Skip to content

PolicySync#

The following table contains the list of custom properties that can be configured for PolicySync connectors. To use a custom property from the table, just add it to the following YML file in the custom-vars folder configured as per your environment:

  • vars.policysync.snowflake.yml
  • vars.policysync.postgres.yml
  • vars.policysync.mssql.yml
  • vars.policysync.redshift.yml
  • vars.policysync.databricks.sql.analytics.yml
Property Description Values Values
POLICYSYNC_IMAGE_NAME
POLICYSYNC_IMAGE_TAG
POLICYSYNC_ENABLE true, false false

Common#

Property Description Values Default Value

POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY

Note: Use this property with the old PolicySync properties.

After loading user/group/roles from Ranger API's all are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

true, false

false

POLICYSYNC_V2_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY

Note: Use this property with the new PolicySync properties.

After loading user/group/roles from Ranger API's all are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

true, false

false

Memory Variables
POLICYSYNC_HEAP_MIN_MEMORY_MB Minimum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024"
POLICYSYNC_HEAP_MIN_MEMORY Minimum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MIN_MEMORY_MB. For example, POLICYSYNC_HEAP_MIN_MEMORY: "1g"
POLICYSYNC_HEAP_MAX_MEMORY_MB Maximum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MAX_MEMORY_MB: "1024"
POLICYSYNC_HEAP_MAX_MEMORY Maximum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MAX_MEMORY_MB. For example, POLICYSYNC_HEAP_MAX_MEMORY: "1g"
POLICYSYNC_K8S_MEM_REQUESTS_MB Minimum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_REQUESTS_MB: "1024"
POLICYSYNC_K8S_MEM_REQUESTS Minimum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_REQUESTS_MB. For example, POLICYSYNC_K8S_MEM_REQUESTS: "1G"
POLICYSYNC_K8S_MEM_LIMITS_MB Maximum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_LIMITS_MB: "1024"
POLICYSYNC_K8S_MEM_LIMITS Maximum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_LIMITS_MB. For example, POLICYSYNC_K8S_MEM_LIMITS: "1G"
POLICYSYNC_CPU_MIN Minimum amount of Kubernetes CPU to be requested by PolicySync. For example, POLICYSYNC_CPU_MIN: "0.5"
POLICYSYNC_CPU_MAX Maximum amount of Kubernetes CPU to be used by PolicySync. For example, POLICYSYNC_CPU_MAX: "0.5"

Connectors Global Properties#

Snowflake Connector#

Property Description Values Default Value
SNOWFLAKE_ENABLE      
SNOWFLAKE_SERVICE_TYPE      
SNOWFLAKE_CONNECTOR_NAME      
SNOWFLAKE_MANAGE_ENV_PREFIX      
SNOWFLAKE_MANAGE_WAREHOUSE_LIST      
SNOWFLAKE_MANAGE_DATABASE_LIST Add the database names to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}
Use comma-separated values to enter multiple databases.
customer,sales  
SNOWFLAKE_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
SNOWFLAKE_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
SNOWFLAKE_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
SNOWFLAKE_IGNORE_ENV_PREFIX      
SNOWFLAKE_IGNORE_WAREHOUSE_LIST      
SNOWFLAKE_IGNORE_DATABASE_LIST

Add the Snowflake databases on which you do not want to apply PolicySync. You can add multiple, comma-separated databases.

By default, DEMO_DB, SNOWFLAKE, UTIL_DB, and SNOWFLAKE_SAMPLE_DATA are the databases that have been ignored. It is recommonded not to remove them from the property, when adding new databases to the list.

Note: Acces-conntrol is not be applied on the databases that have been imported into Snowflake from a different source. It is recommended to add the imported databases to the list of databases to be ignored.

The following is an example of the property. Its value contains the default databases, and COVID19_BY_STARSCHEMA database, on which access-policy will not be applied by PolicySync.

SNOWFLAKE_IGNORE_DATABASE_LIST: "DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA,COVID19_BY_STARSCHEMA"

  DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA
SNOWFLAKE_MANAGE_USER_LIST      
SNOWFLAKE_MANAGE_GROUP_LIST      
SNOWFLAKE_MANAGE_ROLE_LIST      
SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP To perform the policysync operations only on the users which are present in the certain specified groups, we need to set this variable value to true. true, false false
SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE To perform the policysync operations only on the users which are present in the certain specified roles, we need to set this variable value to true. true, false false
SNOWFLAKE_IGNORE_USER_LIST      
SNOWFLAKE_IGNORE_GROUP_LIST      
SNOWFLAKE_IGNORE_ROLE_LIST      
SNOWFLAKE_MANAGE_ENTITIES      
SNOWFLAKE_MANAGE_USERS      
SNOWFLAKE_MANAGE_ROLES      
SNOWFLAKE_GRANT_UPDATES      
SNOWFLAKE_ENTITY_ROLE_PREFIX      
SNOWFLAKE_USER_ROLE_PREFIX      
SNOWFLAKE_GROUP_ROLE_PREFIX      
SNOWFLAKE_ROLE_ROLE_PREFIX      
SNOWFLAKE_ENABLE_MASKING      
SNOWFLAKE_MASKING_POLICY_DB      
SNOWFLAKE_MASKING_POLICY_SCHEMA      
SNOWFLAKE_PEG_FUNCTION_DB      
SNOWFLAKE_PEG_FUNCTION_SCHEMA      
SNOWFLAKE_MASKED_NUMBER_VALUE      
SNOWFLAKE_MASKED_DOUBLE_VALUE      
SNOWFLAKE_MASKED_DATE_VALUE      
SNOWFLAKE_MASKED_TEXT_VALUE      
SNOWFLAKE_ENABLE_VIEW_BASED_ROW_FILTER

Some SQL Databases do not have native capability to provide row filters. As an alternative to row filters on tables, you can create a view based on the row filter conditions specified in the Ranger Row Filter policy. And you can query on these secure views.

true, false true
SNOWFLAKE_ENABLE_VIEW_BASED_MASKING

Some SQL Databases do not have native capability to provide masking. As an alternative to masking on tables, you can create a view based on the masking conditions specified in the Ranger Masking policy. And you can query on these secure views.

true, false false
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME

By default, view-based row filter and masking related secure views are created in the same schema as the original table schema. You can use the property, if you want to keep these secure views in a separate schema by providing schema name in this property.

 

SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_PREFIX

SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default view-based row filter and masking related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

For {view_schema_name} refer to variable SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME

 

SNOWFLAKE_SECURE_VIEW_NAME_PREFIX

SNOWFLAKE_SECURE_VIEW_NAME_POSTFIX

By default view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}

 
SNOWFLAKE_SECURE_VIEW_CREATE_FOR_ALL

If you want to create secure views regardless of masking/row filter policy that exist in Privacera Ranger, then set this to true

true, false false
SNOWFLAKE_ENABLE_COLUMN_ACCESS_MASKING      
SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION      
SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION_FUNCTION      
SNOWFLAKE_COLUMN_ACCESS_CONTROL_NUMBER_VALUE      
SNOWFLAKE_COLUMN_ACCESS_CONTROL_DOUBLE_VALUE      
SNOWFLAKE_COLUMN_ACCESS_CONTROL_TEXT_VALUE      
SNOWFLAKE_AUDIT_ENABLE      
SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE      
SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE      
SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE      
SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES      
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

SNOWFLAKE_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

SNOWFLAKE_CREATE_USER

Set this value to true if you want policysync to create users in the snowflake.

Set value to false when you don’t want policysync to create users in your snowflake account or if they are already created.

true, false

true

SNOWFLAKE_CREATE_USER_ROLE

Set this value to true if you want policysync to create user roles in the snowflake.

Set value to false when you don’t want policysync to create users in your snowflake account.

true, false

true

SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in SNOWFLAKE_USER_NAME_REPLACE_TO_STRING property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX property.

If kept blank, no find and replace operation is performed.

 

 

SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL

Set this property to true when policysync creates users in Snowflake and you want to use the user's email address as a login name.

true, false

false

SNOWFLAKE_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

When a query fails while applying permissions, it tries to apply the query again. To minimize the risk of invalid cases, set a maximum retry attempt.

2

MSSQL Connector#

Property Description Values Default Value
MSSQL_ENABLE      
MSSQL_SERVICE_TYPE      
MSSQL_CONNECTOR_NAME      
MSSQL_MASTER_DB      
MSSQL_WAREHOUSE_TO_USE      
MSSQL_LOAD_RESOURCE_FROM_COLUMNS

Set to true if you want to load the resources from MSSQL/Synapse database by using columns list.

Note: This is an experimental and not production-ready.

true, false false
MSSQL_MANAGE_ENV_PREFIX      
MSSQL_MANAGE_DATABASE_LIST Add the database name to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}
Use only single value for MSSQL.
customer  
MSSQL_MANAGE_SCHEMA_LIST Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}
If the value is kept blank, then all schemas will be managed.
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.
customer.customer_schema1,customer.customer_schema2
or
customer.*
 
MSSQL_MANAGE_TABLE_LIST Add the database tables to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{table_name}
If the value is kept blank, then all tables will be managed.
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.
customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
MSSQL_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
MSSQL_IGNORE_DATABASE_LIST      
MSSQL_MANAGE_USER_LIST      
MSSQL_MANAGE_GROUP_LIST      
MSSQL_MANAGE_GROUP_LIST      
MSSQL_MANAGE_ROLE_LIST      
MSSQL_MANAGE_USER_FILTERBY_GROUP Policy-sync will manage users specified in MSSQL_MANAGE_USER_LIST prop only if they are associated with any group specified in MSSQL_MANAGE_GROUP_LIST true, false false
MSSQL_MANAGE_USER_FILTERBY_ROLE Policy-sync will manage users specified in MSSQL_MANAGE_USER_LIST prop only if they are associated with any role specified in MSSQL_MANAGE_ROLE_LIST true, false false
MSSQL_IGNORE_USER_LIST      
MSSQL_IGNORE_GROUP_LIST      
MSSQL_IGNORE_ROLE_LIST      
MSSQL_MANAGE_ENTITIES      
MSSQL_MANAGE_USERS      
MSSQL_MANAGE_GROUPS      
MSSQL_MANAGE_ROLES      
MSSQL_USER_LOAD_KEY      
MSSQL_GRANT_UPDATES      
MSSQL_APPLY_WITH_SEPARATE_THREAD      
MSSQL_ENTITY_ROLE_PREFIX      
MSSQL_USER_ROLE_PREFIX      
MSSQL_GROUP_ROLE_PREFIX      
MSSQL_ROLE_ROLE_PREFIX      
MSSQL_ENABLE_ROW_FILTER      
MSSQL_ENABLE_MASKING      
MSSQL_MASKED_NUMBER_VALUE      
MSSQL_MASKED_DOUBLE_VALUE      
MSSQL_MASKED_DATE_VALUE      
MSSQL_MASKED_TEXT_VALUE      
MSSQL_ENABLE_VIEW_BASED_ROW_FILTER      
MSSQL_ENABLE_VIEW_BASED_MASKING      
MSSQL_SECURE_VIEW_SCHEMA_NAME      
MSSQL_SECURE_VIEW_SCHEMA_NAME_PREFIX      
MSSQL_SECURE_VIEW_SCHEMA_NAME_POSTFIX      
MSSQL_SECURE_VIEW_NAME_PREFIX      
MSSQL_SECURE_VIEW_NAME_POSTFIX      
MSSQL_SECURE_VIEW_CREATE_FOR_ALL      
MSSQL_AUDIT_ENABLE      
MSSQL_AUDIT_LOAD_KEY      
MSSQL_AUDIT_INITIAL_PULL_MINUTES      
MSSQL_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

MSSQL_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

MSSQL_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the MSSQL_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

MSSQL_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the MSSQL_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

MSSQL_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the MSSQL_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

MSSQL_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

MSSQL_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

When a query fails while applying permissions, it tries to apply the query again. To minimize the risk of invalid cases, set a maximum retry attempt.

2

PostgreSQL Connector#

Property Description Values Default Value
POSTGRES_ENABLE      
POSTGRES_SERVICE_TYPE      
POSTGRES_CONNECTOR_NAME      
POSTGRES_JDBC_DB      
POSTGRES_MASTER_DB      
POSTGRES_OWNER_ROLE

Use this property to set the owner for all the resources managed by PolicySync. The specified role will become owner for all managed resources. Privacera supports changing owners of database, schema, tables and views.

Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control.

POSTGRES_LOAD_RESOURCES_KEY This property controls which method to be used to load resources from Postgres.
  • load_md - It loads resources from Postgres with top-down resouces approach, that is, it first loads the database and then schemas, tables and columns successively. This mode is only for development purpose.
  • load_from_database_columns - It loads resources individaully by each resource type, that is, it loads all databases first, then loads all schemas, all tables and its columns successively. This mode is recommended for production purposes, since it is much faster than the load mode.
load_from_database_columns
POSTGRES_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Postgres after checking whether any new resource has been created or any changes are made in the existing resource. 60
POSTGRES_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Postgres after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. 420
POSTGRES_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Postgres, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. 540
POSTGRES_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Postgres. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. 30
POSTGRES_MANAGE_ENV_PREFIX      
POSTGRES_MANAGE_DATABASE_LIST

Add the database names to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}
Use comma-separated values to enter multiple databases.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

testdb1,testdb2,sales_db*  
POSTGRES_MANAGE_SCHEMA_LIST

Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

customer.customer_schema1,customer.customer_schema2
or
customer.*
 
POSTGRES_MANAGE_TABLE_LIST

Add the database tables to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{table_name}
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
POSTGRES_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
POSTGRES_SECURE_VIEW_ACCESS_BY_TABLE      
POSTGRES_IGNORE_ENV_PREFIX      
POSTGRES_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. testdb1,testdb2,sales_db*  
POSTGRES_IGNORE_SCHEMA_LIST This property is used to set comma-separated database schemas on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedance over manage schema list. testdb1.schema1,testdb2.schema2,sales_db*.sales*
POSTGRES_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*
POSTGRES_MANAGE_USER_LIST

This property is used to set comma-separated user names on which you want access control to be managed by PolicySync.

To manage all the users:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore users list has precedance over manage users list.

user1,user2,dev_user*  
POSTGRES_MANAGE_GROUP_LIST

This property is used to set comma-separated group names on which you want access control to be managed by PolicySync.

To manage all the groups:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore group list has precedance over manage group list.

group1,group2,dev_group*  
POSTGRES_MANAGE_ROLE_LIST

This property is used to set comma-separated role names on which you want access control to be managed by PolicySync.

To manage all the roles:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore role list has precedance over manage role list.

role1,role2,dev_role*  
POSTGRES_MANAGE_USER_FILTERBY_GROUP PolicySync will manage users specified in POSTGRES_MANAGE_USER_LIST property only if they are associated with any group specified in POSTGRES_MANAGE_GROUP_LIST property. true, false false
POSTGRES_POLICY_NAME_SEPARATOR This property is used as a separator in the POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE property. It is used when creating a name for native row filter policy. _priv_
POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE This property is used to set the name for a row filter policy by using a template. For example, if customer_data is the table, customer_schema is the schema, customer_db is teh database, then customer_db_priv_customer_schema_priv_customer_data_{row_filter_item_number} will be the name of the row filter policy. {database}{separator}{schema}{separator}{table}
POSTGRES_MANAGE_USER_FILTERBY_ROLE PolicySync will manage users specified in POSTGRES_MANAGE_USER_LIST property only if they are associated with any role specified in POSTGRES_MANAGE_ROLE_LIST property. true, false false
POSTGRES_IGNORE_USER_LIST

This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property.

It supports wildcards. This has precedance over manage user list.

user1,user2,dev_user*  
POSTGRES_IGNORE_GROUP_LIST

This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property.

It supports wildcards. This has precedance over manage group list.

group1,group2,dev_group*  
POSTGRES_IGNORE_ROLE_LIST

This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property.

It supports wildcards. This has precedance over manage role list.

role1,role2,dev_role*  
POSTGRES_MANAGE_ENTITIES      
POSTGRES_MANAGE_USERS Use this property to manage the membership between user and user role. false, true true
POSTGRES_MANAGE_GROUPS Use this property to create roles in Postgres when groups are retrieved from Ranger. false, true true
POSTGRES_MANAGE_ROLES Use this property to create roles in Postgres when they are retrieved from Ranger. false, true true
POSTGRES_GRANT_UPDATES

This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Postgres.

false, true true
POSTGRES_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

This property is used to set maximum retry attempts to be made for granting or revoking the access if any failure is due to database connection errors.

2
POSTGRES_ENABLE_DATA_ADMIN

This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well.

false, true true
POSTGRES_ENABLE_MIGRATION

This property can be used to migrate old properties of Postgres PolicySync to the new ones. It includes cleaning up of native row filters policies created by the old properties, since the new properties will be creating it again with its own format of naming.

false, true true
POSTGRES_ENTITY_ROLE_PREFIX      
POSTGRES_USER_ROLE_PREFIX This propery is used to set a role prefix for users in Postgres when they are retrieved from Ranger. For example, if john is a user in Ranger and you have defined prefix as test_user_, then test_user_john is the role that will be created for john in Postgres.   priv_user_
POSTGRES_GROUP_ROLE_PREFIX This propery is used to set a role prefix for groups in Postgres when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Postgres. priv_group_  
POSTGRES_ROLE_ROLE_PREFIX This propery is used to set a role prefix for roles in Postgres when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Postgres. priv_role_  
POSTGRES_USE_NATIVE_PUBLIC_GROUP Set this property to true, if you want PolicySync to use Postgres' native Public group for access grants. It will be used whenever a policy is created with the Public group selected. false, true true
POSTGRES_ENABLE_ROW_FILTER Set this property to true, if you want to enable native row filter functionality. It is not recommened to be used, since the native row filters can only be created on tables, they can't be created on views. false, true false
POSTGRES_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

  0
POSTGRES_MASKED_DOUBLE_VALUE      
POSTGRES_MASKED_DOUBLE_VALUE      
POSTGRES_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns.

  '<MASKED>'
POSTGRES_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view-based row filter in Postgres PolicySync.

Note:- Postgres supports native row filters, but due to some limitations, it is recommended to use view-based row filter.

false, true true
POSTGRES_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking in Postgres PolicySync.

Note:- Postgres does not support native masking. It is recommended to use view-based masking.

false, true true
POSTGRES_SECURE_VIEW_SCHEMA_NAME      
POSTGRES_SECURE_VIEW_SCHEMA_NAME_PREFIX

By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

For {view_schema_name}, refer to POSTGRES_SECURE_VIEW_SCHEMA_NAME property.

   
POSTGRES_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

For {view_schema_name}, refer to POSTGRES_SECURE_VIEW_SCHEMA_NAME property.

   
POSTGRES_SECURE_VIEW_NAME_PREFIX By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}    
POSTGRES_SECURE_VIEW_NAME_POSTFIX By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}   _secure
POSTGRES_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger.

false, true true
POSTGRES_AUDIT_ENABLE

This property is used to enable retrieving access audits from Postgres.

false, true false
POSTGRES_AUDIT_EXCLUDED_USERS

This property is used to set the list of users whose access audits you want to ignore. Set a list of comma-separated users.

POSTGRES_JDBC_USERNAME
POSTGRES_AUDIT_SOURCE

This property is used to set the mode through which we should be loading access audits. Access audits for AWS RDS Postgres only support SQS mode. It retrieves audits from the SQS queue.

sqs
POSTGRES_AWS_ACCESS_KEY

This property is used to set the AWS access key. It will be used to create an IAM client to access the SQS queue to get access audits. This should be used only if your deployment machine doesn't have an IAM role associated with it.

POSTGRES_AWS_SECRET_KEY

This property is used to set the AWS secret key. It will be used to create an IAM client to access the SQS queue to get access audits. This should be used only if your deployment machine doesn't have an IAM role associated with it.

POSTGRES_AWS_REGION

This property is used to set the AWS region where the SQS queue is stored.

us-east-1
POSTGRES_AWS_SQS_QUEUE_ENDPOINT

This property is used to set SQS endpoint URL. Set it if you use private VPC in your AWS account which doesn't have access to the internet. So you need to set a private endpoint here.

POSTGRES_AWS_SQS_QUEUE_NAME

This property is used to set the AWS SQS queue name from which you get access audits.

POSTGRES_AWS_SQS_QUEUE_MAX_POLL_MESSAGES

This property is used to set the number of messages to be retrieved from the SQS queue at one time and should be processed for auditing purposes.

100
POSTGRES_AUDIT_SQS_QUEUE_REGION      
POSTGRES_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t and then your secure schema name will be {schema_prefix}some_schema{schema_postfix}.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

POSTGRES_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table and then your secure name will be {prefix}some_name{postfix}.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

POSTGRES_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the POSTGRES_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the POSTGRES_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the POSTGRES_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the POSTGRES_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

POSTGRES_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_
POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
POSTGRES_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
POSTGRES_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
POSTGRES_CREATE_USER Use this property to create users in Postgres when they are retrieved from Ranger. false, true false
POSTGRES_CREATE_USER_ROLE Use this property to create user role in Postgres when they are retrieved from Ranger. false, true true

Redshift Connector#

Property Description Values Default Value
REDSHIFT_ENABLE Property to enable/disable the old properties of Redshift.    
REDSHIFT_V2_ENABLE Property to enable/disable the new properties of Redshift.   true
REDSHIFT_SERVICE_TYPE      
REDSHIFT_CONNECTOR_NAME      
REDSHIFT_MASTER_DB

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_MANAGE_ENV_PREFIX

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_OWNER_ROLE

Use this property to set the owner for all the resources managed by PolicySync. The specified role will become owner for all managed resources. Privacera supports changing owners of database, schema, tables and views.

Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control.

REDSHIFT_LOAD_RESOURCES_KEY This property controls which method to be used to load resources from Snowflake.
  • load_md - It loads resources from Redshift with top-down resouces approach, that is, it first loads the database and then schemas, tables and columns successively. This mode is only for development purpose.
  • load_from_database_columns - It loads resources individaully by each resource type, that is, it loads all databases first, then loads all schemas, all tables and its columns successively. This mode is recommended for production purposes, since it is much faster than the load mode.
load_from_database_columns
REDSHIFT_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Redshift after checking whether any new resource has been created or any changes are made in the existing resource. 60
REDSHIFT_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Redshift after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. 420
REDSHIFT_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Redshift, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. 540
REDSHIFT_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Redshift. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. 30
REDSHIFT_MANAGE_DATABASE_LIST

Add the database names to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}
Use comma-separated values to enter multiple databases.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

testdb1,testdb2,sales_db*  
REDSHIFT_MANAGE_SCHEMA_LIST

Add the database schemas to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}
If the value is none, then no schemas will be managed.
If the value is specified as {database_name}.*, then all schemas will be managed.
Use comma-separated values to enter multiple schemas.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

customer.customer_schema1,customer.customer_schema2
or
customer.*
 
REDSHIFT_MANAGE_TABLE_LIST

Add the database tables to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{table_name}
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
REDSHIFT_MANAGE_VIEW_LIST Add the database views to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
Note: This property can be used only when REDSHIFT_ENABLE property is enabled.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
REDSHIFT_IGNORE_ENV_PREFIX

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. testdb1,testdb2,sales_db*  
REDSHIFT_IGNORE_SCHEMA_LIST This property is used to set comma-separated database schemas on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedance over manage schema list. testdb1.schema1,testdb2.schema2,sales_db*.sales*
REDSHIFT_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*
REDSHIFT_MANAGE_USER_LIST

This property is used to set comma-separated user names on which you want access control to be managed by PolicySync.

To manage all the users:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore users list has precedance over manage users list.

user1,user2,dev_user*  
REDSHIFT_MANAGE_GROUP_LIST

This property is used to set comma-separated group names on which you want access control to be managed by PolicySync.

To manage all the groups:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore group list has precedance over manage group list.

group1,group2,dev_group*  
REDSHIFT_MANAGE_ROLE_LIST

This property is used to set comma-separated role names on which you want access control to be managed by PolicySync.

To manage all the roles:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore role list has precedance over manage role list.

role1,role2,dev_role*  
REDSHIFT_MANAGE_USER_FILTERBY_GROUP Policysync will manage users specified in REDSHIFT_MANAGE_USER_LIST property only if they are associated with any group specified in REDSHIFT_MANAGE_GROUP_LIST true, false false
REDSHIFT_MANAGE_USER_FILTERBY_ROLE Policy-sync will manage users specified in REDSHIFT_MANAGE_USER_LIST prop only if they are associated with any role specified in REDSHIFT_MANAGE_ROLE_LIST true, false false
REDSHIFT_IGNORE_USER_LIST

This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property.

It supports wildcards. This has precedance over manage user list.

user1,user2,dev_user*  
REDSHIFT_IGNORE_GROUP_LIST

This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property.

It supports wildcards. This has precedance over manage group list.

group1,group2,dev_group*  
REDSHIFT_IGNORE_ROLE_LIST

This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property.

It supports wildcards. This has precedance over manage role list.

role1,role2,dev_role*  
REDSHIFT_MANAGE_ENTITIES      
REDSHIFT_MANAGE_USERS Use this property to manage the membership between user and user role. false, true true
REDSHIFT_MANAGE_GROUPS Use this property to create roles in Redshift when groups are retrieved from Ranger. false, true true
REDSHIFT_MANAGE_ROLES Use this property to create roles in Redshift when they are retrieved from Ranger. false, true true
REDSHIFT_GRANT_UPDATES

This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Redshift.

false, true true
REDSHIFT_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

This property is used to set maximum retry attempts to be made for granting or revoking the access if any failure is due to database connection errors.

2
REDSHIFT_ENABLE_DATA_ADMIN

This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well.

false, true true
REDSHIFT_ENTITY_ROLE_PREFIX      
REDSHIFT_USER_ROLE_PREFIX This propery is used to set a role prefix for users in Redshift when they are retrieved from Ranger. For example, if john is a user in Ranger and you have defined prefix as test_user_, then test_user_john is the role that will be created for john in Redshift.   priv_user_
REDSHIFT_GROUP_ROLE_PREFIX This propery is used to set a role prefix for groups in Redshift when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Redshift. priv_group_  
REDSHIFT_ROLE_ROLE_PREFIX This propery is used to set a role prefix for roles in Redshift when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Redshift. priv_role_  
REDSHIFT_USE_NATIVE_PUBLIC_GROUP Set this property to true, if you want PolicySync to use Redshift' native Public group for access grants. It will be used whenever a policy is created with the Public group selected. false, true true
REDSHIFT_ENABLE_ROW_FILTER

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

  0
REDSHIFT_MASKED_DOUBLE_VALUE

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_MASKED_DATE_VALUE

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   
REDSHIFT_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns.

  '<MASKED>'
REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view-based row filter in Redshift PolicySync.

Note:- Redshift supports native row filters, but due to some limitations, it is recommended to use view-based row filter.

true, false true
REDSHIFT_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking in Redshift PolicySync.

Note:- Redshift does not support native masking. It is recommended to use view-based masking.

true. false true
REDSHIFT_SECURE_VIEW_SCHEMA_NAME

By default, view-based row filter and masking related secure views are created in the same schema as the original table schema. You can use the property if you want to keep these secure views in a separate schema by providing a schema name in this property.

Note: This property can be used only when REDSHIFT_ENABLE property is enabled.

   

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX

REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, view-based row filter and masking related secure views have the same schema name as the table schema name. If you want to change the prefix and postfix of the secure view schema name, use these properties. After prefix and postfix is specified, the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

For {view_schema_name} refer to variable REDSHIFT_SECURE_VIEW_SCHEMA_NAME

   

REDSHIFT_SECURE_VIEW_NAME_PREFIX

REDSHIFT_SECURE_VIEW_NAME_POSTFIX

By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix}

   
REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger.

true, false false
REDSHIFT_AUDIT_ENABLE

This property is used to enable retrieving access audits from Redshift.

false, true false
REDSHIFT_AUDIT_EXCLUDED_USERS

This property is used to set the list of users whose access audits you want to ignore. Set a list of comma-separated users.

REDSHIFT_JDBC_USERNAME
REDSHIFT_AUDIT_INITIAL_PULL_MINUTES

When the audits are enabled for the first time, the value will decide the number of minutes you need to pull the access audits from the database, default value is 30 mins.

30
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t.

Enter a suffix string or a comma-separated list of suffix strings. 

_t,_v

 

REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table.

Enter a suffix string or a comma-separated list of suffix strings. 

_view,_table

 

REDSHIFT_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the REDSHIFT_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the REDSHIFT_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the REDSHIFT_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the REDSHIFT_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

REDSHIFT_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_
REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
REDSHIFT_CREATE_USER Use this property to create users in Redshift when they are retrieved from Ranger. false, true true
REDSHIFT_CREATE_USER_ROLE Use this property to create user role in Redshift when they are retrieved from Ranger. false, true true

Databricks SQL#

Property Description Values Default Value
DATABRICKS_SQL_ANALYTICS_ENABLE Property to enable/disable the old properties of Databricks SQL Analytics. true, false true
DATABRICKS_SQL_ANALYTICS_V2_ENABLE Property to enable/disable the new properties of Databricks SQL Analytics. true, false false
DATABRICKS_SQL_ANALYTICS_SERVICE_TYPE     databricks_sql_analytics
DATABRICKS_SQL_ANALYTICS_CONNECTOR_NAME     DatabricksSQLAnalytics
DATABRICKS_SQL_ANALYTICS_JDBC_URL

This property used to set JDBC url which can be used to connect to Databricks SQL endpoint.

JDBC URL should follow below convention
jdbc:spark://<WORKSPACE_URL>:443/<DATABASE>;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890

Example :- jdbc:spark://example.cloud.databricks.com:443/default;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890

   
DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME This property used to set jdbc Username to be used to make connection to Databricks SQL endpoint. This is just an email used to log in to Databricks to manage the SQL endpoint. (ex. john.doe@privacera.com)    
DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD This is a personal access token used to access the Databricks SQL endpoint, that is created in Databricks by going to SQL endpoints > Create a personal access token. It should look like this: dapi71f8493xxxxx47d09e17a10ba8d53    
DATABRICKS_SQL_ANALYTICS_JDBC_DB This property used to set JDBC database to be used to make initial connection to Databricks SQL endpoint.   privacera_db
DATABRICKS_SQL_ANALYTICS_MANAGE_ENV_PREFIX

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_OWNER_ROLE

Use this property to set the owner for all the resources managed by PolicySync. The specified user will become owner for all managed resources and will have full control over all the resources. Privacera supports changing owners of database, tables and views.

Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control.

DATABRICKS_SQL_ANALYTICS_HOST_URL

This property is used to make a call to SQL analytics API for users/groups/audits. It should be the base URL of Databricks, for example https://db1.cloud.databricks.com/

DATABRICKS_SQL_ANALYTICS_LOAD_RESOURCES_KEY This property controls which method to be used to load resources from Databricks SQL. It should be not be changed - Databricks only supports the value load as a method for loading resources.
  • load - It loads resources from Databricks SQL endpoint with top-down resouces approach, that is, it first loads the database and then schemas, tables and columns successively.
load
DATABRICKS_SQL_ANALYTICS_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Databricks SQL after checking whether any new resource has been created or any changes are made in the existing resource. 60
DATABRICKS_SQL_ANALYTICS_PRINCIPAL_SYNC_INTERVAL This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Databricks SQL after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. 420
DATABRICKS_SQL_ANALYTICS_PERMISSION_SYNC_INTERVAL This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Databricks SQL, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. 540
DATABRICKS_SQL_ANALYTICS_AUDIT_SYNC_INTERVAL This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Databricks SQL. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. 30
DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST

Add the database names to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}
Use comma-separated values to enter multiple databases.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

testdb1,testdb2,sales_db*  
DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST

Add the database tables to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{table_name}
If the value is none, then no tables will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.
Use comma-separated values to enter multiple tables.

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore database list has precedance over manage database list.

customer.customer_schema1.table1,customer.customer_schema2.table2
or
customer.customer_schema.*
 
DATABRICKS_SQL_ANALYTICS_MANAGE_VIEW_LIST

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.



Add the database views to be managed by PolicySync.
Enter the value for the property in the following:
{database_name}.{schema_name}.{view_name}
If the value is kept blank, then all views will be managed.
If the value is none, then no views will be managed.
If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.
Use comma-separated values to enter multiple views.
Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.
customer.customer_schema1.view1,customer.customer_schema2.view2
or
customer.customer_schema.*
 
DATABRICKS_SQL_ANALYTICS_IGNORE_ENV_PREFIX

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_IGNORE_DATABASE_LIST This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. testdb1,testdb2,sales_db*  
DATABRICKS_SQL_ANALYTICS_IGNORE_TABLE_LIST This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*
DATABRICKS_SQL_ANALYTICS_IGNORE_VIEW_LIST

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_DEFAULT_USER_PASSWORD      
DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITY_PREFIX      
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST

This property is used to set comma-separated user names on which you want access control to be managed by PolicySync.

To manage all the users:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore users list has precedance over manage users list.

user1,user2,dev_user*  
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST

This property is used to set comma-separated group names on which you want access control to be managed by PolicySync.

To manage all the groups:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore group list has precedance over manage group list.

group1,group2,dev_group*  
DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST

This property is used to set comma-separated role names on which you want access control to be managed by PolicySync.

To manage all the roles:

  • If you are using the new properties, do not define the property.
  • If you are using the old properties, define the property but keep the value blank.

It supports wildcards. The ignore role list has precedance over manage role list.

role1,role2,dev_role*  
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP Policysync will manage users specified in DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST property only if they are associated with any group specified in DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST true, false false
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE Policy-sync will manage users specified in DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST prop only if they are associated with any role specified in DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST true, false false
DATABRICKS_SQL_ANALYTICS_IGNORE_ENTITY_PREFIX      
DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST

This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property.

It supports wildcards. This has precedance over manage user list.

user1,user2,dev_user*  
DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST

This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property.

It supports wildcards. This has precedance over manage group list.

group1,group2,dev_group*  
DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST

This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property.

It supports wildcards. This has precedance over manage role list.

role1,role2,dev_role*  
DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITIES      
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS Use this property to create roles in Redshift when groups are retrieved from Ranger. false, true true
DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES Use this property to create roles in Redshift when they are retrieved from Ranger. false, true true
DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES

This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Databricks SQL.

false, true true
DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN

This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well.

false, true true
DATABRICKS_SQL_ANALYTICS_USE_HIVE_ACCESS_POLICIES

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

Use privacera_hive service instead of privacera_databricks_sql_analytics. After setting the PM property the policysync will start syncing the policies from privacera_hive and the only highlight will be the deny and execulde from allow/deny will not work as expected. Because the policysync only support Allow condition for now.

false, true true
DATABRICKS_SQL_ANALYTICS_ENTITY_ROLE_PREFIX     priv_
DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX This propery is used to set a role prefix for groups in Databricks SQL when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Databricks SQL. priv_group_  
DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX This propery is used to set a role prefix for roles in Databricks SQL when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Databricks SQL. priv_role_  
DATABRICKS_SQL_ANALYTICS_USE_NATIVE_PUBLIC_GROUP Set this property to true, if you want PolicySync to use Databricks SQL's native Public group for access grants. It will be used whenever a policy is created with the Public group selected. false, true true
DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

  0
DATABRICKS_SQL_ANALYTICS_MASKED_DOUBLE_VALUE

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_MASKED_DATE_VALUE

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view-based row filter in Databricks SQL PolicySync.

Note:- Databricks SQL supports native row filters, but due to some limitations, it is recommended to use view-based row filter.

true, false true
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking in Databricks SQL PolicySync.

Note:- Databricks SQL does not support native masking. It is recommended to use view-based masking.

true. false true
DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME_PREFIX

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME_POSTFIX

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX

By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix}

   
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX

By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix}

  _secure
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX

By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix}

   
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX

By default, view-based row filter and masking related secure views have the same name as the table database name. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{view_database_name}{postfix}

 
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX

By default, view-based row filter and masking related secure views have the same name as the table database name. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{view_database_name}{postfix}

 
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. and then your secure name will be {prefix}some_name{postfix} Enter a suffix string or a comma-separated list of suffix strings.

 
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix, _schema. and then your secure schema name will be {schema_prefix}some_schema{schema_postfix} Enter a suffix string or a comma-separated list of suffix strings.

 
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger.

true, false false
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_MASKING

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

  TRUE
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

  FALSE
DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION_FUNCTION

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

  {database}.PUBLIC.ThrowColumnAccessException('{col}')
DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_NUMBER_VALUE

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_DOUBLE_VALUE

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

   
DATABRICKS_SQL_ANALYTICS_AUDIT_ENABLE

This property is used to enable retrieving access audits from Databricks SQL.

false, true true
DATABRICKS_SQL_ANALYTICS_AUDIT_INITIAL_PULL_MINUTES

When the audits are enabled for the first time, the value will decide the number of minutes you need to pull the access audits from the database, default value is 30 mins.

30

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by the regex specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING variable.

If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING

The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX variable.

If kept blank, no find and replace operation is performed.

The default value is an underscore (_).

_
DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger.

When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false, true false
DATABRICKS_SQL_ANALYTICS_CREATE_USER Use this property to create users in Databricks SQL when they are retrieved from Ranger. false, true false

DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_ACCESS_BY_TABLE

The value of this variable should be set to true if you want to apply grants on secure views by using the table policy itself.

Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

true, false true
DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE Specify the text value to be displayed in columns of secure view (columns which don't have Select permission) when column-level access control is applied on the table. For example, DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE: "'# REDACTED #'"
Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled.

'# REDACTED #'

DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE Specify the text value to be displayed in columns of secure view (columns which has masking policies) when column masking is applied on table. For example, DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE: "'<MASKED>'" '<MASKED>'

Google BigQuery Connector#

Property Description Values Default Value
BIGQUERY_LOAD_RESOURCES_KEY This property controls which method to be used to load resources from BigQuery.
  • load_md - It loads resources from BigQuery with a top-down resouces approach, that is, it first loads the project and then the dataset followed by tables and its columns, This mode is only for development purposes.
  • load_from_database_columns - It loads resources one by one for each resource type that is, it loads all projects first, then it loads all datasets in all databases, followed by all tables in all datasets and its columns. This mode is recommended since it is faster than the load mode.
load_from_dataset_columns
BIGQUERY_RESOURCE_SYNC_INTERVAL This property is used to set the interval in seconds for the resource sync process. Resource sync is the process where we load the resources from BigQuery to check whether any new resource has been created or there is any change in the existing resource. This process happens in the defined interval time. 60
BIGQUERY_PRINCIPAL_SYNC_INTERVAL

This property is used to set the interval in seconds for principal sync process. Principal sync is the process where we load the user/group/roles from BigQuery to check which users/groups/roles are created and membership between them. This process happens in the defined interval time.

420
BIGQUERY_PERMISSION_SYNC_INTERVAL

This property is used to set the interval in seconds for syncing the existing policies sync. Existing policies are synced where we load the permissions or policies which are already synced to BigQuery, and then validate it with Ranger policies. If differences are found, then required grants/revokes are triggered. This process happens in the defined interval time.

540
BIGQUERY_AUDIT_SYNC_INTERVAL

This property is used to set the interval in seconds for getting the access audits. Access audits are retrieved from the BigQuery and then pushed to Solr, so they can be displayed on Privacera Access Audit Page. This process happens in the defined interval time.

30
BIGQUERY_IGNORE_PROJECT_LIST

This property is used to set comma-separated project names which you don't want access control to be managed by PolicySync. If you don't want to ignore any project then keep the value blank. It supports wildcards. This has precedence over the managed project list.

For example, testproject1,testproject2,sales_project*

>
BIGQUERY_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
BIGQUERY_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in the user name regex property. If kept blank, no find and replace operation is performed.

_
BIGQUERY_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a group name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
BIGQUERY_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in the group name regex property. If kept blank, no find and replace operation is performed.

_
BIGQUERY_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a role name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]
BIGQUERY_ROLE_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified in the role name regex property. If kept blank, no find and replace operation is performed.

_
BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME

The value specified in this property is used to replace the characters found by the regex specified in the role name regex property. If kept blank, no find and replace operation is performed.

  • ALL_AUTHENTICATED_USERS - all GCP project authenticated users.
  • ALL_USERS - all google authenticated users.
BIGQUERY_MANAGE_USER_FILTERBY_ROLE

Set this property to true, if you want to manage only the users who belong to the roles defined in manage roles list property.

true, false false
BIGQUERY_POLICY_NAME_SEPARATOR

This property is used to set separator, which will be used while creating  a name for native row filter policy.

_
BIGQUERY_ROW_FILTER_POLICY_NAME_TEMPLATE

This property is used as a template to create native row filter policy names. For example, multiple native row filters added on the table will look like row_filter_item_1, row_filter_item_2, etc.

row_filter_item_
BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create a secure view for all tables and all views created by users. This will create a secure view for resources regardless of whether there is any masking/row filter policy that exists in Ranger.

true, false true
BIGQUERY_MASKING_FUNCTIONS_DATASET

This property is used to set the name of the dataset in the GCP project to create custom masking functions required by PolicySync.

privacera_dataset
BIGQUERY_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns.

0
BIGQUERY_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns.

'<MASKED>'
BIGQUERY_SECURE_VIEW_NAME_PREFIX

By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}

BIGQUERY_SECURE_VIEW_NAME_POSTFIX

By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}

BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX

By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX

By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}

_secure
BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. and then your secure name will be {prefix}some_name{postfix}

Enter a suffix string or a comma-separated list of suffix strings.

BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST

You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix, _schema. and then your secure schema name will be {schema_prefix}some_schema{schema_postfix}

Enter a suffix string or a comma-separated list of suffix strings.

/td>
BIGQUERY_ENABLE_AUTHORIZED_VIEW_ACL_UPDATER

This property is used to enable asynchronized authorized view ACLs updater, it updates the dataset ACLs with authorized secure view names, This is done periodically by batching the requests for one or more views.

true, false true
BIGQUERY_AUTHORIZED_VIEW_ACL_UPDATER_INTERVAL

This property is used to set a time interval in which the authorized view ACL's updater thread can update authorized view ACLs permissions in the dataset if any permissions are pending to be applied.

10
BIGQUERY_GRANT_UPDATES

This property controls whether actual grant/revoke should be run on BigQuery.

true, false true
BIGQUERY_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

This property is used to set max retry attempts to be made for granting or revoking the access if there is any failure due to database connection errors.

2
BIGQUERY_GRANT_UPDATES_BATCH

This property enables the batching of applying grants/revokes to the BigQuery. This improves overall performance when applying any permission changes on the BigQuery.

true, false true
BIGQUERY_ENABLE_DATA_ADMIN

This property is used to enable data admin feature. It allows you to create all the policies on table/native view. By default, respective grants will be made on secure view of table or native view. This secure view will have row filter and masking capability. If you need permissions on the table, then you can select the permissions you want along with the dataadmin in the policy. The permissions will be granted on both, the table/native view and its secure view.

true, false true
BIGQUERY_AUDIT_ENABLE

This property is used to enable retrieving access audits from BigQuery.

true, false false
BIGQUERY_AUDIT_EXCLUDED_USERS

This property is used to set the list of users whose access audits you want to ignore. It takes a list of comma-separated email addresses of the users.

BIGQUERY_OAUTH_SERVICE_ACCOUNT_EMAIL
BIGQUERY_AUDIT_PROJECT_ID

This property is used to set the project ID. It will be used when running the query to retrieve the audits from BigQuery.

BIGQUERY_AUDIT_DATASET_NAME

This property is used to set the dataset name. It will be used when running the query to get the audits from BigQuery.