Exclude Policies

Exclude Policies in Apache Ranger provide a mechanism to define exceptions within a policy item. They allow administrators to specify users, groups, or roles that should be excluded from the effect of an allow or deny rule—even if those principals would otherwise match the conditions of the policy.

This is particularly useful in environments with broad access policies that require exceptions for certain individuals or teams.

How Exclude Works

  • Exclude entries are specified inside each policy item under users, groups, or roles.
  • Excluded users or groups are not granted access by that policy item even if other parts of the policy match.
  • If no other policy allows access to the excluded user, the default behavior is access denied.

Exclude entries can be used in both:

  • Allow Policy Items (to withhold access for specific principals)
  • Deny Policy Items (to exempt specific principals from being denied)

Example 1: Exclude User from Allow Policy

Grant SELECT on the sales_data table to all users in the analysts group, except user john_doe:

Field           Value
Groups          analysts
Exclude Users   john_doe
Access Types    SELECT
Resource        sales_data

In this case:

  • Members of analysts can run SELECT
  • john_doe will be denied unless another policy allows it

Example 2: Exclude Group from Deny Policy

Deny DROP on all tables in database finance_db to everyone except the admin group:

Field           Value
Users           *
Exclude Groups  admin
Access Types    DROP
Resource        finance_db.*
Policy Type     Deny

Effect:

  • Everyone is denied DROP on any table in finance_db
  • Members of the admin group are exempt from this deny item and can drop tables only if a separate allow policy grants them DROP

Excluded users/groups do not get permission just because they are excluded from the deny policy.

They will explicitly need an allow policy to gain access. This is important to remember when designing your policies.

Key Behavior

  • Exclusions are evaluated after a match is found in a policy item
  • If a user is excluded, the policy item is skipped for that user
  • Policy evaluation continues to search for other matching allow or deny rules
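The evaluation rules above, together with Example 1 and Example 2, as a small Python simulation. This is an added illustration, not Ranger's own code: policy items, the `*` wildcard and the `db.*` resource pattern are modelled in a simplified way, deny items are checked before allow items, an excluded principal skips the item and the search continues, and no match falls through to the default deny. `ADMIN_DROP` is a constructed allow item added to show that the exclusion in Example 2 grants nothing by itself.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyItem:
    """One allow or deny policy item (simplified model; '*' in users matches everyone)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)
    access_types: set = field(default_factory=set)
    resource: str = ""        # table name, or "db.*" as a prefix wildcard
    deny: bool = False

def resource_matches(pattern, resource):
    # A trailing '*' is treated as a prefix wildcard: "finance_db.*" covers "finance_db.ledger".
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def principal_matches(item, user, groups):
    return "*" in item.users or user in item.users or bool(groups & item.groups)

def is_excluded(item, user, groups):
    return user in item.exclude_users or bool(groups & item.exclude_groups)

def evaluate(items, user, groups, access, resource):
    """Return 'ALLOW' or 'DENY'. Deny items are checked before allow items; an
    excluded principal skips the item and the search continues; no match
    anywhere falls through to the default, which is DENY."""
    groups = set(groups)
    for want_deny in (True, False):
        for item in items:
            if (item.deny != want_deny or access not in item.access_types
                    or not resource_matches(item.resource, resource)):
                continue
            if not principal_matches(item, user, groups):
                continue
            if is_excluded(item, user, groups):
                continue  # matched, but excluded: skip this item, keep searching
            return "DENY" if item.deny else "ALLOW"
    return "DENY"

# Example 1 from the page: analysts may SELECT sales_data, except john_doe.
ANALYSTS_SELECT = PolicyItem(groups={"analysts"}, exclude_users={"john_doe"},
                             access_types={"SELECT"}, resource="sales_data")
# Example 2 from the page: deny DROP on finance_db.* to everyone except the admin group.
DENY_DROP = PolicyItem(users={"*"}, exclude_groups={"admin"},
                       access_types={"DROP"}, resource="finance_db.*", deny=True)
# Constructed allow item that admins still need: the exclusion alone grants nothing.
ADMIN_DROP = PolicyItem(groups={"admin"}, access_types={"DROP"}, resource="finance_db.*")
```

Running `evaluate([DENY_DROP], "bob", {"admin"}, "DROP", "finance_db.ledger")` returns DENY, and only adding `ADMIN_DROP` to the item list turns it into ALLOW.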

Best Practices

  • Use exclusions to model exceptions rather than crafting separate policies
  • When using * (all users), always consider excluding known admin or system accounts
  • Document exclusions explicitly to ensure policy intent is understood