | Specifies how role name case conversion is performed. The following options are valid: This setting applies only if |
DATABRICKS_SQL_ANALYTICS_CREATE_USER | boolean | true | No | Specifies whether PolicySync creates a local user for each user in Privacera. |
DATABRICKS_SQL_ANALYTICS_MANAGE_USERS | boolean | true | No | Specifies whether PolicySync maintains user membership in roles in the Databricks SQL data source. |
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS | boolean | true | No | Specifies whether PolicySync creates groups from Privacera in the Databricks SQL data source. |
DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES | boolean | true | No | Specifies whether PolicySync creates roles from Privacera in the Databricks SQL data source. |
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. You can use wildcards. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync manages access control. If unset, access control is managed for all roles. If specified, use the following format. You can use wildcards. Names are case-sensitive. An example list of roles might resemble the following: If specified, |
DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all users are subject to access control. This setting supersedes any values specified by |
DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST | string | | No | Specifies a comma-separated list of role names for which PolicySync does not provide access control. You can specify wildcards. If not specified, all roles are subject to access control. This setting supersedes any values specified by |
DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX | string | priv_group_ | No | Specifies the prefix that PolicySync uses when creating local roles. For example, if you have a group named |
DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX | string | priv_role_ | No | Specifies the prefix that PolicySync uses when creating roles from Privacera in the Databricks SQL data source. For example, if you have a role in Privacera named |
DATABRICKS_SQL_ANALYTICS_USE_NATIVE_PUBLIC_GROUP | boolean | true | No | Specifies whether PolicySync uses the Databricks SQL native public group for access grants whenever a policy refers to a public group. The default value is true. |
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of the groups specified by |
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE | boolean | false | No | Specifies whether to manage only the users that are members of the roles specified by |
DATABRICKS_SQL_ANALYTICS_USER_USE_EMAIL_AS_SERVICE_NAME | boolean | true | No | Specifies whether PolicySync maps the username to the user's email address when granting or revoking access. |
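The name-replacement regex, case conversion and prefix properties above (and their REDSHIFT_* counterparts earlier on this page) together determine the name of the principal PolicySync creates in the data source. Because the replacement is many-to-one, two distinct Privacera principals can end up as the same local principal, and a grant meant for one then applies to the other. The following Python is an added example, not PolicySync code or Privacera documentation, that models the derivation and checks a list of principals for such collisions. Assumptions, because the page elides them: the regex is shown in the tables in YAML-escaped form and is used here with that escaping undone; the case-conversion options are taken to be lower, upper and none; case conversion is taken to be skipped when the matching *_PERSIST_CASE_SENSITIVITY property is true; and the order regex replacement, then case conversion, then prefix is assumed. The sample principals are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Default *_NAME_REPLACE_FROM_REGEX from the tables, with the YAML double escaping undone
# (assumption: the page shows the YAML-quoted form). Inside the character class, \[ \] \- \/
# and \\ are literal characters.
NAME_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"
NAME_REPLACE_TO_STRING = "_"

# Default prefixes documented for Redshift; Databricks SQL documents priv_group_ and priv_role_.
ROLE_PREFIX = {"user": "priv_user_", "group": "priv_group_", "role": "priv_role_"}


def convert_case(name: str, mode: str) -> str:
    """*_NAME_CASE_CONVERSION. The page elides the option list; lower/upper/none is an assumption."""
    if mode == "lower":
        return name.lower()
    if mode == "upper":
        return name.upper()
    if mode == "none":
        return name
    raise ValueError(f"unknown case conversion: {mode}")


def local_principal_name(source_name: str, kind: str = "user", *,
                         from_regex: str = NAME_REPLACE_FROM_REGEX,
                         to_string: str = NAME_REPLACE_TO_STRING,
                         persist_case: bool = False,
                         case_conversion: str = "lower",
                         prefix: Optional[str] = None) -> str:
    """Derive the name PolicySync would create in the data source for a Privacera principal.

    Assumed order: regex replacement, then case conversion (only when case is not
    persisted), then the per-kind prefix. An empty from_regex disables the replacement,
    matching the tables' "If not specified, no find and replace operation is performed".
    """
    name = re.sub(from_regex, to_string, source_name) if from_regex else source_name
    if not persist_case:
        name = convert_case(name, case_conversion)
    return (ROLE_PREFIX[kind] if prefix is None else prefix) + name


def find_collisions(source_names: Iterable[str], kind: str = "user", **options) -> Dict[str, List[str]]:
    """Group source principals by the local name they map to. A bucket holding more than
    one source principal is a collision: grants for any of them land on the same local
    principal, so they all receive each other's access."""
    buckets: Dict[str, set] = defaultdict(set)
    for name in source_names:
        buckets[local_principal_name(name, kind, **options)].add(name)
    return {local: sorted(src) for local, src in buckets.items() if len(src) > 1}


if __name__ == "__main__":
    # Constructed sample principals, not from any real deployment.
    users = ["john.doe@example.com", "Jane-Smith", "jane.smith", "jane_smith", "bob"]
    for u in users:
        print(f"{u:24} -> {local_principal_name(u)}")
    print("collisions:", find_collisions(users))
```

With the defaults, `john.doe@example.com` becomes `priv_user_john_doe_example_com`, and `Jane-Smith`, `jane.smith` and `jane_smith` all collapse to `priv_user_jane_smith`. Running `find_collisions` over the principals PolicySync will manage, before enabling grant updates, shows whether the replacement and case settings need tightening (for example, enabling the persist-case properties) to keep principals distinct.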
Access control management
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING | boolean | true | No | Specifies whether to use secure-view-based masking. The default value is |
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER | boolean | true | No | Specifies whether to use secure-view-based row filtering. The default value is While Databricks SQL supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL | boolean | true | No | Specifies whether to create secure views for all tables and views that are created by users. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the default masking value for numeric column types. |
DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE | string | <MASKED> | No | Specifies the default masking value for text and string column types. |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. By default, view-based row filter and masking-related secure views are named after the table they are created for. To change the secure view name prefix, specify a value for this setting. For example, if the prefix is |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX | string | | No | Specifies a postfix string for secure view names. By default, view-based row filter and masking-related secure views are named after the table they are created for. To change the secure view name postfix, specify a value for this setting. For example, if the postfix is |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX | string | | No | Specifies a prefix string to apply to the secure view database name. By default, view-based row filter and masking-related secure views are created in a database with the same name as the table's database. For example, if the prefix is |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX | string | _secure | No | Specifies a postfix string to apply to the secure view database name. By default, view-based row filter and masking-related secure views are created in a database named after the table's database with this postfix appended. For example, if the postfix is |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name when deriving the secure view name. For example, if the table is named You can specify a single suffix or a comma-separated list of suffixes. |
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a database name when deriving the secure view database name. For example, if the database is named You can specify a single suffix or a comma-separated list of suffixes. |
DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES | boolean | true | Yes | Specifies whether PolicySync performs grants and revokes for access control and runs the create, update, and delete queries for users, groups, and roles. The default value is |
DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN | boolean | true | No | Enables the data admin feature. With this feature enabled, you create all policies on native tables/views, and the corresponding grants are made on the secure views of those native tables/views; the secure views provide row filtering and masking. If you need to grant permission on the native tables/views themselves, select the permission you want plus data admin in the policy. Those permissions are then granted on both the native table/view and its secure view. |
DATABRICKS_SQL_ANALYTICS_USE_HIVE_ACCESS_POLICIES | boolean | false | No | Uncomment and set this property to true to use the |
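The secure view naming properties above, and their REDSHIFT_SECURE_VIEW_* counterparts earlier on this page, are applied in combination: a suffix is removed, then a prefix and postfix are added, for both the view name and the schema (or, for Databricks SQL, database) name. The following Python is an added example, not PolicySync code or Privacera documentation, that models that derivation using the REDSHIFT_SECURE_VIEW_* property names and the defaults from the Redshift table; the Databricks SQL properties have the same shape with DATABASE in place of SCHEMA and, per the table above, the `_secure` default on the database postfix rather than on the view name postfix. The ordering (remove the suffix first, then apply prefix and postfix) is an assumption, since the page's own examples are elided, and the table inventory is constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Defaults from the Redshift access control table on this page.
REDSHIFT_DEFAULTS = {
    "REDSHIFT_SECURE_VIEW_NAME_PREFIX": "",
    "REDSHIFT_SECURE_VIEW_NAME_POSTFIX": "_secure",
    "REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX": "",
    "REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX": "",
    "REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST": "",
    "REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST": "",
}


def strip_suffix(name: str, suffix_list: str) -> str:
    """Remove the first listed suffix the name ends with (comma-separated list, blanks ignored)."""
    for suffix in (s.strip() for s in suffix_list.split(",") if s.strip()):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(schema: str, table: str, cfg: Dict[str, str]) -> str:
    """Assumed order: strip suffix, then prefix + base + postfix, for the schema and the view name.
    Keys missing from cfg take the documented Redshift defaults."""
    c = {**REDSHIFT_DEFAULTS, **cfg}
    view_schema = (c["REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX"]
                   + strip_suffix(schema, c["REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST"])
                   + c["REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX"])
    view = (c["REDSHIFT_SECURE_VIEW_NAME_PREFIX"]
            + strip_suffix(table, c["REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST"])
            + c["REDSHIFT_SECURE_VIEW_NAME_POSTFIX"])
    return f"{view_schema}.{view}"


def find_view_collisions(tables: Iterable[Tuple[str, str]], cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Check a naming configuration against an inventory before enabling it.

    Two native tables that map to the same secure view name, or a secure view name that
    equals an existing native table, means one object would shadow or replace another and
    users could be granted the wrong data. Sources are tagged native: or view-of: so the
    report shows where each name comes from.
    """
    buckets: Dict[str, set] = defaultdict(set)
    for schema, table in tables:
        native = f"{schema}.{table}"
        buckets[native].add(f"native:{native}")
        buckets[secure_view_name(schema, table, cfg)].add(f"view-of:{native}")
    return {name: sorted(src) for name, src in buckets.items() if len(src) > 1}


if __name__ == "__main__":
    # Constructed inventory, not from any real deployment.
    inventory = [("sales", "orders"), ("sales", "orders_raw"), ("sales", "orders_secure")]
    print(secure_view_name("sales", "orders", {}))
    print(find_view_collisions(inventory, {"REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST": "_raw"}))
```

With the defaults, `sales.orders` gets the secure view `sales.orders_secure`. Once a remove-suffix list is in play (`_raw` here), `sales.orders_raw` produces the same secure view name as `sales.orders`, and a native table that already carries the `_secure` postfix occupies the name the view would take; `find_view_collisions` reports all three under one key.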
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
DATABRICKS_SQL_ANALYTICS_AUDIT_ENABLE | boolean | true | Yes | Specifies whether Privacera fetches access audit data from the data source. |
DATABRICKS_SQL_ANALYTICS_AUDIT_INITIAL_PULL_MINUTES | integer | 30 | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Databricks SQL. |
DATABRICKS_SQL_ANALYTICS_AUDIT_EXCLUDED_USERS | string | {{DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME}} | No | Specifies a comma-separated list of users to exclude when fetching access audits. For example: |
Google BigQuery Connector
JDBC configuration properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_PROJECT_LOCATION | string | us | Yes | Specifies the geographical region in which the taxonomy for PolicySync is created. |
BIGQUERY_PROJECT_ID | string | | Yes | Specifies the Google project ID where your Google BigQuery data source resides. For example: |
BIGQUERY_JDBC_URL | string | jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443 | No | Specifies the JDBC URL for the Google BigQuery connector. |
BIGQUERY_USE_VM_CREDENTIALS | boolean | false | No | Specifies whether PolicySync uses the service account attached to your virtual machine as the credentials to connect to the data source. When set to |
BIGQUERY_OAUTH_SERVICE_ACCOUNT_EMAIL | string | | Yes | Specifies the service account email address that PolicySync uses. You must specify this value if you are not using a service account attached to a Google Cloud Platform (GCP) virtual machine. |
BIGQUERY_OAUTH_PRIVATE_KEY_PATH | string | /workdir/policysync/cust_conf/policysync-gbq-service-account.json | Yes | Specifies the path of the service account credentials JSON file that you downloaded from your Google Cloud Platform (GCP) account. You must specify this property if |
BIGQUERY_OAUTH_PRIVATE_KEY_FILE_NAME | string | | Yes | Specifies the name of the JSON file that contains your Google Cloud Platform service account credentials. If specified, this value is combined with |
Custom IAM roles
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_CREATE_CUSTOM_IAM_ROLES | boolean | true | No | Specifies whether PolicySync automatically creates custom IAM roles in your Google Cloud Platform project or organization for fine-grained access control (FGAC). If set to |
BIGQUERY_CUSTOM_IAM_ROLES_SCOPE | string | project | No | Specifies whether PolicySync creates and uses custom IAM roles at the project or organization level in Google Cloud Platform (GCP). The following values are allowed: |
BIGQUERY_ORGANIZATION_ID | string | | No | Specifies the Google Cloud Platform (GCP) organization ID. Specify this only if you configured PolicySync to use custom IAM roles at the organization level. |
BIGQUERY_CUSTOM_IAM_ROLES_NAME_MAPPING | string | | No | Specifies a list of mappings between the PolicySync custom IAM role names and your own custom role names. Use the following format when specifying your custom role names: The following is the list of default custom role names: |
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_LOAD_RESOURCES_KEY | string | load_from_dataset_columns | No | Specifies how PolicySync loads resources from Google BigQuery. The following values are allowed: |
BIGQUERY_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval, in seconds, that PolicySync waits before checking for new resources or changes to existing resources. |
BIGQUERY_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval, in seconds, that PolicySync waits before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
BIGQUERY_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval, in seconds, that PolicySync waits before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions in the data source accordingly. |
BIGQUERY_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval, in seconds, that elapses before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_MANAGE_PROJECT_LIST | string | | Yes | Specifies a comma-separated list of project names for which PolicySync manages access control. If unset, PolicySync manages all projects. If specified, use the following format; wildcards are allowed. The list of projects to ignore takes precedence over any projects specified by this setting. An example list of projects might resemble the following: |
BIGQUERY_MANAGE_DATASET_LIST | string | | Yes | Specifies a comma-separated list of datasets for which PolicySync manages access control. Wildcards are allowed in the value. To manage all datasets, do not set a value. For example: You can configure the postfix by specifying If specified, the |
BIGQUERY_MANAGE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync manages access control. Wildcards are allowed. Use the following format when specifying a table: If specified, If you specify a wildcard, as in the following example, all matched tables are managed: The specified value, if any, is interpreted in the following ways: |
BIGQUERY_IGNORE_PROJECT_LIST | string | | No | Specifies a comma-separated list of project names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all projects are subject to access control. For example: This setting supersedes any values specified by |
BIGQUERY_IGNORE_DATASET_LIST | string | | No | Specifies a comma-separated list of dataset names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all datasets are subject to access control. For example: This setting supersedes any values specified by |
BIGQUERY_IGNORE_TABLE_LIST | string | | No | Specifies a comma-separated list of table names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all tables are subject to access control. Specify tables using the following format: This setting supersedes any values specified by |
Users, groups, and roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username; each matching character is replaced with the value specified by the If not specified, no find and replace operation is performed. |
BIGQUERY_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
BIGQUERY_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name; each matching character is replaced with the value specified by the If not specified, no find and replace operation is performed. |
BIGQUERY_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
BIGQUERY_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. Wildcards are allowed. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
BIGQUERY_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format; wildcards are allowed. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
BIGQUERY_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all users are subject to access control. This setting supersedes any values specified by |
BIGQUERY_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME | string | | Yes | Specifies the native group that PolicySync uses for access grants whenever a policy refers to the public group. Set it to the value you prefer. The following values are allowed: |
BIGQUERY_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of the groups specified by |
Access control management
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_COLUMN_ACCESS_CONTROL_TYPE | string | view | No | Specifies how PolicySync manages column-level access control. The following values are allowed: |
BIGQUERY_POLICY_NAME_SEPARATOR | string | _ | No | Specifies a string to use as part of the name of native row filter and masking policies. |
BIGQUERY_ROW_FILTER_POLICY_NAME_TEMPLATE | string | row_filter_item_ | No | Specifies a template for the name that PolicySync uses when creating a row filter policy. For example, given a table |
BIGQUERY_ENABLE_ROW_FILTER | boolean | false | No | Specifies whether to use the data source's native row filter functionality. This setting is disabled by default. When enabled, you can create row filters only on tables, not on views. |
BIGQUERY_ENABLE_VIEW_BASED_MASKING | boolean | true | No | Specifies whether to use secure view based masking. The default value is |
BIGQUERY_ENABLE_VIEW_BASED_ROW_FILTER | boolean | true | No | Specifies whether to use secure view based row filtering. The default value is While Google BigQuery supports native filtering, PolicySync provides additional functionality that is not available natively. Enabling this setting is recommended. |
BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL | boolean | true | No | Specifies whether to create secure views for all tables and views that users create. If enabled, PolicySync creates secure views for resources regardless of whether masking or filtering policies are enabled. |
Masking and secure view management
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_MASKING_FUNCTIONS_DATASET | string | privacera_dataset | No | Specifies the name of the dataset in which PolicySync creates custom masking functions. |
BIGQUERY_MASKED_NUMBER_VALUE | integer | 0 | No | Specifies the masking value used for numeric data types. |
BIGQUERY_MASKED_TEXT_VALUE | string | <MASKED> | No | Specifies the masking value used for text or string data types. |
BIGQUERY_SECURE_VIEW_NAME_PREFIX | string | | No | Specifies a prefix string for secure view names. By default, a view-based row filter or masking secure view has the same name as the table or view it is created for. To change the prefix of the secure view name, specify a value for this setting. For example, if the prefix is |
BIGQUERY_SECURE_VIEW_NAME_POSTFIX | string | | No | Specifies a postfix string for secure view names. By default, a view-based row filter or masking secure view has the same name as the table or view it is created for. To change the postfix of the secure view name, specify a value for this setting. For example, if the postfix is |
BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX | string | | No | Specifies a prefix string for the secure view dataset name. By default, view-based row filter and masking secure views use the same dataset name as the table's dataset. To change the prefix of the secure view dataset name, specify a value for this setting. For example, if the prefix is |
BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX | string | _secure | No | Specifies a postfix string for the secure view dataset name. By default, view-based row filter and masking secure views use the same dataset name as the table's dataset. To change the postfix of the secure view dataset name, specify a value for this setting. For example, if the postfix is |
BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a table or view name. For example, if the table is named You can specify a single suffix or a comma-separated list of suffixes. |
BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST | string | | No | Specifies a suffix to remove from a secure view dataset name. For example, if the dataset is named You can specify a single suffix or a comma-separated list of suffixes, such as |
BIGQUERY_AUTHORIZED_VIEW_ACL_UPDATER_INTERVAL | integer | 10 | No | Specifies the interval at which the authorized view ACL updater thread applies any pending permission updates to the dataset. |
BIGQUERY_GRANT_UPDATES | boolean | true | Yes | Specifies whether PolicySync performs grants and revokes for access control and creates, updates, and deletes queries for users, groups, and roles. The default value is |
BIGQUERY_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | integer | 2 | No | Specifies the maximum number of attempts that PolicySync makes to execute a grant query that did not succeed. The default value is |
BIGQUERY_GRANT_UPDATES_BATCH | boolean | true | No | Specifies whether PolicySync applies grants and revokes in batches. Enabling this improves the overall performance of applying permission changes. |
BIGQUERY_ENABLE_DATA_ADMIN | boolean | true | No | Enables the data admin feature. When enabled, you create all policies on native tables and views, and PolicySync applies the corresponding grants to the secure views of those tables and views; the secure views carry row filter and masking capability. To grant permissions on the native table or view itself, select the permissions you want plus data admin in the policy; those permissions are then granted on both the native table or view and its secure view. |
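The secure view naming properties above (prefix, postfix and remove-suffix lists for both the view name and its dataset name) are described one at a time, but in practice they compose into one fully-qualified name, and a wrong combination can make the secure view resolve to the very table it is meant to wrap. The following Python is an added example, not Privacera's code: it assumes that a matching suffix from a remove-suffix list is stripped before the prefix and postfix are applied (the page does not state the order), that a native table is addressed as `dataset.table`, and it adds a collision check that the table does not mention but that a practitioner wants before enabling view-based masking or row filtering.

```python
from dataclasses import dataclass


@dataclass
class SecureViewNaming:
    """Mirrors the BIGQUERY_SECURE_VIEW_* properties; field defaults are the table's defaults.
    Assumed semantics (not stated on the page): remove-suffix lists are applied first."""
    view_name_prefix: str = ""                 # BIGQUERY_SECURE_VIEW_NAME_PREFIX
    view_name_postfix: str = ""                # BIGQUERY_SECURE_VIEW_NAME_POSTFIX
    dataset_name_prefix: str = ""              # BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX
    dataset_name_postfix: str = "_secure"      # BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX
    view_name_remove_suffixes: str = ""        # BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST
    dataset_name_remove_suffixes: str = ""     # BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST


def parse_suffix_list(value: str) -> list[str]:
    """Comma-separated list as the table describes; blank entries are dropped."""
    return [s.strip() for s in value.split(",") if s.strip()]


def strip_suffix(name: str, suffixes: list[str]) -> str:
    """Remove the first configured suffix that matches, longest first so that
    '_raw_v2' wins over '_v2' when both are configured."""
    for suffix in sorted(suffixes, key=len, reverse=True):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(naming: SecureViewNaming, dataset: str, table: str) -> tuple[str, str]:
    """Return (secure_dataset, secure_view) for the native table `dataset.table`."""
    ds = strip_suffix(dataset, parse_suffix_list(naming.dataset_name_remove_suffixes))
    tb = strip_suffix(table, parse_suffix_list(naming.view_name_remove_suffixes))
    return (
        f"{naming.dataset_name_prefix}{ds}{naming.dataset_name_postfix}",
        f"{naming.view_name_prefix}{tb}{naming.view_name_postfix}",
    )


def check_no_collision(naming: SecureViewNaming, dataset: str, table: str) -> tuple[str, str]:
    """Added safety check: refuse a configuration whose secure view would carry the
    same fully-qualified name as the native table it is supposed to protect."""
    secure = secure_view_name(naming, dataset, table)
    if secure == (dataset, table):
        raise ValueError(
            f"secure view for {dataset}.{table} resolves to the same name; "
            "set a dataset or view prefix/postfix"
        )
    return secure


if __name__ == "__main__":
    # Constructed sample names, not resources from any real project.
    print(secure_view_name(SecureViewNaming(), "sales", "orders"))   # ('sales_secure', 'orders')
    custom = SecureViewNaming(dataset_name_postfix="", view_name_postfix="_sv",
                              dataset_name_remove_suffixes="_raw,_staging")
    print(secure_view_name(custom, "sales_raw", "orders"))            # ('sales', 'orders_sv')
    print(check_no_collision(SecureViewNaming(), "sales", "orders"))  # ('sales_secure', 'orders')
```

With the defaults, every secure view lands in a sibling dataset named `<dataset>_secure`, which is why clearing `BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX` without setting any other prefix or postfix is the configuration the collision check rejects.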
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
BIGQUERY_AUDIT_ENABLE | boolean | false | Yes | Specifies whether Privacera fetches access audit data from the data source. |
BIGQUERY_AUDIT_EXCLUDED_USERS | string | | No | Specifies a comma-separated list of users to exclude when fetching access audits. For example: |
BIGQUERY_AUDIT_PROJECT_ID | string | | No | Specifies the project ID in which Google BigQuery stores audit log data. |
BIGQUERY_AUDIT_DATASET_NAME | string | | No | Specifies the name of the dataset in which Google BigQuery logs audit data. Privacera uses this data for running audit queries. |
BIGQUERY_AUDIT_LOAD_MAX_INTERVAL_MINUTES | integer | 30 | No | Specifies the maximum interval, in minutes, that the queries retrieving access audit information cover per run. |
Power BI Connector
Connection configuration related properties
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_USERNAME | string | | Yes | Specifies the authentication username. If you do not specify this value, you must specify a secret for |
POWER_BI_PASSWORD | string | | Yes | Specifies the authentication password. If you do not specify this value, you must specify a secret for |
POWER_BI_TENANT_ID | string | | Yes | Specifies the tenant ID associated with your Microsoft Azure account. |
POWER_BI_CLIENT_ID | string | | Yes | Specifies the client (application) ID of the Azure service principal used for authentication. |
POWER_BI_CLIENT_SECRET | string | | Yes | Specifies a client secret for authentication. If you do not specify this value, you must specify both |
Load keys and intervals
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_RESOURCE_SYNC_INTERVAL | integer | 60 | No | Specifies the interval, in seconds, that PolicySync waits before checking for new resources or changes to existing resources. |
POWER_BI_PRINCIPAL_SYNC_INTERVAL | integer | 420 | No | Specifies the interval, in seconds, that PolicySync waits before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
POWER_BI_PERMISSION_SYNC_INTERVAL | integer | 540 | No | Specifies the interval, in seconds, that PolicySync waits before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions in the data source accordingly. |
POWER_BI_AUDIT_SYNC_INTERVAL | integer | 30 | No | Specifies the interval, in seconds, that elapses before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_MANAGE_WORKSPACE_LIST | string | | No | Specifies a comma-separated list of workspace names for which PolicySync manages access control. If unset, access control is managed for all workspaces. If specified, use the following format; wildcards are allowed. An example list of workspaces might resemble the following: If specified, |
POWER_BI_IGNORE_WORKSPACE_LIST | string | | No | Specifies a comma-separated list of workspace names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all workspaces are subject to access control. This setting supersedes any values specified by |
Users/Groups/Roles management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_USER_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a username; each matching character is replaced with the value specified by the If not specified, no find and replace operation is performed. |
POWER_BI_USER_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
POWER_BI_GROUP_NAME_REPLACE_FROM_REGEX | string | [~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | No | Specifies a regular expression to apply to a group name; each matching character is replaced with the value specified by the If not specified, no find and replace operation is performed. |
POWER_BI_GROUP_NAME_REPLACE_TO_STRING | string | _ | No | Specifies the string that replaces the characters matched by the regex specified by the If not specified, no find and replace operation is performed. |
POWER_BI_USER_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts user names to lowercase when creating local users. If set to |
POWER_BI_GROUP_NAME_PERSIST_CASE_SENSITIVITY | boolean | false | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. If set to |
POWER_BI_MANAGE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync manages access control. Wildcards are allowed. Names are case-sensitive. If not specified, PolicySync manages access control for all users. If specified, An example user list might resemble the following: |
POWER_BI_MANAGE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. If unset, access control is managed for all groups. If specified, use the following format; wildcards are allowed. Names are case-sensitive. An example list of groups might resemble the following: If specified, |
POWER_BI_IGNORE_USER_LIST | string | | No | Specifies a comma-separated list of user names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all users are subject to access control. This setting supersedes any values specified by |
POWER_BI_IGNORE_GROUP_LIST | string | | No | Specifies a comma-separated list of group names for which PolicySync does not provide access control. Wildcards are allowed. If not specified, all groups are subject to access control. This setting supersedes any values specified by |
POWER_BI_USER_FILTER_WITH_EMAIL | boolean | false | No | Set this property to true to manage only users that have an email address associated with them in the portal. |
POWER_BI_MANAGE_USER_FILTERBY_GROUP | boolean | false | No | Specifies whether to manage only the users that are members of the groups specified by |
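Two things in the users, groups, and roles tables above (both the Google BigQuery one and this Power BI one) deserve a worked check before they go live: the `*_NAME_REPLACE_FROM_REGEX` / `*_NAME_REPLACE_TO_STRING` rewrite, which collapses every punctuation character in a principal name to a single `_`, and the `*_MANAGE_*_LIST` / `*_IGNORE_*_LIST` pair, where the ignore list supersedes the manage list and matching is case-sensitive with wildcards. The rewrite has a consequence the tables do not spell out: two distinct identities in the data source (for example `john.doe@example.com` and `john_doe@example.com`) normalize to the same local principal and therefore share one set of grants. The following Python is an added example, not Privacera's code. It undoes the YAML/Java backslash doubling in the default regex so Python's `re` module sees the intended character class, applies the lowercase step that the `*_PERSIST_CASE_SENSITIVITY` properties control (default false, so names are lowercased), and treats wildcards as shell-style globs, which is an assumption. It keeps name normalization and list matching separate because the page does not say which one PolicySync applies first.

```python
import re
from fnmatch import fnmatchcase

# Default *_NAME_REPLACE_FROM_REGEX from the tables above, with the YAML/Java
# backslash doubling undone so that the re engine sees the intended class.
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"
DEFAULT_REPLACE_TO_STRING = "_"


def normalize_name(name: str, from_regex: str = DEFAULT_REPLACE_FROM_REGEX,
                   to_string: str = DEFAULT_REPLACE_TO_STRING,
                   persist_case: bool = False) -> str:
    """Apply *_NAME_REPLACE_FROM_REGEX / *_NAME_REPLACE_TO_STRING, then lowercase
    unless *_NAME_PERSIST_CASE_SENSITIVITY is true. An unset regex or replacement
    string means no find-and-replace, as the tables state."""
    out = re.sub(from_regex, to_string, name) if from_regex and to_string is not None else name
    return out if persist_case else out.lower()


def find_collisions(names, **kwargs) -> dict[str, list[str]]:
    """Group distinct source principals that normalize to the same local name.
    Any entry in the result means two identities in the data source would share
    one local principal, and therefore one set of grants."""
    buckets: dict[str, list[str]] = {}
    for name in names:
        buckets.setdefault(normalize_name(name, **kwargs), []).append(name)
    return {local: sources for local, sources in buckets.items() if len(sources) > 1}


def parse_list(value: str) -> list[str]:
    """Comma-separated list property; blank entries are dropped."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def is_managed(name: str, manage_list: str = "", ignore_list: str = "") -> bool:
    """Resolve a *_MANAGE_*_LIST / *_IGNORE_*_LIST pair for one name.
    Rules from the tables: the ignore list supersedes the manage list, an empty
    manage list means everything is managed, names are case-sensitive and
    wildcards are allowed (assumed here to be shell-style globs)."""
    if any(fnmatchcase(name, pattern) for pattern in parse_list(ignore_list)):
        return False
    manage = parse_list(manage_list)
    return not manage or any(fnmatchcase(name, pattern) for pattern in manage)


if __name__ == "__main__":
    # Constructed sample principals, not data from any real tenant.
    users = ["john.doe@example.com", "john_doe@example.com", "Jane.Roe@example.com"]
    print({u: normalize_name(u) for u in users})
    print(find_collisions(users))  # john.doe and john_doe merge into one local user
    print(is_managed("sales_analytics_prod", manage_list="sales_*", ignore_list="*_prod"))  # False
    print(is_managed("Finance", manage_list="finance"))  # False: matching is case-sensitive
```

Run `find_collisions` over the full list of principals exported from the data source before enabling grant updates; a non-empty result is a reason to narrow the regex (or switch on the persist-case property) rather than something to discover after two users have inherited each other's permissions.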
Access control management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_GRANT_UPDATES | boolean | true | No | Specifies whether PolicySync performs grants and revokes for access control and creates, updates, and deletes queries for users, groups, and roles. The default value is |
Access audits management
Name | Type | Default | Required | Description |
---|---|---|---|---|
POWER_BI_AUDIT_ENABLE | boolean | false | Yes | Specifies whether Privacera fetches access audit data from the data source. |
POWER_BI_AUDIT_INITIAL_PULL_MINUTES | integer | 30 | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Microsoft Power BI. |