Policy Evaluation Ordering for Masking and Row Level Filtering

This document describes the enhanced policy evaluation ordering mechanism for Masking and Row Level Filter (RLF) policies when the enhanced ordering feature is enabled.

Connector support

This feature is currently supported only for Snowflake and Databricks Unity Catalog.

Overview

When multiple Masking or Row Level Filter policies apply to the same resource, Apache Ranger evaluates them in a specific order to determine which policy takes effect. The enhanced policy ordering feature provides a more predictable and configurable evaluation sequence.

Policy Evaluation Order

When the enhanced ordering feature is enabled, policies are evaluated in the following order:

Tag Policies

Tag-based policies follow this evaluation order:

  1. Match Type Comparator (primary ordering):

    • SELF (highest priority)
    • SELF_AND_ALL_DESCENDANTS
    • ANCESTOR
    • DESCENDANT
    • NONE (lowest priority)
  2. Secondary Ordering (when match types are the same):

    • Priority: Policies with higher priority values are evaluated first
    • Policy Name: Alphabetical ascending order (A-Z)

Resource Policies

Resource-based policies follow this evaluation order:

  1. Priority: Policies with higher priority values are evaluated first
  2. Policy Name: Alphabetical ascending order (A-Z)

Priority and Override Behavior

Priority Scope

Policy priority (Override) is only applicable within the same policy type:

  • Priority within Tag policies only affects ordering among Tag policies
  • Priority within Resource policies only affects ordering among Resource policies
  • An Override Resource policy is evaluated after a normal Tag policy (Tag policies take precedence over Resource policies)

Example: If you have:

  • Tag Policy A (normal priority)
  • Resource Policy B (Override priority)

Tag Policy A will be evaluated first, even though Resource Policy B has Override priority, because Tag policies are evaluated before Resource policies.

Public Group Priority

Masking types and RLF expressions for the public group have special priority handling:

Public Group Evaluation Rules

  1. Lowest Priority: Public group results are considered the lowest priority compared to non-public group results.

  2. Fallback Behavior: Public group policies are only used when no non-public results are available.

  3. Evaluation Order: When public group results are used, they follow the same ordering rules as described above:

    • Tag policies are evaluated before Resource policies
    • Within Tag policies: Match type → Priority → Policy name
    • Within Resource policies: Priority → Policy name

Example Scenario

Consider the following policies:

  • Tag Policy 1: Applies to group analysts (non-public) with match type SELF
  • Tag Policy 2: Applies to group public with match type SELF
  • Resource Policy 1: Applies to group public with priority Override

Evaluation Order:

  1. Tag Policy 1 (analysts, non-public, SELF) - evaluated first
  2. If Tag Policy 1 doesn't match, Tag Policy 2 (public, SELF) - evaluated second
  3. If no tag policies match, Resource Policy 1 (public, Override) - evaluated last
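As an added illustration (not Privacera's or Apache Ranger's code), the following Python models the comparator described above and runs it over the example scenario. The policy, group and user names are constructed, and the public-group fallback is modelled as "first non-public match in evaluation order, otherwise first public match".

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Tag-policy match types, highest priority first (the order given on this page).
MATCH_TYPE_RANK = {"SELF": 0, "SELF_AND_ALL_DESCENDANTS": 1, "ANCESTOR": 2,
                   "DESCENDANT": 3, "NONE": 4}
# Ranger's policy priority constants: normal = 0, Override = 1; higher evaluates first.
NORMAL, OVERRIDE = 0, 1
PUBLIC = "public"

@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                          # "tag" or "resource"
    groups: frozenset                  # groups the policy item applies to
    priority: int = NORMAL
    match_type: Optional[str] = None   # tag policies only

def sort_key(p: Policy):
    """Tag before Resource; Tag: match type, then priority, then name;
    Resource: priority, then name. Higher priority first, names A-Z."""
    kind_rank = 0 if p.kind == "tag" else 1
    match_rank = MATCH_TYPE_RANK.get(p.match_type, MATCH_TYPE_RANK["NONE"]) if p.kind == "tag" else 0
    return (kind_rank, match_rank, -p.priority, p.name)

def evaluation_order(policies: Iterable[Policy]) -> List[str]:
    """Names of the policies in the order the enhanced comparator evaluates them."""
    return [p.name for p in sorted(policies, key=sort_key)]

def effective_policy(policies: Iterable[Policy], user_groups: Iterable[str]) -> Optional[Policy]:
    """First policy in evaluation order that matches one of the user's non-public
    groups; a public-group match is only a fallback when no such policy matches."""
    non_public = set(user_groups) - {PUBLIC}
    fallback = None
    for p in sorted(policies, key=sort_key):
        if p.groups & non_public:
            return p                   # non-public result beats any public result
        if PUBLIC in p.groups and fallback is None:
            fallback = p               # lowest priority: used only if nothing else matches
    return fallback

# Constructed policies reproducing the page's example scenario (listed out of order on purpose).
SCENARIO = [
    Policy("Resource Policy 1", "resource", frozenset({PUBLIC}), OVERRIDE),
    Policy("Tag Policy 2", "tag", frozenset({PUBLIC}), NORMAL, "SELF"),
    Policy("Tag Policy 1", "tag", frozenset({"analysts"}), NORMAL, "SELF"),
]
```

Calling `evaluation_order(SCENARIO)` yields Tag Policy 1, Tag Policy 2, Resource Policy 1, and `effective_policy` returns Tag Policy 1 for a member of analysts but falls through to the public policies for anyone else.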

Configuration Examples

Privacera Manager

  1. Connect to your Privacera Manager instance via SSH.

  2. Edit the connector-specific configuration file:

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/<connector-name>/<instance-name>/vars.connector.<TYPE>.yml
    

  3. Replace <connector-name> with your connector name (e.g., snowflake, databricks-sql-analytics).

  4. Replace <instance-name> with your instance name (e.g., instance1, instance2).

  5. Replace <TYPE> with the connector type used in the file name (e.g., snowflake, databricks.sql.analytics).

  6. Add or update the property:

    YAML
    CONNECTOR_RANGER_ENHANCE_POLICY_ORDERING_FOR_MASKING_AND_RLF: "true"
    

  7. Once the property is configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step which generates the plugin tarball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In the PrivaceraCloud portal, navigate to Settings > Applications.

  2. On the Connected Applications screen, select the desired Application.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to the Access Management > ADVANCED tab.

  5. Under Add New Custom Properties, add the following property:

    Bash
    ranger.plugin.enhance.policy.ordering.for.masking.and.rlf=true
    

  6. Click SAVE to apply the changes.

Best Practices

  1. Name Policies Consistently: Use clear, consistent naming conventions for policies to make alphabetical ordering predictable.

  2. Understand Priority Scope: Remember that priority only applies within the same policy type (Tag or Resource).

  3. Public Group as Fallback: Design your policies so that public group policies serve as sensible defaults when no specific policies match.