Skip to content

About Fine-Grained Access Control (FGAC)

Fine-Grained Access Control (FGAC) is an approach that restricts data access not just at the object level, but also at more granular levels: columns, rows, and even masking and encryption of specific fields. It ensures that users and services only see the data they are explicitly permitted to view, helping to address regulatory requirements and sensitive data protection.

Privacera's FGAC Designs

Privacera supports FGAC by integrating with the native capabilities of various platforms and services. Depending on what each service supports, Privacera chooses either Apache Ranger Plugins or PolicySync.

The key difference is that with Apache Ranger Plugins, policy enforcement is done within the query engine itself. With PolicySync, Privacera translates the policy to the target service’s native rules.

  1. Services Using Apache Ranger Plugins

    • Trino / Starburst Trino
    • Apache Hive
    • Databricks Cluster

    In these platforms, Privacera deploys an Apache Ranger-based plugin that intercepts queries at the engine level. Users attempting to access or manipulate data in these engines are subject to FGAC policies that enforce row-level filtering (RLF) and column masking rules.

    For more details you can read here about the Apache Ranger Plugin

  2. Services Using PolicySync

    • Snowflake
    • Redshift
    • Databricks Unity Catalog
    • AWS Lake Formation
    • Other Cloud Services (with structured policy support)

    Here, Privacera synchronizes FGAC policies from the Apache Ranger policy model into the native constructs of each platform. For instance, it may generate User-Defined Functions (UDFs) for masking columns in Snowflake, or utilize native row-filtering in AWS Lake Formation.

    For more details you can read here about the Privacera PolicySync

How FGAC Works

  1. Policy Definition: Administrators define which users, groups, or roles have access to specific rows and columns. Sensitive columns may be masked or obfuscated with custom logic.
  2. Policy Enforcement: When a user or service runs a query, Privacera intercepts the request (via Ranger Plugin) or has already applied the policy to the underlying service (via PolicySync). Only permitted data is returned.
  3. Auditing and Governance: All access attempts—granted or denied—are logged, allowing administrators to generate audit reports and maintain compliance.

Use Cases

Example 1: Row-Level Filtering in Trino

  • Scenario: A multi-tenant system storing data from different business units.
  • Implementation: Privacera’s Ranger Plugin for Trion enforces row-filtering rules so that each business unit can only see the rows relevant to them.
  • Benefit: Complies with internal data segregation policies and reduces risk of data leakage.

Example 2: Masking PII in Snowflake

  • Scenario: A data analyst runs queries on Snowflake, which stores customer PII.
  • Implementation: Privacera’s PolicySync engine translates FGAC policies to Snowflake’s native UDF-based masking rules, ensuring columns like SSNs are redacted or encrypted.
  • Benefit: Aligns with regulations to allow the analyst to see non-sensitive fields.

Example 3: Role-Based Access in Databricks Unity Catalog

  • Scenario: A large organization uses Databricks Unity Catalog in their Lakehouse architecture.
  • Implementation: Privacera PolicySync automatically creates row level policies in Unity Catalog, restricting certain rows are visible to specific roles or groups (E.g. marketing vs. finance team).
  • Benefit: Offers a single pane of policy management while leveraging Unity Catalog’s native data governance features.

Advantages

  1. Granular Data Protection: FGAC narrows access to only necessary fields, reducing exposure of sensitive data.
  2. Regulatory Compliance: Meets data privacy requirements (GDPR, HIPAA, CCPA) by masking or filtering out PII.
  3. Unified Policy Management: Administrators manage FGAC policies centrally, even if actual enforcement happens differently across services.
  4. Reduced Over-privilege: Minimizes risk by preventing users from seeing irrelevant or confidential information.

Why Manage FGAC Policies with Privacera

Using Privacera to manage FGAC policies centralizes and simplifies governance across multiple data services. Here are the key benefits:

  1. Unified Policy Console: Administrators can define and maintain FGAC policies in one place, even if those policies are ultimately enforced differently across Apache Hive, Snowflake, Databricks, etc.
  2. Seamless Integration: Privacera leverages native service features like Ranger plugins or PolicySync to Snowflake UDFs so that organizations needn’t manually replicate policies on each platform.
  3. Audit and Reporting: Privacera automatically logs access attempts, whether granted or denied, enabling comprehensive audit trails for regulatory compliance.
  4. Fine-Grained + Object-Level Combination: Beyond row and column filtering, Privacera also offers OLAC for object-level enforcement, allowing teams to manage both file and table-level policies in the same framework.
  5. Scalability: Since Privacera is built for large, distributed data environments, FGAC policies can be applied consistently at scale, without sacrificing performance.

Limitations

  1. Performance Overhead: Masking and row-filtering can impact query performance, especially on large datasets.
  2. Potential Bypass: Where the service offers direct object store access, FGAC alone may not prevent users from retrieving underlying files unless combined with OLAC.
  3. Inconsistent Features: Not all services have equally robust row/column-level hooks; some rely on creative uses of UDFs or Secure Views, or proprietary constructs.
  4. Dependency on Underlying Service: FGAC can only be as effective as the platform’s compliance features or plugin system.

Additional Reading

Comments