PolicySync#
The following table contains the list of custom properties that can be configured for PolicySync connectors. To use a custom property from the table, just add it to the following YML file in the custom-vars folder configured as per your environment:
- vars.policysync.snowflake.yml
- vars.policysync.postgres.yml
- vars.policysync.mssql.yml
- vars.policysync.redshift.yml
- vars.policysync.databricks.sql.analytics.yml
| Property | Description | Values | Values |
|---|---|---|---|
| POLICYSYNC_IMAGE_NAME | |||
| POLICYSYNC_IMAGE_TAG | |||
| POLICYSYNC_ENABLE | true, false | false |
Common#
| Property | Description | Values | Default Value |
|---|---|---|---|
|
POLICYSYNC_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY
|
Note: Use this property with the old PolicySync properties. After loading user/group/roles from Ranger API's all are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
true, false |
false |
|
POLICYSYNC_V2_USERLOADER_RANGER_PERSIST_CASE_SENSITIVITY
|
Note: Use this property with the new PolicySync properties. After loading user/group/roles from Ranger API's all are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
true, false |
false |
| Memory Variables | |||
| POLICYSYNC_HEAP_MIN_MEMORY_MB | Minimum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MIN_MEMORY_MB: "1024" | ||
| POLICYSYNC_HEAP_MIN_MEMORY | Minimum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MIN_MEMORY_MB. For example, POLICYSYNC_HEAP_MIN_MEMORY: "1g" | ||
| POLICYSYNC_HEAP_MAX_MEMORY_MB | Maximum Java Heap memory in MB used by PolicySync. For example, POLICYSYNC_HEAP_MAX_MEMORY_MB: "1024" | ||
| POLICYSYNC_HEAP_MAX_MEMORY | Maximum Java Heap memory used by PolicySync. Setting this value will override POLICYSYNC_HEAP_MAX_MEMORY_MB. For example, POLICYSYNC_HEAP_MAX_MEMORY: "1g" | ||
| POLICYSYNC_K8S_MEM_REQUESTS_MB | Minimum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_REQUESTS_MB: "1024" | ||
| POLICYSYNC_K8S_MEM_REQUESTS | Minimum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_REQUESTS_MB. For example, POLICYSYNC_K8S_MEM_REQUESTS: "1G" | ||
| POLICYSYNC_K8S_MEM_LIMITS_MB | Maximum amount of Kubernetes memory in MB to be requested by PolicySync. For example, POLICYSYNC_K8S_MEM_LIMITS_MB: "1024" | ||
| POLICYSYNC_K8S_MEM_LIMITS | Maximum amount of Kubernetes memory to be used by PolicySync. Setting this value will override POLICYSYNC_K8S_MEM_LIMITS_MB. For example, POLICYSYNC_K8S_MEM_LIMITS: "1G" | ||
| POLICYSYNC_CPU_MIN | Minimum amount of Kubernetes CPU to be requested by PolicySync. For example, POLICYSYNC_CPU_MIN: "0.5" | ||
| POLICYSYNC_CPU_MAX | Maximum amount of Kubernetes CPU to be used by PolicySync. For example, POLICYSYNC_CPU_MAX: "0.5" |
Connectors Global Properties#
Snowflake Connector#
| Property | Description | Values | Default Value |
|---|---|---|---|
| SNOWFLAKE_ENABLE | |||
| SNOWFLAKE_SERVICE_TYPE | |||
| SNOWFLAKE_CONNECTOR_NAME | |||
| SNOWFLAKE_MANAGE_ENV_PREFIX | |||
| SNOWFLAKE_MANAGE_WAREHOUSE_LIST | |||
| SNOWFLAKE_MANAGE_DATABASE_LIST | Add the database names to be managed by PolicySync. Enter the value for the property in the following: {database_name} Use comma-separated values to enter multiple databases. |
customer,sales | SNOWFLAKE_MANAGE_SCHEMA_LIST | Add the database schemas to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name} If the value is kept blank, then all schemas will be managed. If the value is none, then no schemas will be managed.If the value is specified as {database_name}.*, then all schemas will be managed.Use comma-separated values to enter multiple schemas. |
customer.customer_schema1,customer.customer_schema2 or customer.* |
SNOWFLAKE_MANAGE_TABLE_LIST | Add the database tables to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{table_name} If the value is kept blank, then all tables will be managed. If the value is none, then no tables will be managed.If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.Use comma-separated values to enter multiple tables. |
customer.customer_schema1.table1,customer.customer_schema2.table2 or customer.customer_schema.* |
SNOWFLAKE_MANAGE_VIEW_LIST | Add the database views to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{view_name} If the value is kept blank, then all views will be managed. If the value is none, then no views will be managed.If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.Use comma-separated values to enter multiple views. |
customer.customer_schema1.view1,customer.customer_schema2.view2 or customer.customer_schema.* |
| SNOWFLAKE_IGNORE_ENV_PREFIX | |||
| SNOWFLAKE_IGNORE_WAREHOUSE_LIST | |||
| SNOWFLAKE_IGNORE_DATABASE_LIST |
Add the Snowflake databases on which you do not want to apply PolicySync. You can add multiple, comma-separated databases. By default, DEMO_DB, SNOWFLAKE, UTIL_DB, and SNOWFLAKE_SAMPLE_DATA are the databases that have been ignored. It is recommonded not to remove them from the property, when adding new databases to the list. Note: Acces-conntrol is not be applied on the databases that have been imported into Snowflake from a different source. It is recommended to add the imported databases to the list of databases to be ignored. The following is an example of the property. Its value contains the default databases, and
|
DEMO_DB,SNOWFLAKE,UTIL_DB,SNOWFLAKE_SAMPLE_DATA | |
| SNOWFLAKE_MANAGE_USER_LIST | |||
| SNOWFLAKE_MANAGE_GROUP_LIST | |||
| SNOWFLAKE_MANAGE_ROLE_LIST | |||
| SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP | To perform the policysync operations only on the users which are present in the certain specified groups, we need to set this variable value to true. | true, false | false |
| SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE | To perform the policysync operations only on the users which are present in the certain specified roles, we need to set this variable value to true. | true, false | false |
| SNOWFLAKE_IGNORE_USER_LIST | |||
| SNOWFLAKE_IGNORE_GROUP_LIST | |||
| SNOWFLAKE_IGNORE_ROLE_LIST | |||
| SNOWFLAKE_MANAGE_ENTITIES | |||
| SNOWFLAKE_MANAGE_USERS | |||
| SNOWFLAKE_MANAGE_ROLES | |||
| SNOWFLAKE_GRANT_UPDATES | |||
| SNOWFLAKE_ENTITY_ROLE_PREFIX | |||
| SNOWFLAKE_USER_ROLE_PREFIX | |||
| SNOWFLAKE_GROUP_ROLE_PREFIX | |||
| SNOWFLAKE_ROLE_ROLE_PREFIX | |||
| SNOWFLAKE_ENABLE_MASKING | |||
| SNOWFLAKE_MASKING_POLICY_DB | |||
| SNOWFLAKE_MASKING_POLICY_SCHEMA | |||
| SNOWFLAKE_PEG_FUNCTION_DB | |||
| SNOWFLAKE_PEG_FUNCTION_SCHEMA | |||
| SNOWFLAKE_MASKED_NUMBER_VALUE | |||
| SNOWFLAKE_MASKED_DOUBLE_VALUE | |||
| SNOWFLAKE_MASKED_DATE_VALUE | |||
| SNOWFLAKE_MASKED_TEXT_VALUE | |||
| SNOWFLAKE_ENABLE_VIEW_BASED_ROW_FILTER | Some SQL Databases do not have native capability to provide row filters. As an alternative to row filters on tables, you can create a view based on the row filter conditions specified in the Ranger Row Filter policy. And you can query on these secure views. |
true, false | true |
| SNOWFLAKE_ENABLE_VIEW_BASED_MASKING | Some SQL Databases do not have native capability to provide masking. As an alternative to masking on tables, you can create a view based on the masking conditions specified in the Ranger Masking policy. And you can query on these secure views. |
true, false | false |
| SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME | By default, view-based row filter and masking related secure views are created in the same schema as the original table schema. You can use the property, if you want to keep these secure views in a separate schema by providing schema name in this property. |
||
SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_PREFIX SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_POSTFIX |
By default view-based row filter and masking related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix} For {view_schema_name} refer to variable SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME |
||
SNOWFLAKE_SECURE_VIEW_NAME_PREFIX SNOWFLAKE_SECURE_VIEW_NAME_POSTFIX |
By default view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix} |
||
| SNOWFLAKE_SECURE_VIEW_CREATE_FOR_ALL | If you want to create secure views regardless of masking/row filter policy that exist in Privacera Ranger, then set this to true |
true, false | false |
| SNOWFLAKE_ENABLE_COLUMN_ACCESS_MASKING | |||
| SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION | |||
| SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION_FUNCTION | |||
| SNOWFLAKE_COLUMN_ACCESS_CONTROL_NUMBER_VALUE | |||
| SNOWFLAKE_COLUMN_ACCESS_CONTROL_DOUBLE_VALUE | |||
| SNOWFLAKE_COLUMN_ACCESS_CONTROL_TEXT_VALUE | |||
| SNOWFLAKE_AUDIT_ENABLE | |||
| SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE | |||
| SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE | |||
| SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE | |||
| SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES | |||
| SNOWFLAKE_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t. Enter a suffix string or a comma-separated list of suffix strings. |
_t,_v |
|
| SNOWFLAKE_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. Enter a suffix string or a comma-separated list of suffix strings. |
_view,_table |
|
|
SNOWFLAKE_CREATE_USER |
Set this value to true if you want policysync to create users in the snowflake. Set value to false when you don’t want policysync to create users in your snowflake account or if they are already created. |
true, false |
true |
|
SNOWFLAKE_CREATE_USER_ROLE |
Set this value to true if you want policysync to create user roles in the snowflake. Set value to false when you don’t want policysync to create users in your snowflake account. |
true, false |
true |
|
SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in SNOWFLAKE_USER_NAME_REPLACE_TO_STRING property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_USER_NAME_REPLACE_TO_STRING |
The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING |
The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING |
The value specified in this property is used to replace the characters found by the regex specified in SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX property. If kept blank, no find and replace operation is performed. |
|
|
|
SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL |
Set this property to true when policysync creates users in Snowflake and you want to use the user's email address as a login name. |
true, false |
false |
| SNOWFLAKE_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | When a query fails while applying permissions, it tries to apply the query again. To minimize the risk of invalid cases, set a maximum retry attempt. |
2 |
MSSQL Connector#
| Property | Description | Values | Default Value |
|---|---|---|---|
| MSSQL_ENABLE | |||
| MSSQL_SERVICE_TYPE | |||
| MSSQL_CONNECTOR_NAME | |||
| MSSQL_MASTER_DB | |||
| MSSQL_WAREHOUSE_TO_USE | |||
| MSSQL_LOAD_RESOURCE_FROM_COLUMNS |
Set to true if you want to load the resources from MSSQL/Synapse database by using columns list. Note: This is an experimental and not production-ready. |
true, false | false |
| MSSQL_MANAGE_ENV_PREFIX | |||
| MSSQL_MANAGE_DATABASE_LIST | Add the database name to be managed by PolicySync. Enter the value for the property in the following: {database_name} Use only single value for MSSQL. |
customer | |
| MSSQL_MANAGE_SCHEMA_LIST | Add the database schemas to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name} If the value is kept blank, then all schemas will be managed. If the value is none, then no schemas will be managed.If the value is specified as {database_name}.*, then all schemas will be managed.Use comma-separated values to enter multiple schemas. |
customer.customer_schema1,customer.customer_schema2 or customer.* |
|
| MSSQL_MANAGE_TABLE_LIST | Add the database tables to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{table_name} If the value is kept blank, then all tables will be managed. If the value is none, then no tables will be managed.If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed.Use comma-separated values to enter multiple tables. |
customer.customer_schema1.table1,customer.customer_schema2.table2 or customer.customer_schema.* |
MSSQL_MANAGE_VIEW_LIST | Add the database views to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{view_name} If the value is kept blank, then all views will be managed. If the value is none, then no views will be managed.If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.Use comma-separated values to enter multiple views. |
customer.customer_schema1.view1,customer.customer_schema2.view2 or customer.customer_schema.* |
| MSSQL_IGNORE_DATABASE_LIST | |||
| MSSQL_MANAGE_USER_LIST | |||
| MSSQL_MANAGE_GROUP_LIST | |||
| MSSQL_MANAGE_GROUP_LIST | |||
| MSSQL_MANAGE_ROLE_LIST | |||
| MSSQL_MANAGE_USER_FILTERBY_GROUP | Policy-sync will manage users specified in MSSQL_MANAGE_USER_LIST prop only if they are associated with any group specified in MSSQL_MANAGE_GROUP_LIST | true, false | false |
| MSSQL_MANAGE_USER_FILTERBY_ROLE | Policy-sync will manage users specified in MSSQL_MANAGE_USER_LIST prop only if they are associated with any role specified in MSSQL_MANAGE_ROLE_LIST | true, false | false |
| MSSQL_IGNORE_USER_LIST | |||
| MSSQL_IGNORE_GROUP_LIST | |||
| MSSQL_IGNORE_ROLE_LIST | |||
| MSSQL_MANAGE_ENTITIES | |||
| MSSQL_MANAGE_USERS | |||
| MSSQL_MANAGE_GROUPS | |||
| MSSQL_MANAGE_ROLES | |||
| MSSQL_USER_LOAD_KEY | |||
| MSSQL_GRANT_UPDATES | |||
| MSSQL_APPLY_WITH_SEPARATE_THREAD | |||
| MSSQL_ENTITY_ROLE_PREFIX | |||
| MSSQL_USER_ROLE_PREFIX | |||
| MSSQL_GROUP_ROLE_PREFIX | |||
| MSSQL_ROLE_ROLE_PREFIX | |||
| MSSQL_ENABLE_ROW_FILTER | |||
| MSSQL_ENABLE_MASKING | |||
| MSSQL_MASKED_NUMBER_VALUE | |||
| MSSQL_MASKED_DOUBLE_VALUE | |||
| MSSQL_MASKED_DATE_VALUE | |||
| MSSQL_MASKED_TEXT_VALUE | |||
| MSSQL_ENABLE_VIEW_BASED_ROW_FILTER | |||
| MSSQL_ENABLE_VIEW_BASED_MASKING | |||
| MSSQL_SECURE_VIEW_SCHEMA_NAME | |||
| MSSQL_SECURE_VIEW_SCHEMA_NAME_PREFIX | |||
| MSSQL_SECURE_VIEW_SCHEMA_NAME_POSTFIX | |||
| MSSQL_SECURE_VIEW_NAME_PREFIX | |||
| MSSQL_SECURE_VIEW_NAME_POSTFIX | |||
| MSSQL_SECURE_VIEW_CREATE_FOR_ALL | |||
| MSSQL_AUDIT_ENABLE | |||
| MSSQL_AUDIT_LOAD_KEY | |||
| MSSQL_AUDIT_INITIAL_PULL_MINUTES | |||
| MSSQL_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t. Enter a suffix string or a comma-separated list of suffix strings. |
_t,_v |
|
| MSSQL_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. Enter a suffix string or a comma-separated list of suffix strings. |
_view,_table |
|
|
MSSQL_USER_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the MSSQL_USER_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
||
|
MSSQL_USER_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_USER_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. |
||
|
MSSQL_GROUP_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the MSSQL_GROUP_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
||
|
MSSQL_GROUP_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_GROUP_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. |
||
|
MSSQL_ROLE_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the MSSQL_ROLE_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
||
|
MSSQL_ROLE_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the MSSQL_ROLE_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. |
||
| MSSQL_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | When a query fails while applying permissions, it tries to apply the query again. To minimize the risk of invalid cases, set a maximum retry attempt. |
2 |
PostgreSQL Connector#
| Property | Description | Values | Default Value |
|---|---|---|---|
| POSTGRES_ENABLE | |||
| POSTGRES_SERVICE_TYPE | |||
| POSTGRES_CONNECTOR_NAME | |||
| POSTGRES_JDBC_DB | |||
| POSTGRES_MASTER_DB | |||
| POSTGRES_OWNER_ROLE |
Use this property to set the owner for all the resources managed by PolicySync. The specified role will become owner for all managed resources. Privacera supports changing owners of database, schema, tables and views. Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control. |
||
| POSTGRES_LOAD_RESOURCES_KEY | This property controls which method to be used to load resources from Postgres. |
|
load_from_database_columns |
| POSTGRES_RESOURCE_SYNC_INTERVAL | This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Postgres after checking whether any new resource has been created or any changes are made in the existing resource. | 60 | |
| POSTGRES_PRINCIPAL_SYNC_INTERVAL | This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Postgres after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. | 420 | |
| POSTGRES_PERMISSION_SYNC_INTERVAL | This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Postgres, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. | 540 | |
| POSTGRES_AUDIT_SYNC_INTERVAL | This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Postgres. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. | 30 | |
| POSTGRES_MANAGE_ENV_PREFIX | |||
| POSTGRES_MANAGE_DATABASE_LIST |
Add the database names to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
testdb1,testdb2,sales_db* | |
| POSTGRES_MANAGE_SCHEMA_LIST |
Add the database schemas to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
customer.customer_schema1,customer.customer_schema2 or customer.* |
POSTGRES_MANAGE_TABLE_LIST |
Add the database tables to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
customer.customer_schema1.table1,customer.customer_schema2.table2 or customer.customer_schema.* |
| POSTGRES_MANAGE_VIEW_LIST | Add the database views to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{view_name} If the value is kept blank, then all views will be managed. If the value is none, then no views will be managed.If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.Use comma-separated values to enter multiple views. |
customer.customer_schema1.view1,customer.customer_schema2.view2 or customer.customer_schema.* |
|
| POSTGRES_SECURE_VIEW_ACCESS_BY_TABLE | |||
| POSTGRES_IGNORE_ENV_PREFIX | |||
| POSTGRES_IGNORE_DATABASE_LIST | This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. | testdb1,testdb2,sales_db* | |
| POSTGRES_IGNORE_SCHEMA_LIST | This property is used to set comma-separated database schemas on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedance over manage schema list. | testdb1.schema1,testdb2.schema2,sales_db*.sales* | |
| POSTGRES_IGNORE_TABLE_LIST | This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. | testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.* | |
| POSTGRES_MANAGE_USER_LIST | This property is used to set comma-separated user names on which you want access control to be managed by PolicySync. To manage all the users:
It supports wildcards. The ignore users list has precedance over manage users list. |
user1,user2,dev_user* | |
| POSTGRES_MANAGE_GROUP_LIST | This property is used to set comma-separated group names on which you want access control to be managed by PolicySync. To manage all the groups:
It supports wildcards. The ignore group list has precedance over manage group list. |
group1,group2,dev_group* | |
| POSTGRES_MANAGE_ROLE_LIST | This property is used to set comma-separated role names on which you want access control to be managed by PolicySync. To manage all the roles:
It supports wildcards. The ignore role list has precedance over manage role list. |
role1,role2,dev_role* | |
| POSTGRES_MANAGE_USER_FILTERBY_GROUP | PolicySync will manage users specified in POSTGRES_MANAGE_USER_LIST property only if they are associated with any group specified in POSTGRES_MANAGE_GROUP_LIST property. | true, false | false |
| POSTGRES_POLICY_NAME_SEPARATOR | This property is used as a separator in the POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE property. It is used when creating a name for native row filter policy. | _priv_ | |
| POSTGRES_ROW_FILTER_POLICY_NAME_TEMPLATE | This property is used to set the name for a row filter policy by using a template. For example, if customer_data is the table, customer_schema is the schema, customer_db is teh database, then customer_db_priv_customer_schema_priv_customer_data_{row_filter_item_number} will be the name of the row filter policy. | {database}{separator}{schema}{separator}{table} | |
| POSTGRES_MANAGE_USER_FILTERBY_ROLE | PolicySync will manage users specified in POSTGRES_MANAGE_USER_LIST property only if they are associated with any role specified in POSTGRES_MANAGE_ROLE_LIST property. | true, false | false |
| POSTGRES_IGNORE_USER_LIST | This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property. It supports wildcards. This has precedance over manage user list. |
user1,user2,dev_user* | |
| POSTGRES_IGNORE_GROUP_LIST | This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property. It supports wildcards. This has precedance over manage group list. |
group1,group2,dev_group* | |
| POSTGRES_IGNORE_ROLE_LIST | This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property. It supports wildcards. This has precedance over manage role list. |
role1,role2,dev_role* | |
| POSTGRES_MANAGE_ENTITIES | |||
| POSTGRES_MANAGE_USERS | Use this property to manage the membership between user and user role. | false, true | true |
| POSTGRES_MANAGE_GROUPS | Use this property to create roles in Postgres when groups are retrieved from Ranger. | false, true | true |
| POSTGRES_MANAGE_ROLES | Use this property to create roles in Postgres when they are retrieved from Ranger. | false, true | true |
| POSTGRES_GRANT_UPDATES | This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Postgres. |
false, true | true |
| POSTGRES_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | This property is used to set maximum retry attempts to be made for granting or revoking the access if any failure is due to database connection errors. |
2 | |
| POSTGRES_ENABLE_DATA_ADMIN | This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well. |
false, true | true |
| POSTGRES_ENABLE_MIGRATION | This property can be used to migrate old properties of Postgres PolicySync to the new ones. It includes cleaning up of native row filters policies created by the old properties, since the new properties will be creating it again with its own format of naming. |
false, true | true |
| POSTGRES_ENTITY_ROLE_PREFIX | |||
| POSTGRES_USER_ROLE_PREFIX | This propery is used to set a role prefix for users in Postgres when they are retrieved from Ranger. For example, if john is a user in Ranger and you have defined prefix as test_user_, then test_user_john is the role that will be created for john in Postgres. | priv_user_ | |
| POSTGRES_GROUP_ROLE_PREFIX | This propery is used to set a role prefix for groups in Postgres when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Postgres. | priv_group_ | |
| POSTGRES_ROLE_ROLE_PREFIX | This propery is used to set a role prefix for roles in Postgres when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Postgres. | priv_role_ | |
| POSTGRES_USE_NATIVE_PUBLIC_GROUP | Set this property to true, if you want PolicySync to use Postgres' native Public group for access grants. It will be used whenever a policy is created with the Public group selected. | false, true | true |
| POSTGRES_ENABLE_ROW_FILTER | Set this property to true, if you want to enable native row filter functionality. It is not recommened to be used, since the native row filters can only be created on tables, they can't be created on views. | false, true | false |
| POSTGRES_MASKED_NUMBER_VALUE | This property is used to specify the default masking value for numeric columns. |
0 | |
| POSTGRES_MASKED_DOUBLE_VALUE | |||
| POSTGRES_MASKED_DOUBLE_VALUE | |||
| POSTGRES_MASKED_TEXT_VALUE | This property is used to specify the default masking value for text/string columns. |
'<MASKED>' | |
| POSTGRES_ENABLE_VIEW_BASED_ROW_FILTER | Set this property to true, if you want to enable secure view-based row filter in Postgres PolicySync. Note:- Postgres supports native row filters, but due to some limitations, it is recommended to use view-based row filter. |
false, true | true |
| POSTGRES_ENABLE_VIEW_BASED_MASKING | Set this property to true, if you want to enable secure view-based masking in Postgres PolicySync. Note:- Postgres does not support native masking. It is recommended to use view-based masking. |
false, true | true |
| POSTGRES_SECURE_VIEW_SCHEMA_NAME | |||
| POSTGRES_SECURE_VIEW_SCHEMA_NAME_PREFIX | By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix} For {view_schema_name}, refer to POSTGRES_SECURE_VIEW_SCHEMA_NAME property. |
||
| POSTGRES_SECURE_VIEW_SCHEMA_NAME_POSTFIX | By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix} For {view_schema_name}, refer to POSTGRES_SECURE_VIEW_SCHEMA_NAME property. |
||
| POSTGRES_SECURE_VIEW_NAME_PREFIX | By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix} | ||
| POSTGRES_SECURE_VIEW_NAME_POSTFIX | By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, set this field to the required string. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix} | _secure | |
| POSTGRES_SECURE_VIEW_CREATE_FOR_ALL | Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger. |
false, true | true |
| POSTGRES_AUDIT_ENABLE | This property is used to enable retrieving access audits from Postgres. |
false, true | false |
| POSTGRES_AUDIT_EXCLUDED_USERS | This property is used to set the list of users whose access audits you want to ignore. Set a list of comma-separated users. |
POSTGRES_JDBC_USERNAME | |
| POSTGRES_AUDIT_SOURCE | This property is used to set the mode through which we should be loading access audits. Access audits for AWS RDS Postgres only support SQS mode. It retrieves audits from the SQS queue. |
sqs | |
| POSTGRES_AWS_ACCESS_KEY | This property is used to set the AWS access key. It will be used to create an IAM client to access the SQS queue to get access audits. This should be used only if your deployment machine doesn't have an IAM role associated with it. |
||
| POSTGRES_AWS_SECRET_KEY | This property is used to set the AWS secret key. It will be used to create an IAM client to access the SQS queue to get access audits. This should be used only if your deployment machine doesn't have an IAM role associated with it. |
||
| POSTGRES_AWS_REGION | This property is used to set the AWS region where the SQS queue is stored. |
us-east-1 | |
| POSTGRES_AWS_SQS_QUEUE_ENDPOINT | This property is used to set SQS endpoint URL. Set it if you use private VPC in your AWS account which doesn't have access to the internet. So you need to set a private endpoint here. |
||
| POSTGRES_AWS_SQS_QUEUE_NAME | This property is used to set the AWS SQS queue name from which you get access audits. |
||
| POSTGRES_AWS_SQS_QUEUE_MAX_POLL_MESSAGES | This property is used to set the number of messages to be retrieved from the SQS queue at one time and should be processed for auditing purposes. |
100 | |
| POSTGRES_AUDIT_SQS_QUEUE_REGION | |||
| POSTGRES_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t and then your secure schema name will be {schema_prefix}some_schema{schema_postfix}. Enter a suffix string or a comma-separated list of suffix strings. |
_t,_v |
|
| POSTGRES_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table and then your secure name will be {prefix}some_name{postfix}. Enter a suffix string or a comma-separated list of suffix strings. |
_view,_table |
|
|
POSTGRES_USER_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the POSTGRES_USER_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
POSTGRES_USER_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by the regex specified in the POSTGRES_USER_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the POSTGRES_GROUP_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
POSTGRES_GROUP_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the POSTGRES_ROLE_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
POSTGRES_ROLE_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
| POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY |
After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| POSTGRES_GROUP_NAME_PERSIST_CASE_SENSITIVITY |
After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| POSTGRES_ROLE_NAME_PERSIST_CASE_SENSITIVITY |
After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| POSTGRES_CREATE_USER | Use this property to create users in Postgres when they are retrieved from Ranger. | false, true | false |
| POSTGRES_CREATE_USER_ROLE | Use this property to create user role in Postgres when they are retrieved from Ranger. | false, true | true |
Redshift Connector#
| Property | Description | Values | Default Value |
|---|---|---|---|
| REDSHIFT_ENABLE | Property to enable/disable the old properties of Redshift. | ||
| REDSHIFT_V2_ENABLE | Property to enable/disable the new properties of Redshift. | true | |
| REDSHIFT_SERVICE_TYPE | |||
| REDSHIFT_CONNECTOR_NAME | |||
| REDSHIFT_MASTER_DB |
Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_MANAGE_ENV_PREFIX | Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_OWNER_ROLE |
Use this property to set the owner for all the resources managed by PolicySync. The specified role will become owner for all managed resources. Privacera supports changing owners of database, schema, tables and views. Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control. |
||
| REDSHIFT_LOAD_RESOURCES_KEY | This property controls which method to be used to load resources from Snowflake. |
|
load_from_database_columns |
| REDSHIFT_RESOURCE_SYNC_INTERVAL | This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Redshift after checking whether any new resource has been created or any changes are made in the existing resource. | 60 | |
| REDSHIFT_PRINCIPAL_SYNC_INTERVAL | This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Redshift after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. | 420 | |
| REDSHIFT_PERMISSION_SYNC_INTERVAL | This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Redshift, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. | 540 | |
| REDSHIFT_AUDIT_SYNC_INTERVAL | This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Redshift. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. | 30 | |
| REDSHIFT_MANAGE_DATABASE_LIST |
Add the database names to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
testdb1,testdb2,sales_db* | |
| REDSHIFT_MANAGE_SCHEMA_LIST |
Add the database schemas to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
customer.customer_schema1,customer.customer_schema2 or customer.* |
REDSHIFT_MANAGE_TABLE_LIST |
Add the database tables to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
customer.customer_schema1.table1,customer.customer_schema2.table2 or customer.customer_schema.* |
REDSHIFT_MANAGE_VIEW_LIST | Add the database views to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{view_name} If the value is kept blank, then all views will be managed. If the value is none, then no views will be managed.If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.Use comma-separated values to enter multiple views. Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
customer.customer_schema1.view1,customer.customer_schema2.view2 or customer.customer_schema.* |
| REDSHIFT_IGNORE_ENV_PREFIX | Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_IGNORE_DATABASE_LIST | This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. | testdb1,testdb2,sales_db* | |
| REDSHIFT_IGNORE_SCHEMA_LIST | This property is used to set comma-separated database schemas on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any schemas. It supports wildcards. This has precedance over manage schema list. | testdb1.schema1,testdb2.schema2,sales_db*.sales* | |
| REDSHIFT_IGNORE_TABLE_LIST | This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. | testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.* | |
| REDSHIFT_MANAGE_USER_LIST | This property is used to set comma-separated user names on which you want access control to be managed by PolicySync. To manage all the users:
It supports wildcards. The ignore users list has precedance over manage users list. |
user1,user2,dev_user* | |
| REDSHIFT_MANAGE_GROUP_LIST | This property is used to set comma-separated group names on which you want access control to be managed by PolicySync. To manage all the groups:
It supports wildcards. The ignore group list has precedance over manage group list. |
group1,group2,dev_group* | |
| REDSHIFT_MANAGE_ROLE_LIST | This property is used to set comma-separated role names on which you want access control to be managed by PolicySync. To manage all the roles:
It supports wildcards. The ignore role list has precedance over manage role list. |
role1,role2,dev_role* | |
| REDSHIFT_MANAGE_USER_FILTERBY_GROUP | Policysync will manage users specified in REDSHIFT_MANAGE_USER_LIST property only if they are associated with any group specified in REDSHIFT_MANAGE_GROUP_LIST | true, false | false |
| REDSHIFT_MANAGE_USER_FILTERBY_ROLE | Policy-sync will manage users specified in REDSHIFT_MANAGE_USER_LIST prop only if they are associated with any role specified in REDSHIFT_MANAGE_ROLE_LIST | true, false | false |
| REDSHIFT_IGNORE_USER_LIST | This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property. It supports wildcards. This has precedance over manage user list. |
user1,user2,dev_user* | |
| REDSHIFT_IGNORE_GROUP_LIST | This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property. It supports wildcards. This has precedance over manage group list. |
group1,group2,dev_group* | |
| REDSHIFT_IGNORE_ROLE_LIST | This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property. It supports wildcards. This has precedance over manage role list. |
role1,role2,dev_role* | |
| REDSHIFT_MANAGE_ENTITIES | |||
| REDSHIFT_MANAGE_USERS | Use this property to manage the membership between user and user role. | false, true | true |
| REDSHIFT_MANAGE_GROUPS | Use this property to create roles in Redshift when groups are retrieved from Ranger. | false, true | true |
| REDSHIFT_MANAGE_ROLES | Use this property to create roles in Redshift when they are retrieved from Ranger. | false, true | true |
| REDSHIFT_GRANT_UPDATES | This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Redshift. |
false, true | true |
| REDSHIFT_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | This property is used to set maximum retry attempts to be made for granting or revoking the access if any failure is due to database connection errors. |
2 | |
| REDSHIFT_ENABLE_DATA_ADMIN | This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well. |
false, true | true |
| REDSHIFT_ENTITY_ROLE_PREFIX | |||
| REDSHIFT_USER_ROLE_PREFIX | This propery is used to set a role prefix for users in Redshift when they are retrieved from Ranger. For example, if john is a user in Ranger and you have defined prefix as test_user_, then test_user_john is the role that will be created for john in Redshift. | priv_user_ | |
| REDSHIFT_GROUP_ROLE_PREFIX | This propery is used to set a role prefix for groups in Redshift when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Redshift. | priv_group_ | |
| REDSHIFT_ROLE_ROLE_PREFIX | This propery is used to set a role prefix for roles in Redshift when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Redshift. | priv_role_ | |
| REDSHIFT_USE_NATIVE_PUBLIC_GROUP | Set this property to true, if you want PolicySync to use Redshift' native Public group for access grants. It will be used whenever a policy is created with the Public group selected. | false, true | true |
| REDSHIFT_ENABLE_ROW_FILTER | Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_MASKED_NUMBER_VALUE | This property is used to specify the default masking value for numeric columns. |
0 | |
| REDSHIFT_MASKED_DOUBLE_VALUE | Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_MASKED_DATE_VALUE | Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
| REDSHIFT_MASKED_TEXT_VALUE | This property is used to specify the default masking value for text/string columns. |
'<MASKED>' | |
| REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER | Set this property to true, if you want to enable secure view-based row filter in Redshift PolicySync. Note:- Redshift supports native row filters, but due to some limitations, it is recommended to use view-based row filter. |
true, false | true |
| REDSHIFT_ENABLE_VIEW_BASED_MASKING | Set this property to true, if you want to enable secure view-based masking in Redshift PolicySync. Note:- Redshift does not support native masking. It is recommended to use view-based masking. |
true. false | true |
| REDSHIFT_SECURE_VIEW_SCHEMA_NAME | By default, view-based row filter and masking related secure views are created in the same schema as the original table schema. You can use the property if you want to keep these secure views in a separate schema by providing a schema name in this property. Note: This property can be used only when REDSHIFT_ENABLE property is enabled. |
||
|
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX |
By default, view-based row filter and masking related secure views have the same schema name as the table schema name. If you want to change the prefix and postfix of the secure view schema name, use these properties. After prefix and postfix is specified, the view schema name will be in this format : {prefix}{view_schema_name}{postfix} For {view_schema_name} refer to variable REDSHIFT_SECURE_VIEW_SCHEMA_NAME |
||
|
REDSHIFT_SECURE_VIEW_NAME_PREFIX REDSHIFT_SECURE_VIEW_NAME_POSTFIX |
By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix} |
||
| REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL | Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger. |
true, false | false |
| REDSHIFT_AUDIT_ENABLE | This property is used to enable retrieving access audits from Redshift. |
false, true | false |
| REDSHIFT_AUDIT_EXCLUDED_USERS | This property is used to set the list of users whose access audits you want to ignore. Set a list of comma-separated users. |
REDSHIFT_JDBC_USERNAME | |
| REDSHIFT_AUDIT_INITIAL_PULL_MINUTES | When the audits are enabled for the first time, the value will decide the number of minutes you need to pull the access audits from the database, default value is 30 mins. |
30 | |
| REDSHIFT_SECURE_VIEW_SCHEMA_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema name is some_name_t, you can remove the suffix, _t. Enter a suffix string or a comma-separated list of suffix strings. |
_t,_v |
|
| REDSHIFT_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. Enter a suffix string or a comma-separated list of suffix strings. |
_view,_table |
|
|
REDSHIFT_USER_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the REDSHIFT_USER_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
REDSHIFT_USER_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by the regex specified in the REDSHIFT_USER_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the REDSHIFT_GROUP_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
REDSHIFT_GROUP_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the REDSHIFT_ROLE_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
REDSHIFT_ROLE_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
| REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY |
After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY |
After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY |
After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| REDSHIFT_CREATE_USER | Use this property to create users in Redshift when they are retrieved from Ranger. | false, true | true |
| REDSHIFT_CREATE_USER_ROLE | Use this property to create user role in Redshift when they are retrieved from Ranger. | false, true | true |
Databricks SQL#
| Property | Description | Values | Default Value |
|---|---|---|---|
| DATABRICKS_SQL_ANALYTICS_ENABLE | Property to enable/disable the old properties of Databricks SQL Analytics. | true, false | true |
| DATABRICKS_SQL_ANALYTICS_V2_ENABLE | Property to enable/disable the new properties of Databricks SQL Analytics. | true, false | false |
| DATABRICKS_SQL_ANALYTICS_SERVICE_TYPE | databricks_sql_analytics | ||
| DATABRICKS_SQL_ANALYTICS_CONNECTOR_NAME | DatabricksSQLAnalytics | ||
| DATABRICKS_SQL_ANALYTICS_JDBC_URL | This property used to set JDBC url which can be used to connect to Databricks SQL endpoint. |
||
| DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME | This property used to set jdbc Username to be used to make connection to Databricks SQL endpoint. This is just an email used to log in to Databricks to manage the SQL endpoint. (ex. john.doe@privacera.com) | ||
| DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD | This is a personal access token used to access the Databricks SQL endpoint, that is created in Databricks by going to SQL endpoints > Create a personal access token. It should look like this: dapi71f8493xxxxx47d09e17a10ba8d53 | ||
| DATABRICKS_SQL_ANALYTICS_JDBC_DB | This property used to set JDBC database to be used to make initial connection to Databricks SQL endpoint. | privacera_db | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_ENV_PREFIX | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_OWNER_ROLE |
Use this property to set the owner for all the resources managed by PolicySync. The specified user will become owner for all managed resources and will have full control over all the resources. Privacera supports changing owners of database, tables and views. Note: If owner role is kept blank, then the user who creates the table/view or any object, they will become the owner of those object. This will not allow PolicySync to perform access control. |
||
| DATABRICKS_SQL_ANALYTICS_HOST_URL |
This property is used to make a call to SQL analytics API for users/groups/audits. It should be the base URL of Databricks, for example https://db1.cloud.databricks.com/ |
||
| DATABRICKS_SQL_ANALYTICS_LOAD_RESOURCES_KEY | This property controls which method to be used to load resources from Databricks SQL. It should be not be changed - Databricks only supports the value load as a method for loading resources. |
|
load |
| DATABRICKS_SQL_ANALYTICS_RESOURCE_SYNC_INTERVAL | This property is used to set the interval in seconds for resource sync process. Resource sync is the process where resources are loaded from the Databricks SQL after checking whether any new resource has been created or any changes are made in the existing resource. | 60 | |
| DATABRICKS_SQL_ANALYTICS_PRINCIPAL_SYNC_INTERVAL | This property is used to set the interval in seconds for pricipal sync process. Principal sync is the process where the user/group/roles are loaded from the Databricks SQL after checking what all users/groups/roles have been created and membership between them, and then validates these with what is defined in the Audits page of the Privacera Portal. | 420 | |
| DATABRICKS_SQL_ANALYTICS_PERMISSION_SYNC_INTERVAL | This property is used to set the interval in seconds for existing policies sync process. Existing policies sync is the process where permissions or policies are loaded which are already synced to Databricks SQL, and then validates it with Ranger policies. If any difference is found, then required grants/revokes are triggered. | 540 | |
| DATABRICKS_SQL_ANALYTICS_AUDIT_SYNC_INTERVAL | This property is used to set the interval in seconds for the access audits process. Access audits process is the process where the access audits are retrieved from Databricks SQL. The audits are pushed to Solr to display them on the Audits page of the Privacera Portal. | 30 | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST |
Add the database names to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
testdb1,testdb2,sales_db* | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST |
Add the database tables to be managed by PolicySync.
It supports wildcards. The ignore database list has precedance over manage database list. |
customer.customer_schema1.table1,customer.customer_schema2.table2 or customer.customer_schema.* |
|
| DATABRICKS_SQL_ANALYTICS_MANAGE_VIEW_LIST | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. Add the database views to be managed by PolicySync. Enter the value for the property in the following: {database_name}.{schema_name}.{view_name} If the value is kept blank, then all views will be managed. If the value is none, then no views will be managed.If the value is specified as {database_name}.{schema_name}.*, then all views will be managed.Use comma-separated values to enter multiple views. Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
customer.customer_schema1.view1,customer.customer_schema2.view2 or customer.customer_schema.* |
|
| DATABRICKS_SQL_ANALYTICS_IGNORE_ENV_PREFIX | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_IGNORE_DATABASE_LIST | This property is used to set comma-separated database names on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any database. It supports wildcards. This has precedance over manage database list. | testdb1,testdb2,sales_db* | |
| DATABRICKS_SQL_ANALYTICS_IGNORE_TABLE_LIST | This property is used to set comma-separated database table/view on which you do not want access control to be managed by PolicySync. Keep the value blank, if you do not want to ignore any tables/views. It supports wildcards. This has precedance over manage table list. | testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.* | |
| DATABRICKS_SQL_ANALYTICS_IGNORE_VIEW_LIST | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_DEFAULT_USER_PASSWORD | |||
| DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITY_PREFIX | |||
| DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST | This property is used to set comma-separated user names on which you want access control to be managed by PolicySync. To manage all the users:
It supports wildcards. The ignore users list has precedance over manage users list. |
user1,user2,dev_user* | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST | This property is used to set comma-separated group names on which you want access control to be managed by PolicySync. To manage all the groups:
It supports wildcards. The ignore group list has precedance over manage group list. |
group1,group2,dev_group* | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST | This property is used to set comma-separated role names on which you want access control to be managed by PolicySync. To manage all the roles:
It supports wildcards. The ignore role list has precedance over manage role list. |
role1,role2,dev_role* | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP | Policysync will manage users specified in DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST property only if they are associated with any group specified in DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST | true, false | false |
| DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE | Policy-sync will manage users specified in DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST prop only if they are associated with any role specified in DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST | true, false | false |
| DATABRICKS_SQL_ANALYTICS_IGNORE_ENTITY_PREFIX | |||
| DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST | This property is used to set comma-separated usernames on which you do not want access control to be managed by PolicySync. To manage all the users, do not define the property. It supports wildcards. This has precedance over manage user list. |
user1,user2,dev_user* | |
| DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST | This property is used to set comma-separated group names on which you do not want access control to be managed by PolicySync. To manage all the groups, do not define the property. It supports wildcards. This has precedance over manage group list. |
group1,group2,dev_group* | |
| DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST | This property is used to set comma-separated role names on which you do not want access control to be managed by PolicySync. To manage all the roles, do not define the property. It supports wildcards. This has precedance over manage role list. |
role1,role2,dev_role* | |
| DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITIES | |||
| DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS | Use this property to create roles in Redshift when groups are retrieved from Ranger. | false, true | true |
| DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES | Use this property to create roles in Redshift when they are retrieved from Ranger. | false, true | true |
| DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES | This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Databricks SQL. |
false, true | true |
| DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN | This property is used to enable the data admin feature. With data admin feature enabled, you can create all the policies on table/native view and by default respective grants will be made on the secure view of a table or native view. As a result, this secure view will have row filter and masking capability. If you need permission on the table, then you can select the permission you want and data admin in the policy, In this case, that permission will be granted on both, the table/native view and its secure view as well. |
false, true | true |
| DATABRICKS_SQL_ANALYTICS_USE_HIVE_ACCESS_POLICIES |
Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. Use privacera_hive service instead of privacera_databricks_sql_analytics. After setting the PM property the policysync will start syncing the policies from privacera_hive and the only highlight will be the deny and execulde from allow/deny will not work as expected. Because the policysync only support Allow condition for now. |
false, true | true |
| DATABRICKS_SQL_ANALYTICS_ENTITY_ROLE_PREFIX | priv_ | ||
| DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX | This propery is used to set a role prefix for groups in Databricks SQL when they are retrieved from Ranger. For example, if dev is a group in Ranger and you have defined prefix as test_group_, then test_group_dev is the role that will be created for dev in Databricks SQL. | priv_group_ | |
| DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX | This propery is used to set a role prefix for roles in Databricks SQL when they are retrieved from Ranger. For example, if finance is a role in Ranger and you have defined prefix as test_role_, then test_role_finance is the role that will be created for finance in Databricks SQL. | priv_role_ | |
| DATABRICKS_SQL_ANALYTICS_USE_NATIVE_PUBLIC_GROUP | Set this property to true, if you want PolicySync to use Databricks SQL's native Public group for access grants. It will be used whenever a policy is created with the Public group selected. | false, true | true |
| DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE | This property is used to specify the default masking value for numeric columns. |
0 | |
| DATABRICKS_SQL_ANALYTICS_MASKED_DOUBLE_VALUE | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_MASKED_DATE_VALUE | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER | Set this property to true, if you want to enable secure view-based row filter in Databricks SQL PolicySync. Note:- Databricks SQL supports native row filters, but due to some limitations, it is recommended to use view-based row filter. |
true, false | true |
| DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING | Set this property to true, if you want to enable secure view-based masking in Databricks SQL PolicySync. Note:- Databricks SQL does not support native masking. It is recommended to use view-based masking. |
true. false | true |
| DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME_PREFIX | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_DATABASE_NAME_POSTFIX | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX |
By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix} |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX |
By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix} |
_secure | |
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX |
By default, view-based row filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{table_name}{postfix} |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX |
By default, view-based row filter and masking related secure views have the same name as the table database name. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{view_database_name}{postfix} |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX |
By default, view-based row filter and masking related secure views have the same name as the table database name. If you want to change the prefix and postfix of the secure view name, use these properties. After prefix and postfix is specified, the view name will be in this format : {prefix}{view_database_name}{postfix} |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. and then your secure name will be {prefix}some_name{postfix} Enter a suffix string or a comma-separated list of suffix strings. |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_REMOVE_SUFFIX_LIST |
You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix, _schema. and then your secure schema name will be {schema_prefix}some_schema{schema_postfix} Enter a suffix string or a comma-separated list of suffix strings. |
||
| DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL | Set this property to true, if you want to create secure view for all tables and all views that were created by end-users. This will create a secure view for resources regardless of whether there is any masking or row filter policy that exists in Ranger. |
true, false | false |
| DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_MASKING | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
TRUE | |
| DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
FALSE | |
| DATABRICKS_SQL_ANALYTICS_ENABLE_COLUMN_ACCESS_EXCEPTION_FUNCTION | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
{database}.PUBLIC.ThrowColumnAccessException('{col}') | |
| DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_NUMBER_VALUE | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_DOUBLE_VALUE | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE | Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
||
| DATABRICKS_SQL_ANALYTICS_AUDIT_ENABLE | This property is used to enable retrieving access audits from Databricks SQL. |
false, true | true |
| DATABRICKS_SQL_ANALYTICS_AUDIT_INITIAL_PULL_MINUTES | When the audits are enabled for the first time, the value will decide the number of minutes you need to pull the access audits from the database, default value is 30 mins. |
30 | |
|
DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the username and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by the regex specified in the DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the group name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
|
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX |
This takes the regular expression as input and finds the matching characters in the role name and replaces them with the characters specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING variable. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
|
DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING |
The value specified in this variable is used to replace the characters found by regex specified in the DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX variable. If kept blank, no find and replace operation is performed. The default value is an underscore (_). |
_ | |
| DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY |
After loading users using Ranger API, the usernames are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY |
After loading groups using Ranger API, the group names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY |
After loading roles using Ranger API, the role names are converted into lowercase. However, you may want to retain case same as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger. |
false, true | false |
| DATABRICKS_SQL_ANALYTICS_CREATE_USER | Use this property to create users in Databricks SQL when they are retrieved from Ranger. | false, true | false |
|
DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_ACCESS_BY_TABLE |
The value of this variable should be set to true if you want to apply grants on secure views by using the table policy itself. Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
true, false | true |
| DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE | Specify the text value to be displayed in columns of secure view (columns which don't have Select permission) when column-level access control is applied on the table. For example, DATABRICKS_SQL_ANALYTICS_COLUMN_ACCESS_CONTROL_TEXT_VALUE: "'# REDACTED #'"
Note: This property can be used only when DATABRICKS_SQL_ANALYTICS_ENABLE property is enabled. |
'# REDACTED #' |
|
| DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE | Specify the text value to be displayed in columns of secure view (columns which has masking policies) when column masking is applied on table. For example, DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE: "'<MASKED>'" |
'<MASKED>' |
Google BigQuery Connector#
| Property | Description | Values | Default Value |
|---|---|---|---|
| BIGQUERY_LOAD_RESOURCES_KEY | This property controls which method to be used to load resources from BigQuery. |
|
load_from_dataset_columns |
| BIGQUERY_RESOURCE_SYNC_INTERVAL | This property is used to set the interval in seconds for the resource sync process. Resource sync is the process where we load the resources from BigQuery to check whether any new resource has been created or there is any change in the existing resource. This process happens in the defined interval time. | 60 | |
| BIGQUERY_PRINCIPAL_SYNC_INTERVAL | This property is used to set the interval in seconds for principal sync process. Principal sync is the process where we load the user/group/roles from BigQuery to check which users/groups/roles are created and membership between them. This process happens in the defined interval time. |
420 | |
| BIGQUERY_PERMISSION_SYNC_INTERVAL | This property is used to set the interval in seconds for syncing the existing policies sync. Existing policies are synced where we load the permissions or policies which are already synced to BigQuery, and then validate it with Ranger policies. If differences are found, then required grants/revokes are triggered. This process happens in the defined interval time. |
540 | |
| BIGQUERY_AUDIT_SYNC_INTERVAL | This property is used to set the interval in seconds for getting the access audits. Access audits are retrieved from the BigQuery and then pushed to Solr, so they can be displayed on Privacera Access Audit Page. This process happens in the defined interval time. |
30 | |
| BIGQUERY_IGNORE_PROJECT_LIST | This property is used to set comma-separated project names which you don't want access control to be managed by PolicySync. If you don't want to ignore any project then keep the value blank. It supports wildcards. This has precedence over the managed project list. For example, testproject1,testproject2,sales_project* > |
||
| BIGQUERY_USER_NAME_REPLACE_FROM_REGEX | This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
| BIGQUERY_USER_NAME_REPLACE_TO_STRING | The value specified in this property is used to replace the characters found by the regex specified in the user name regex property. If kept blank, no find and replace operation is performed. |
_ | |
| BIGQUERY_GROUP_NAME_REPLACE_FROM_REGEX | This takes the regular expression as input and finds the matching characters in a group name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
| BIGQUERY_GROUP_NAME_REPLACE_TO_STRING | The value specified in this property is used to replace the characters found by the regex specified in the group name regex property. If kept blank, no find and replace operation is performed. |
_ | |
| BIGQUERY_ROLE_NAME_REPLACE_FROM_REGEX | This takes the regular expression as input and finds the matching characters in a role name and replaces them with the characters specified in the property. If kept blank, no find and replace operation is performed. |
[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] | |
| BIGQUERY_ROLE_NAME_REPLACE_TO_STRING | The value specified in this property is used to replace the characters found by the regex specified in the role name regex property. If kept blank, no find and replace operation is performed. |
_ | |
| BIGQUERY_NATIVE_PUBLIC_GROUP_IDENTITY_NAME | The value specified in this property is used to replace the characters found by the regex specified in the role name regex property. If kept blank, no find and replace operation is performed. |
|
|
| BIGQUERY_MANAGE_USER_FILTERBY_ROLE | Set this property to true, if you want to manage only the users who belong to the roles defined in manage roles list property. |
true, false | false |
| BIGQUERY_POLICY_NAME_SEPARATOR | This property is used to set separator, which will be used while creating a name for native row filter policy. |
_ | |
| BIGQUERY_ROW_FILTER_POLICY_NAME_TEMPLATE | This property is used as a template to create native row filter policy names. For example, multiple native row filters added on the table will look like row_filter_item_1, row_filter_item_2, etc. |
row_filter_item_ | |
| BIGQUERY_SECURE_VIEW_CREATE_FOR_ALL | Set this property to true, if you want to create a secure view for all tables and all views created by users. This will create a secure view for resources regardless of whether there is any masking/row filter policy that exists in Ranger. |
true, false | true |
| BIGQUERY_MASKING_FUNCTIONS_DATASET | This property is used to set the name of the dataset in the GCP project to create custom masking functions required by PolicySync. |
privacera_dataset | |
| BIGQUERY_MASKED_NUMBER_VALUE | This property is used to specify the default masking value for numeric columns. |
0 | |
| BIGQUERY_MASKED_TEXT_VALUE | This property is used to specify the default masking value for text/string columns. |
'<MASKED>' | |
| BIGQUERY_SECURE_VIEW_NAME_PREFIX | By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix} |
||
| BIGQUERY_SECURE_VIEW_NAME_POSTFIX | By default, view-based row filter and masking-related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix} |
||
| BIGQUERY_SECURE_VIEW_DATASET_NAME_PREFIX | By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix} |
||
| BIGQUERY_SECURE_VIEW_DATASET_NAME_POSTFIX | By default view-based row filter and masking-related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix} |
_secure | |
| BIGQUERY_SECURE_VIEW_NAME_REMOVE_SUFFIX_LIST | You can remove any unwanted suffix attached at the end of a table/view name. For example, if the table name is some_name_table, you can remove the suffix, _table. and then your secure name will be {prefix}some_name{postfix} Enter a suffix string or a comma-separated list of suffix strings. |
||
| BIGQUERY_SECURE_VIEW_DATASET_NAME_REMOVE_SUFFIX_LIST | You can remove any unwanted suffix attached at the end of a schema name. For example, if the schema is some_name_schema, you can remove the suffix, _schema. and then your secure schema name will be {schema_prefix}some_schema{schema_postfix} Enter a suffix string or a comma-separated list of suffix strings. /td> | ||
| BIGQUERY_ENABLE_AUTHORIZED_VIEW_ACL_UPDATER | This property is used to enable asynchronized authorized view ACLs updater, it updates the dataset ACLs with authorized secure view names, This is done periodically by batching the requests for one or more views. |
true, false | true |
| BIGQUERY_AUTHORIZED_VIEW_ACL_UPDATER_INTERVAL | This property is used to set a time interval in which the authorized view ACL's updater thread can update authorized view ACLs permissions in the dataset if any permissions are pending to be applied. |
10 | |
| BIGQUERY_GRANT_UPDATES | This property controls whether actual grant/revoke should be run on BigQuery. |
true, false | true |
| BIGQUERY_GRANT_UPDATES_MAX_RETRY_ATTEMPTS | This property is used to set max retry attempts to be made for granting or revoking the access if there is any failure due to database connection errors. |
2 | |
| BIGQUERY_GRANT_UPDATES_BATCH | This property enables the batching of applying grants/revokes to the BigQuery. This improves overall performance when applying any permission changes on the BigQuery. |
true, false | true |
| BIGQUERY_ENABLE_DATA_ADMIN | This property is used to enable data admin feature. It allows you to create all the policies on table/native view. By default, respective grants will be made on secure view of table or native view. This secure view will have row filter and masking capability. If you need permissions on the table, then you can select the permissions you want along with the dataadmin in the policy. The permissions will be granted on both, the table/native view and its secure view. |
true, false | true |
| BIGQUERY_AUDIT_ENABLE | This property is used to enable retrieving access audits from BigQuery. |
true, false | false |
| BIGQUERY_AUDIT_EXCLUDED_USERS | This property is used to set the list of users whose access audits you want to ignore. It takes a list of comma-separated email addresses of the users. |
BIGQUERY_OAUTH_SERVICE_ACCOUNT_EMAIL | |
| BIGQUERY_AUDIT_PROJECT_ID | This property is used to set the project ID. It will be used when running the query to retrieve the audits from BigQuery. |
||
| BIGQUERY_AUDIT_DATASET_NAME | This property is used to set the dataset name. It will be used when running the query to get the audits from BigQuery. |