Deny Policies

Apache Ranger supports Deny Policies as a mechanism to explicitly block access to resources, even if another policy might allow it. This enables enforcement of critical security constraints and the principle of least privilege.

Limitation

Deny Policies are not supported in all Privacera connectors. They are primarily used in Apache Ranger plugins and Privacera DataServer; they are not supported in PolicySync connectors (e.g., Snowflake, Databricks Unity Catalog). Refer to the individual connector documentation for details.

Where Deny Policies are supported, they can be used in both Resource-Based and Tag-Based access policies.

How Deny Policies Are Evaluated

When a user requests access to a resource, Ranger evaluates the matching policies in this order:

```mermaid
sequenceDiagram
    title: Policy Evaluation Flow
    participant User
    participant RangerPolicyEngine

    User->>RangerPolicyEngine: Access Request
    alt Deny Policy Matches
        RangerPolicyEngine-->>User: Access Denied ❌
    else No Deny Match
        alt Allow Policy Matches
            RangerPolicyEngine-->>User: Access Allowed ✅
        else No Allow Match
            RangerPolicyEngine-->>User: Access Denied ❌
        end
    end
```

  1. Deny conditions: If a deny policy matches, access is immediately denied (even if another policy allows it).
  2. Allow conditions: If no deny policies match, then allow policies are evaluated.
  3. No match: If no policies match, access is denied by default.

Deny policies always take precedence over allow policies.

Using Excludes with Deny Policies

Deny Policies can be refined using exclusion conditions to ensure certain users or groups are not affected.

Example: Deny access to DELETE from table transactions for all users except admins.

| Field | Value |
| --- | --- |
| Deny Users | `*` (all users) |
| Exclude Groups | `admin` |
| Access Types | `DELETE` |
| Resource | `transactions` |

In this case, all users except those in the admin group will be denied DELETE access.
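The following is an added illustration of the evaluation order described above (deny first, then allow, default deny) together with the exclude-group example from the table. It is a small model written for this page, not Ranger's own policy engine or API; the `Policy` and `evaluate` names, the sample policies, and the sample users and groups are all constructed for the example.

```python
# Minimal model of the documented evaluation order: deny -> allow -> default deny.
# Illustrative code only; not the Apache Ranger implementation.
from dataclasses import dataclass, field


@dataclass
class Policy:
    resource: str                     # table the policy applies to
    access_types: set                 # e.g. {"SELECT", "DELETE"}
    users: set = field(default_factory=set)          # "*" matches every user
    groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)  # never affected by this policy
    exclude_groups: set = field(default_factory=set)

    def matches(self, user, user_groups, resource, access_type):
        if resource != self.resource or access_type not in self.access_types:
            return False
        # Exclusions are checked first: an excluded user or group is not
        # affected by this policy at all.
        if user in self.exclude_users or user_groups & self.exclude_groups:
            return False
        return ("*" in self.users
                or user in self.users
                or bool(user_groups & self.groups))


def evaluate(deny_policies, allow_policies, user, user_groups, resource, access_type):
    """Return (decision, reason) following the documented precedence."""
    # 1. Deny conditions: a matching deny policy wins immediately.
    for p in deny_policies:
        if p.matches(user, user_groups, resource, access_type):
            return "DENIED", "deny policy matched"
    # 2. Allow conditions: only evaluated when no deny policy matched.
    for p in allow_policies:
        if p.matches(user, user_groups, resource, access_type):
            return "ALLOWED", "allow policy matched"
    # 3. No match: default deny.
    return "DENIED", "no policy matched (default deny)"


# Constructed sample policies mirroring the table above: deny DELETE on
# "transactions" for everyone except the admin group, plus an allow policy
# granting SELECT and DELETE to analysts and admins.
DENY = [Policy(resource="transactions", access_types={"DELETE"},
               users={"*"}, exclude_groups={"admin"})]
ALLOW = [Policy(resource="transactions", access_types={"SELECT", "DELETE"},
                groups={"analysts", "admin"})]

if __name__ == "__main__":
    # Constructed requests: (user, groups, access type)
    for user, groups, access in [("alice", {"analysts"}, "DELETE"),
                                 ("bob", {"admin"}, "DELETE"),
                                 ("alice", {"analysts"}, "SELECT"),
                                 ("carol", set(), "SELECT")]:
        print(user, access, evaluate(DENY, ALLOW, user, groups, "transactions", access))
```

Running it shows the three outcomes from the diagram: `alice` is denied DELETE even though an allow policy covers her group, `bob` in the `admin` group is excluded from the deny policy and so falls through to the allow policy, and `carol`, who matches no policy at all, is denied by default.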

Best Practices

  • Use deny policies sparingly and purposefully to avoid conflicts
  • Use exclude users/groups/roles to provide controlled exceptions
  • Avoid deny policies in platforms where they are not supported (e.g., PolicySync)