ABAC Macros¶
Privacera, through its integration with Apache Ranger, supports a set of Attribute-Based Access Control (ABAC) macros that enable dynamic and fine-grained policy evaluation. These macros allow you to reference user, group, role, tag, and request context attributes directly in your policies to enforce access control logic.
Categories of ABAC Macros¶
ABAC macros in Ranger return values in the following formats, which determine how they can be used within policies:
| Return Type | Usage Context |
|---|---|
| Boolean | Used in policy conditions only (e.g., resource access, tag-based, masking, RLF) |
| Comma-Separated List of Strings | Used in row-filter expressions, masking conditions, or IN (...) clauses |
Comma-Separated List of Quoted Strings (_Q) | Quoted list for use in SQL-style IN (...) expressions (e.g., 'val1','val2') |
Examples:¶
HAS_USER_ATTR('dept')→true/falseGET_TAG_NAMES()→PII,CONFIDENTIALGET_UG_ATTR_Q('state')→'CA','NY','TX'
Use the _Q variants (e.g., GET_UG_ATTR_Q) when inserting into SQL-style expressions to avoid syntax errors.
Always enclose ABAC expressions in ${{ }} for custom masking conditions and row level filter expressions to ensure proper evaluation by the Ranger policy engine.
1. Boolean Macros¶
These macros return true or false and are valid only in policy conditions (not within row-filter or masking expressions).
Where They Can Be Used¶
| Policy Type | Location |
|---|---|
| Resource Access Policies | ✅ Policy Conditions (Details and Allow/Deny Items) |
| Row-Level Filter Policies | ✅ Policy Conditions only |
| Masking Policies | ✅ Policy Conditions only |
| Tag-Based Access Policies | ✅ Policy Conditions only |
Boolean Macro Reference¶
| Entity | Macro | Description |
|---|---|---|
| User | HAS_USER_ATTR('attr') | Returns true if the user has the attribute attr |
| Group | IS_IN_GROUP('group') | Returns true if the user is in the specified group |
IS_IN_ANY_GROUP | Returns true if the user belongs to any group | |
IS_NOT_IN_ANY_GROUP | Returns true if the user belongs to no group | |
HAS_UG_ATTR('attr') | Returns true if any group the user belongs to has the attribute attr | |
| Role | IS_IN_ROLE('role') | Returns true if the user is in the specified role |
IS_IN_ANY_ROLE | Returns true if the user is in any role | |
IS_NOT_IN_ANY_ROLE | Returns true if the user is in no role | |
HAS_UR_ATTR('attr') | Returns true if any role the user has been assigned has the attribute attr |
2. Dynamic Expressions (Non-Boolean)¶
Dynamic expressions return values or lists and are used in row filters, masking conditions, and resource names. These expressions are enclosed in ${{ ... }}.
Where Dynamic Expressions Can Be Used¶
Unlike Boolean macros, dynamic expressions (enclosed in ${{ }}) are used where actual values such as strings or lists are required.
| Policy Type | Location |
|---|---|
| Resource Access Policies | ✅ Dynamic Resource Names (e.g., ${{USER.dept}}) |
| Row-Level Filter Policies | ✅ Row Filter Expressions (e.g., region = ${{USER.region}}) |
| Masking Policies | ✅ Masking Conditions (e.g., mask if ${{USER.level}} < 5) |
| Tag-Based Access Policies | ❌ Not supported |
| Policy Conditions | ❌ Not supported (use Boolean macros instead) |
Expression Functions¶
| Function | Quoted? | Example Output | Typical Use Case |
|---|---|---|---|
GET_USER_ATTR('attr', default) | No | us-west | Value comparison in row filters or masking |
GET_USER_ATTR_Q('attr', default) | Yes | 'us-west' | Use in SQL-style conditions that require quotes |
GET_USER_ATTR_NAMES() | No | email,dept,region | Diagnostic/debugging, dynamic field introspection |
GET_USER_ATTR_NAMES_Q() | Yes | 'email','dept','region' | Same as above with quoted values |
GET_UG_NAMES() | No | finance,public | Use in IN (...) row filters |
GET_UG_NAMES_Q() | Yes | 'finance','public' | Quoted IN (...) conditions |
GET_UG_ATTR('attr', default) | No | west | Value comparison with group-level attributes |
GET_UG_ATTR_Q('attr', default) | Yes | 'west' | Same, but for SQL-style comparisons |
GET_UG_ATTR_NAMES() | No | location,tier | Diagnostic/metadata rules |
GET_UG_ATTR_NAMES_Q() | Yes | 'location','tier' | Same, but quoted |
GET_UR_NAMES() | No | analyst,admin | Role-based access filters |
GET_UR_NAMES_Q() | Yes | 'analyst','admin' | Quoted IN (...) conditions |
GET_UR_ATTR('<attrName>', default, separator) | No | delhi | Value comparison with role-level attributes |
GET_UR_ATTR_Q('<attrName>', default, separator, quote) | Yes | 'delhi' | Same, but for SQL-style comparisons |
GET_UR_ATTR_NAMES(default, separator) | No | location,department | Diagnostic/metadata rules for roles |
GET_UR_ATTR_NAMES_Q(default, separator, quote) | Yes | 'location','department' | Same, but quoted |
GET_TAG_NAMES() | No | PII,Confidential | Tag-based filtering and masking |
GET_TAG_NAMES_Q() | Yes | 'PII','Confidential' | Use in IN (...) filters for tags |
GET_TAG_ATTR('attr', default) | No | high | Compare tag attribute values |
GET_TAG_ATTR_Q('attr', default) | Yes | 'high' | Use where quotes are required (e.g., SQL filters) |
GET_TAG_ATTR_NAMES() | No | sensitivity,owner | Tag metadata introspection |
GET_TAG_ATTR_NAMES_Q() | Yes | 'sensitivity','owner' | Same, with quoted output |
Expression Variables¶
| Variable | Quoted? | Example Output | Typical Use Case |
|---|---|---|---|
USER.<attr> | No | finance | Access user attributes directly in expressions like ${{USER.dept}} |
UGNAMES | No | ["finance", "hr"] | List of groups user belongs to; use in expression logic |
URNAMES | No | ["analyst", "admin"] | List of roles assigned to the user |
URATTR['<RoleName>'].<attrName> | No | delhi | Access specific role's attribute value like ${{URATTR['AUDITOR'].location}} |
REQ.<property> | No | { "accessType": "select", "user": "bob" } | Access request metadata (e.g., IP, cluster name, user) |
RES.<property> | No | { "database": "sales", "table": "txns" } | Access resource metadata (e.g., table, column, database) |
Examples¶
Row Filter Expression:¶
Row Filter Expression with Specific Role's Attribute:¶
Row Filter Expression with Multiple Values in Role Attribute:¶
Note: Use when the role attribute contains comma-separated values likeUS,Europe Column Masking Expression:¶
Column Masking Expression with Role Attribute:¶
Column Masking with Specific Role Attribute Value:¶
Column Masking with Default Value:¶
Column Masking with Specific Role:¶
Dynamic Resource Name:¶
Advanced Examples¶
Conditional Access Based on Sensitivity:¶
Row Filter with List Attribute:¶
Conditional Access Based on Role Attribute:¶
Note: Always check for null to avoid NPE in policy conditionsPolicy Condition with Role Attribute Check:¶
Policy Condition with Default Value:¶
Row Filter with Role Attribute:¶
Row Filter with Default Value:¶
Checking if Role Has Attribute:¶
Getting All Role Attribute Names:¶
Row Filter Based on Group Membership¶
Row Filter Based on Role Membership¶
Resource Name Expansion:¶
Default Handling Example:¶
Best Practices¶
- Use default values in attribute functions to avoid null evaluations.
- Enclose dynamic expressions within
${{ }}for row filters and masking rules. - Use quoted variants like
GET_UG_ATTR_Q()when inserting into SQL-style clauses (e.g.,IN (...)).
- Prev topic: ABAC Attributes
- Next topic: ABAC Operators