Resource Based Policies¶
Resource-based policies define who may perform which actions on which resources, with the resources named explicitly (databases, tables, columns, file paths, and so on). They are the most direct form of access control in Privacera and Apache Ranger.
Overview¶
- Policies are created for a specific service type (e.g., Databricks, S3, Snowflake).
- Resource specifications may include hierarchical structure (e.g., database → table → column).
- Permissions (e.g., select, update, delete) are granted or denied to users, groups, or roles.
- Policy conditions and macros can further refine when and how access is granted.
Supported Resource Types¶
Each service defines its own resource hierarchy. Common resource types include:
Service Type | Resource Levels |
---|---|
Redshift | database → table → column |
S3 | bucket → path |
Snowflake | database → schema → table → column |
Databricks UC | catalog → schema → table → column |
Components of a Resource-Based Policy¶
Components | Description |
---|---|
Resources | Defines what data or path the policy applies to |
Permissions | Types of access (e.g., select, update, delete, all) |
Policy Items | Who the policy applies to (users, groups, roles) |
Conditions | Optional attribute/macro expressions to further control access |
Deny Items | Explicit deny items; when a deny item and an allow item both match a request, the deny wins |
Delegated Admin | Optionally lets the listed users, groups, or roles create and manage policies for the resources this policy covers; grant it sparingly |
Creating a Policy via Privacera Portal¶
- Navigate to Access Management > [Service Type] (e.g., Databricks, Snowflake, S3).
- Click + Add Policy.
- Choose the appropriate resource path and permission types.
- Assign users, groups, or roles to policy items.
- (Optional) Add policy conditions using macros or attributes.
- Save the policy.
Example Policy¶
Use Case: Allow select access to the finance_db.orders table only for users in the finance_team group. Access is denied unless some policy allows it, so this single allow policy is enough provided no other policy on the same resource grants select to a wider set of principals.
Components | Value |
---|---|
Service | RedshiftDB |
Database | finance_db |
Table | orders |
Permissions | select |
Groups | finance_team |
Conditions | None |
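The same policy expressed as a policy document rather than portal clicks, as an added example that is not Privacera's own code. It builds the components listed above (resources, policy items, deny items, delegated admin flag) for the finance_db.orders use case, evaluates a request against that one policy locally to show the deny-over-allow rule, and includes an optional submit function. The service instance name privacera_redshift, the column "*" level, the portal URL and the Ranger public v2 API path /service/public/v2/api/policy are assumptions, not taken from this page.

```python
"""Build the page's finance_db.orders policy as a Ranger-style policy document,
check it locally, and (optionally) submit it to the Privacera policy REST API.

Added example, not Privacera's own code. Assumptions not taken from the page:
  - the Redshift service instance is named "privacera_redshift" and uses the
    resource levels database -> table -> column, with column "*" meaning all
    columns of the table;
  - Privacera Portal exposes the Apache Ranger public v2 policy API at
    /service/public/v2/api/policy with HTTP basic auth (the portal URL and
    credentials below are placeholders).
"""
import base64
import json
import urllib.request


def resource(*values, recursive=False):
    """One resource level: explicit names or wildcards such as "*"."""
    return {"values": list(values), "isExcludes": False, "isRecursive": recursive}


def build_policy(service, name, resources, allow, deny=(), description=""):
    """Assemble a resource-based access policy.

    `allow` and `deny` are sequences of (groups, accesses) pairs; each pair
    becomes one policy item (allow) or deny item (deny) for those groups.
    """
    def items(entries):
        return [
            {
                "users": [], "groups": list(groups), "roles": [],
                "accesses": [{"type": a, "isAllowed": True} for a in accesses],
                "conditions": [],
                "delegateAdmin": False,   # do not hand out policy-admin rights by default
            }
            for groups, accesses in entries
        ]

    return {
        "service": service,
        "name": name,
        "description": description,
        "isEnabled": True,
        "isAuditEnabled": True,
        "policyType": 0,               # 0 = access policy (not masking or row filter)
        "resources": resources,
        "policyItems": items(allow),
        "denyPolicyItems": items(deny),
    }


def decision(policy, user_groups, access):
    """Simplified evaluation of ONE policy for a principal in `user_groups`.

    Mirrors the deny-over-allow rule: a matching deny item wins over a matching
    allow item. Returns None when nothing matches, i.e. this policy says
    nothing; if no other policy allows the request, the default is deny.
    Ignores users, roles, conditions, exceptions and resource wildcards.
    """
    def matches(policy_items):
        return any(
            set(item["groups"]) & set(user_groups)
            and any(a["type"] in (access, "all") for a in item["accesses"])
            for item in policy_items
        )

    if matches(policy["denyPolicyItems"]):
        return "deny"
    if matches(policy["policyItems"]):
        return "allow"
    return None


def submit_policy(base_url, username, password, policy):
    """POST the document to the (assumed) Ranger v2 API; returns the stored policy."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/service/public/v2/api/policy",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# The page's use case: finance_team may select from finance_db.orders, nothing else.
FINANCE_ORDERS_POLICY = build_policy(
    service="privacera_redshift",                  # assumed service instance name
    name="finance_db-orders-select-finance_team",
    resources={
        "database": resource("finance_db"),
        "table": resource("orders"),
        "column": resource("*"),                   # assumed: whole table, no column restriction
    },
    allow=[(["finance_team"], ["select"])],
    description="finance_team may read finance_db.orders",
)

if __name__ == "__main__":
    print(json.dumps(FINANCE_ORDERS_POLICY, indent=2))
    for groups, access in ([["finance_team"], "select"], [["finance_team"], "update"], [["marketing"], "select"]):
        print(groups, access, "->", decision(FINANCE_ORDERS_POLICY, groups, access))
    # submit_policy("https://portal.example.internal", "admin", "<password>", FINANCE_ORDERS_POLICY)
```

The decision helper models a single policy only; Ranger combines all policies that match a resource, which is why the "only" in the use case holds just as long as no other policy on finance_db.orders grants select more widely. Adding a deny item for another group to the same policy shows the precedence rule: a principal who is in both finance_team and the denied group is refused.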
Common Best Practices¶
- Use group-based policies rather than individual user assignments; membership changes then need no policy edits.
- Use wildcards for broad-scoped access where appropriate, keeping in mind that a wildcard also matches resources created after the policy was written; review such policies periodically.
Related Topics¶
- Prev topic: Access Policy Definition
- Next topic: Tag Based Access Control