Policy Conditions in Apache Ranger Policies
Policy conditions in Apache Ranger allow you to define dynamic constraints that must be satisfied in addition to matching the resource and action. These are especially useful for implementing attribute-based access control (ABAC), custom conditions, or tag-driven conditions.
Policy conditions are written as JavaScript expressions that return a boolean (true/false). They are evaluated at request time using attributes of:
- Users or groups
- Request metadata
- Resource tags and attributes
If the condition evaluates to true, access continues to be evaluated. If it evaluates to false, the policy item is skipped.
Where Can Conditions Be Used?
Policy Type | Location |
---|---|
Resource-Based Policies | Policy items, Policy detail |
Tag-Based Policies | Policy items, Policy detail |
Row-Level Filter Policies | Policy items only |
Masking Policies | Policy items only |
Read ABAC Macros for more details on how to use attributes in conditions.
Examples of Common Conditions
Example Expression | Description |
---|---|
${{USER.department}} == 'finance' | Allow access only if user's department is finance |
IS_IN_GROUP('managers') | Grant access only if user is in the 'managers' group |
HAS_TAG('PII') | Allow if resource is tagged as PII |
${{USER.location}} == ${{TAG.region}} | Match user's location with tag attribute on resource |
IS_ACCESS_TIME_BETWEEN('2024/01/01', '2024/12/31') | Allow access only during the calendar year 2024 |
Limitations of Conditions
- In PolicySync connectors, conditions are evaluated when the policy is created, not at runtime. Certain conditions such as IS_ACCESS_TIME_BETWEEN may therefore not work, because the current data platforms do not support this type of dynamic condition.
- In plugins and Privacera DataServer, conditions are evaluated at runtime; if a condition makes external calls, this can affect performance.
- Plugins generally run within the data platform process, so any external dependencies or libraries must be available in the data platform environment.
- Privacera DataServer currently does not support custom conditions that require external libraries or dependencies.
Combining Conditions
Since conditions are JavaScript, you can combine them with logical operators in your expressions:
- AND
- OR
- NOT
- Parentheses for grouping
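As an added example, not taken from the original page or from Ranger itself: a small JavaScript harness that expands the `${{USER.x}}` / `${{TAG.x}}` macros, provides stand-in `IS_IN_GROUP`, `HAS_TAG` and `IS_ACCESS_TIME_BETWEEN` functions, and evaluates a combined condition written with JavaScript's `&&`, `||`, `!` and parentheses. The request context, the macro implementations and the inclusive date-range semantics are assumptions made for offline testing, not Ranger's own evaluator.

```javascript
// Added example (not Ranger's own code): evaluates a policy condition string
// offline so combined expressions can be unit-tested before going into a
// policy. Macros and ${{...}} expansion are simplified stand-ins, not Ranger's.

// Constructed request context; its shape is an assumption of this harness.
const sampleRequest = {
  user: { name: "alice", groups: ["finance-analysts", "managers"],
          attrs: { department: "finance", location: "eu" } },
  resource: { tags: ["PII"] },                    // tags on the resource
  tag: { name: "PII", attrs: { region: "eu" } },  // tag being evaluated
  accessTime: new Date("2024-06-15T10:00:00Z"),
};

// Expand ${{USER.x}} / ${{TAG.x}} into JS literals before evaluation.
function expandMacros(expr, req) {
  return expr.replace(/\$\{\{(USER|TAG)\.(\w+)\}\}/g, (_, scope, attr) => {
    const source = scope === "USER" ? req.user.attrs : req.tag.attrs;
    return JSON.stringify(source[attr] ?? null); // missing attribute -> null
  });
}

// Functions exposed to the condition, named as in the table above.
function buildMacros(req) {
  const dayMs = 24 * 60 * 60 * 1000;
  const parseDay = (d) => Date.parse(d.replace(/\//g, "-") + "T00:00:00Z");
  return {
    IS_IN_GROUP: (g) => req.user.groups.includes(g),
    HAS_TAG: (t) => req.resource.tags.includes(t),
    // Assumed semantics: both dates inclusive, end date counts to midnight.
    IS_ACCESS_TIME_BETWEEN: (from, to) => {
      const t = req.accessTime.getTime();
      return t >= parseDay(from) && t < parseDay(to) + dayMs;
    },
  };
}

// Evaluate a condition and coerce the result to a strict boolean. The
// expression runs as code, so only administrator-authored policy text
// should ever reach this point.
function evaluateCondition(expr, req) {
  const macros = buildMacros(req);
  const body = "return (" + expandMacros(expr, req) + ");";
  const fn = new Function(...Object.keys(macros), body);
  return fn(...Object.values(macros)) === true;
}

// Combined condition using &&, ||, ! and parentheses for grouping.
const combined =
  "(${{USER.department}} == 'finance' || IS_IN_GROUP('auditors')) && " +
  "!HAS_TAG('RESTRICTED') && IS_ACCESS_TIME_BETWEEN('2024/01/01', '2024/12/31')";
```

Because `evaluateCondition` only returns `true` for a strict boolean `true`, an expression that evaluates to a non-boolean (for example a bare attribute value) is treated as not satisfied.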
Best Practices
- Keep conditions simple and testable
- Use macros and attributes to minimize hardcoding values
- Avoid complex nested logic unless necessary