Privacera Platform master publication

User/Groups/Roles


Concepts in Access Management

For conceptual background, see How Access Management Works.

Manage data access for users, groups, and roles.

Users

Data access users are identified in the creation and definition of Resource Policies. Users may be included or excluded specifically or in groups.

  • User Source value reflects the method of their creation or import (source).

    • Internal users - created within your Access Management account. The administrative users 'admin', 'rangerusersync', 'keyadmin', 'rangertagsync', and '{OWNER}' are created by the system.

    • External users:

      • A data access user with the same username as the first 'Administrator'/ Portal user;

      • A 'service' user for each data resource service (e.g. 'hive', 's3', ...);

      • Users imported by User Sync from an LDAP or Active Directory.

  • Visibility indicates whether a user is listed when creating or editing a Policy in Access Management: Resource Policies. If a user is Visible, they can be found and selected under the "Select User" column. If a user is Hidden, they cannot be selected. This is useful when your account has been synchronized with a user directory that contains a large number of users. Visibility may be set by selecting a user object row (on the left side of the table) and using the 'Visibility' action (between +Add and Delete).

  • User Role here is one of 'User', 'Administrator', or 'Auditor'. Note that this user Role is different from the custom Roles defined in the User Management: Roles tab.

Use the Search control to limit the displayed objects to those matching a specific value. First select a column name, then a value. The table is filtered to show only those objects that match the value. User objects may be added, edited, or deleted.

Add Users
  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Select the Users tab and click +Add. The Add User pop-up displays.

  3. Enter the user details.

  4. Click Save.

Add Discovery User for encryption service

To use encryption in the Compliance Workflow policies of the Discovery service, you need to add the privacera_service_discovery user to the Users/Groups/Roles of Access Management.

  1. From the home page, click Settings > Users Management.

  2. In the Portal Users tab, on the User Management page, click the edit button next to the privacera_service_discovery user.

  3. On the Edit User page, click Save.

  4. After saving, verify that the privacera_service_discovery user has been added. Go to Access Management > Users/Groups/Roles > USERS tab.

  5. Add the user in Schema Policies. See Add User in Default Policy.

  6. Add the user in Ranger KMS. See Set User Access for Encryption Service.

Edit Users
  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Under the Users tab, select the User and click the pen icon in the Actions column.

  3. Edit User dialog displays three tabs:

    • Basic Information

    • Change Password

    • Attributes

  4. In the Basic Information tab, you can modify the user details.

  5. In the Change Password tab, you can set a new password.

    Note

    For external users, you can only edit the user role and password.

  6. In the Attributes tab, you can add new attributes, delete, or modify existing attributes. For more information about attributes, see Considerations for User or group attributes.

  7. Click Save.

Groups

Use groups to manage multiple users with similar data access needs. A user can belong to more than one group.

Add Groups
  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Select the Groups tab and click +Add. The Add User pop-up displays.

  3. Enter the group details.

  4. Click Save.

Edit Groups

To edit a group, use the following steps:

  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Select the Groups tab.

  3. Select the group and click the pen icon in the Actions column.

    Edit Group dialog displays two tabs:

    • Basic Information

    • Attributes

  4. In the Basic Information tab, you can edit only the description.

  5. In the Attributes tab, you can add new attributes, delete, or modify existing attributes. For more information about attributes, see Considerations for User or group attributes.

  6. Click Save.

Roles

Assign roles to users based on job functions.

Add Roles
  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Select the Roles tab and click +Add.

  3. Enter the role details and click Save.

Edit Roles
  1. From the home page, click Access Management > Users/Groups/Roles.

  2. Select the Roles tab.

  3. Select the role and click the pen icon in the Actions column.

  4. Click Save.

Considerations for User or group attributes

Consider the following points when editing User or Group attributes:

  • Only Admin users have access to change the user attributes. Other users are unable to view or edit user attributes.

  • These modifications are limited to the Ranger DB and have no impact on the source.

  • Only the values can be changed. Each value is treated as a single string (multiple comma-separated values cannot be added).

  • Internal UserSync attributes such as full_name, service_id, and sync_source cannot be changed or removed. If these internal UserSync attributes are added manually through the UI for an internal user, no further modification or deletion will be permitted.

  • When Ranger UserSync is restarted, the attributes from the source are overridden, but the custom attributes added from the UI are retained.

  • If a user exists in more than one location, such as LDAP and Azure, and you sync that user from both sources, the attributes are merged. For any attribute common to both sources, only the value from the most recently synced source is retained.

  • If an attribute is deleted from the source or UserSync, it will still be visible in the UI. If it is no longer required, you can delete it manually.
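The attribute rules above decide which value a policy sees, so it helps to see them worked through. The following Python is an added illustration written for this page, not Privacera or Apache Ranger code: it models a user's attribute set as a plain dict and applies the page's rules (most recent sync source wins on conflict, UserSync-owned full_name / service_id / sync_source cannot be modified or removed, only Admin users may edit, values are single strings, and attributes deleted at the source stay visible after a UserSync restart). The function names, the ImmutableAttributeError type and the sample LDAP/Azure data are all constructed for the example.

```python
"""Model of the user-attribute rules described on this page.

Added illustration only: the functions, the exception type and the sample
sync data are constructed here and are not Privacera or Ranger code.
"""
from __future__ import annotations

# Attributes owned by UserSync that the UI may not modify or remove (from the page).
INTERNAL_USERSYNC_ATTRIBUTES = frozenset({"full_name", "service_id", "sync_source"})


class ImmutableAttributeError(Exception):
    """Raised when a UserSync-owned attribute is modified or deleted via the UI."""


def merge_synced_attributes(syncs: list[tuple[str, dict[str, str]]]) -> dict[str, str]:
    """Merge one user's attributes synced from several sources.

    `syncs` lists (source_name, attributes) in the order the syncs ran. Every
    attribute from every source is kept; where two sources set the same
    attribute, the value from the most recently synced source wins.
    """
    merged: dict[str, str] = {}
    for _source, attributes in syncs:
        merged.update(attributes)  # later sync overrides earlier values on conflict
    return merged


def _require_admin(is_admin: bool) -> None:
    # Only Admin users can view or change user attributes.
    if not is_admin:
        raise PermissionError("only Admin users can change user attributes")


def edit_attribute(attributes: dict[str, str], name: str, value: str, *, is_admin: bool) -> dict[str, str]:
    """Add or modify one attribute through the UI, subject to the page's rules.

    A UserSync-owned name may be added once if absent, but never modified
    afterwards. Values are stored as a single string; a comma inside the value
    does not turn it into a list of values.
    """
    _require_admin(is_admin)
    if name in INTERNAL_USERSYNC_ATTRIBUTES and name in attributes:
        raise ImmutableAttributeError(f"{name} is managed by UserSync and cannot be modified")
    attributes[name] = str(value)
    return attributes


def delete_attribute(attributes: dict[str, str], name: str, *, is_admin: bool) -> dict[str, str]:
    """Delete a custom attribute through the UI; UserSync-owned names are refused."""
    _require_admin(is_admin)
    if name in INTERNAL_USERSYNC_ATTRIBUTES:
        raise ImmutableAttributeError(f"{name} is managed by UserSync and cannot be removed")
    attributes.pop(name, None)
    return attributes


def restart_usersync(attributes: dict[str, str], source_attributes: dict[str, str]) -> dict[str, str]:
    """Re-sync after a UserSync restart.

    Values from the source overwrite the copies held in the Ranger DB, custom
    attributes added from the UI are retained, and attributes that no longer
    exist at the source remain visible until deleted manually.
    """
    refreshed = dict(attributes)
    refreshed.update(source_attributes)
    return refreshed


def demo() -> dict[str, str]:
    """Walk the rules through with constructed LDAP and Azure data for one user."""
    ldap = ("ldap", {"full_name": "Alice Example", "department": "finance", "title": "analyst"})
    azure = ("azure", {"full_name": "Alice Example", "department": "treasury", "office": "nyc"})
    attrs = merge_synced_attributes([ldap, azure])        # department -> "treasury" (Azure synced last)
    edit_attribute(attrs, "cost_center", "CC-1234", is_admin=True)  # custom UI attribute
    # Source later drops "office"; restart keeps it visible and keeps cost_center.
    return restart_usersync(attrs, {"full_name": "Alice Example", "department": "finance"})


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print(f"{key} = {val}")
```

Run it directly to see the final attribute set for the sample user; the point to notice is that `department` flips back to the LDAP value on restart while the UI-added `cost_center` and the Azure-only `office` both survive, which is exactly why a policy relying on attribute values should be reviewed after a change in sync sources.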