Resource Definitions
In Apache Ranger and Privacera, resources represent the data elements on which access control policies are applied. Resources are service-specific and form the backbone of both resource-based and tag-based policies.
This document outlines how resources are defined, matched, and extended using features like wildcards, exclusions, macros, and hierarchy.
Resource Hierarchy
Most services follow a hierarchical structure that enables access control at various levels of granularity.
Examples:
| Service | Resource Hierarchy |
|---|---|
| Snowflake | Database → Schema → Table → Column |
| Hive | Database → Table → Column |
| S3 | Bucket → Path → Object |
| Kafka | Topic → Consumer Group |
Policies defined at higher levels automatically apply to all child resources unless overridden at a more specific level.
Read Resource Hierarchy in Access Policy Definition for more details.
Wildcards in Resources
Apache Ranger supports wildcards to allow flexible pattern-based matching in resource definitions:
| Wildcard | Meaning |
|---|---|
| * | Matches any value at a single level |
| ? | Matches a single character (e.g., customer? matches customer1, customer2, etc.) |
| /** | Matches recursive paths (applicable to filesystem paths) |
Examples:
- table: * → Applies to all tables in the schema
- path: /data/*/sales/ → Applies to all folders named sales under /data/*
Wildcards help reduce the number of policies by generalizing access across multiple resources.
Resource Exclusions
In addition to inclusion patterns, policies in Ranger can define exclusions using the Exclude from Policy Evaluation setting.
Example Use Case:
- Allow access to all schemas in a database except restricted_schema
Exclusions take precedence over inclusions at the same policy level and help fine-tune access control.
Macros in Resources
Apache Ranger allows the use of dynamic macros in resource definitions. These are resolved at policy evaluation time based on runtime context (e.g., the user's attributes).
Supported Macros:
- ${{USER.<attribute>}} — Uses the value of a user attribute (e.g., department)
- ${{REQ.user}} — Refers to the current user making the request
Example:
- Resource: /data/${{USER.department}}/ → Grants access only to folders matching the user's department
</gre_replace>
<gr_insert after="45" cat="add_content" lang="python" orig="Read ABAC Macros">
The wildcard, exclusion and macro rules from the sections above, combined in one small matcher as an added example (not Ranger's or Privacera's own code). How `*`, `?`, `/**` and the macros resolve here is a simplified assumption, and the policy and users are constructed for the demonstration.

```python
import re

# Added example, not Ranger's or Privacera's code. Simplified assumptions:
# '*' and '?' match within one path level, '/**' matches a directory and
# everything below it, and macros are expanded from the requesting user.

def resolve_macros(pattern, user):
    """Expand ${{USER.<attr>}} and ${{REQ.user}} from the request context."""
    def repl(m):
        key = m.group(1)
        if key == "REQ.user":
            return user["name"]
        if key.startswith("USER."):
            return user["attributes"][key[len("USER."):]]
        raise ValueError(f"unsupported macro: {key}")
    return re.sub(r"\$\{\{([A-Za-z_.]+)\}\}", repl, pattern)

def to_regex(pattern):
    """Compile a resolved resource pattern into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3      # recursive: dir and all children
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1       # any value at a single level
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1        # exactly one character
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")

def is_allowed(policy, user, path):
    """Exclusions take precedence over inclusions at the same policy level."""
    def matches(patterns):
        return any(to_regex(resolve_macros(p, user)).match(path) for p in patterns)
    if matches(policy.get("exclude", [])):
        return False
    return matches(policy["include"])

# Constructed sample policy and users, not taken from the page.
POLICY = {
    "include": ["/data/${{USER.department}}/**", "/data/*/sales/report?"],
    "exclude": ["/data/*/restricted/**"],
}
ALICE = {"name": "alice", "attributes": {"department": "finance"}}
BOB = {"name": "bob", "attributes": {"department": "hr"}}

if __name__ == "__main__":
    print(is_allowed(POLICY, ALICE, "/data/finance/q1.csv"))             # True
    print(is_allowed(POLICY, ALICE, "/data/finance/restricted/pay.csv"))  # False
```
<test>
assert resolve_macros("/home/${{REQ.user}}", ALICE) == "/home/alice"
assert resolve_macros("/data/${{USER.department}}/", BOB) == "/data/hr/"
assert to_regex("/data/*/sales/").match("/data/eu/sales/") is not None
assert to_regex("/data/*/sales/").match("/data/eu/west/sales/") is None
assert is_allowed(POLICY, ALICE, "/data/finance/q1.csv")
assert is_allowed(POLICY, ALICE, "/data/finance")
assert not is_allowed(POLICY, ALICE, "/data/hr/q1.csv")
assert is_allowed(POLICY, BOB, "/data/hr/q1.csv")
assert is_allowed(POLICY, ALICE, "/data/hr/sales/report1")
assert not is_allowed(POLICY, ALICE, "/data/hr/sales/report12")
assert not is_allowed(POLICY, ALICE, "/data/finance/restricted/pay.csv")
</test>
</gr_insert>
<gr_replace lines="46-47" cat="remove_boilerplate" orig="- Prev topic">
Macros enable scalable policies that adapt dynamically to the user or context.
Read ABAC Macros for more details on supported macros in ABAC policies.
- Prev topic: Dynamic Column Masking
- Next topic: Policy Items