# Policy Item in Resource-Based Policies
In Apache Ranger, a Policy Item is the core unit within a policy that defines who has access, what access they have, and optionally, under what conditions. A single policy can contain multiple policy items to handle different user groups, access levels, or scenarios.
Policy items are evaluated to determine whether a user should be allowed or denied access to a specific resource.
## Policy Item Fields

Each policy item can include the following fields.

About the Access/Tag/RLF columns:
- Access: Indicates whether the field is applicable for access-based policies.
- Tag: Indicates whether the field is applicable for tag-based policies.
- RLF: Indicates whether the field is applicable for row-level filtering policies.
| Field | Description | Access | Tag | RLF |
|---|---|---|---|---|
| Users | List of individual users granted/denied access | Yes | Yes | Yes |
| Groups | List of user groups granted/denied access | Yes | Yes | Yes |
| Roles | List of roles (logical) associated with this item | Yes | Yes | Yes |
| Access Types | The operations allowed/denied (e.g., SELECT, READ, PUBLISH) | Yes | No | No |
| Conditions | Optional ABAC-style expressions (e.g., `${{USER.department}} == 'finance'`) | Yes | Yes | Yes |
| Delegate Admin | Whether the specified users/groups can modify the policy | Yes | No | No |
| Masking | (Optional) Data masking instructions for SELECT access on sensitive columns | No | Yes | No |
| Row Filtering | (Optional) Row-level filter expressions to restrict visibility | No | No | Yes |
| Policy Type | Whether this is an Allow or Deny item | Yes | No | No |
| Validity Period | Time window that controls how long the policy remains in effect | Yes | Yes | Yes |
| Policy Labels | Labels attached to the policy | Yes | Yes | Yes |
## Example: Multiple Policy Items in One Policy

A policy on table `sales_data` might look like this:
### Allow Policy Items

- Allow `SELECT` and `INSERT` to group `analysts`
- Allow `SELECT` to user `jane_doe` with condition `${{USER.location}} == 'US'`
- Allow `SELECT` to role `data_reader`

### Deny Policy Items

- Deny `SELECT` to user `temp_user`

### Masking Policy Items

- Mask column `ssn` using `Partial Mask` for group `public`

### Row Filter Policy Items

- Apply filter `region = ${{USER.region}}` for group `regional_team`
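The following is an added example, not code from the Ranger documentation or code base: a small Python model of how the allow, deny and row-filter items of the `sales_data` policy above resolve for a given user. Field names follow Ranger's REST policy JSON in simplified form (`policyItems`, `denyPolicyItems`, `rowFilterPolicyItems`, with `accesses` as plain strings), the `User` class and its attribute values are constructed, the deny-before-allow order is the order Ranger's policy evaluator uses, and the masking item is left out.

```python
import re
from dataclasses import dataclass, field
MACRO = re.compile(r"\$\{\{USER\.(\w+)\}\}")  # the ${{USER.attr}} macro form used in conditions and filters

@dataclass
class User:  # constructed principal: groups, roles and the attributes that ${{USER.x}} macros read
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

def expand(expr, user):
    """Substitute each ${{USER.attr}} macro with the user's attribute value, inserted verbatim."""
    return MACRO.sub(lambda m: str(user.attrs.get(m.group(1), "")), expr)

def condition_holds(cond, user):
    """Evaluate the condition form used on this page: <macro> == '<literal>'."""
    lhs, rhs = (s.strip() for s in cond.split("==", 1))
    return expand(lhs, user) == rhs.strip("'")

def item_matches(item, user, access):
    """Principal (user, group or role) matches, the access type is listed, and all conditions hold."""
    principal = (user.name in item.get("users", ())
                 or bool(user.groups & set(item.get("groups", ())))
                 or bool(user.roles & set(item.get("roles", ()))))
    if not principal or access not in item.get("accesses", ()):
        return False
    return all(condition_holds(c, user) for c in item.get("conditions", ()))

def evaluate(policy, user, access):
    """Deny items are checked before allow items (Ranger's order), so a matching deny item wins."""
    if any(item_matches(i, user, access) for i in policy.get("denyPolicyItems", ())):
        return "DENY"
    if any(item_matches(i, user, access) for i in policy.get("policyItems", ())):
        return "ALLOW"
    return "NOT_DETERMINED"  # no item matched; other policies may still decide

def row_filter(policy, user):
    """Expanded filter of the first row-filter item whose principal matches, else None."""
    for item in policy.get("rowFilterPolicyItems", ()):
        if user.name in item.get("users", ()) or user.groups & set(item.get("groups", ())):
            return expand(item["rowFilterInfo"]["filterExpr"], user)
    return None

SALES_DATA_POLICY = {  # the sales_data policy from this page, simplified Ranger REST-style field names
    "policyItems": [{"groups": ["analysts"], "accesses": ["select", "insert"]},
                    {"users": ["jane_doe"], "accesses": ["select"], "conditions": ["${{USER.location}} == 'US'"]},
                    {"roles": ["data_reader"], "accesses": ["select"]}],
    "denyPolicyItems": [{"users": ["temp_user"], "accesses": ["select"]}],
    "rowFilterPolicyItems": [{"groups": ["regional_team"], "rowFilterInfo": {"filterExpr": "region = ${{USER.region}}"}}]}
```

Note that the deny item only lists `SELECT`, so a `temp_user` who is also in `analysts` is denied `SELECT` but still allowed `INSERT` through the group item.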