Security Zones¶
Security Zones in Apache Ranger and Privacera provide a way to logically segment services and resources so that different administrators can manage policies independently. A security zone defines a boundary of control over a subset of resources, allowing organizations to delegate policy administration in a structured and governed way.
A security zone is defined by three elements:
- One or more services (e.g., Snowflake, S3, Hive)
- Resource patterns (e.g., databases, buckets, paths) that select which resources of those services belong to the zone
- Zone-specific administrators who manage the policies for those resources
```mermaid
flowchart TD
    subgraph FinanceZone["Security Zone: FinanceZone"]
        D[Zone Admins: finance_admins]
        subgraph finance
            A[Snowflake: finance_db.orders]
            B[S3: /finance/data.csv]
            C[Hive: finance_table]
        end
    end
    D -. Manages policies for .-> A
    D -. Manages policies for .-> B
    D -. Manages policies for .-> C
```
Policies defined within a security zone only apply to resources that match the zone's scope. Zone admins can only view and manage policies in their assigned zones.
**Overlapping Resource Patterns**

Ensure that resource patterns are mutually exclusive across zones to prevent conflicts. For example, if one zone includes `finance_*`, then no other zone can include a pattern such as `finance_db`, because that database would match both zones.
Use Cases¶
- Implement multi-tenancy by creating zones for different business units (e.g., `HR`, `Finance`, `Engineering`)
- Implement data residency by creating zones for different regions (e.g., `us_data`, `eu_data`)
- Isolate sensitive data by creating zones for high-risk data (e.g., `PHI`, `PCI`)
- Isolate partner data by creating zones for external data sharing (e.g., `partner_data`)
Key Concepts¶
| Concept | Description |
|---|---|
| Zone Admin | Users/groups allowed to manage policies for the zone |
| Zone Services | One or more services (e.g., Hive, S3, Kafka) included in the zone |
| Resource Patterns | Matching rules that define which resources fall under the zone |
| Zone Policies | Only visible and editable by the zone's admins |
Example: Creating a Finance Zone¶
Define a security zone called `FinanceZone`:

| Field | Value |
|---|---|
| Zone Name | FinanceZone |
| Services | Snowflake, S3 |
| Resources | Snowflake: database starts with `finance_`; S3: bucket prefix `/finance/` |
| Zone Admins | `finance_admins` group |
Effect:
- Only users in the `finance_admins` group can create or manage policies on resources like `finance_reports` and `/finance/data/`
- Other admins cannot view or manage policies in this zone
Service Repo¶
When a security zone is created, the Service Repo is automatically created in Apache Ranger for the resources in the zone. For example, if resources from Snowflake and S3 are included in the zone, the Service Repo for each service (i.e., `privacera_snowflake` and `privacera_s3`) will be created within the zone.
Tags in Security Zones¶
In Apache Ranger, Tag Services are associated with the Service Repo. If the Tag Service (e.g., `privacera_tag`) is associated with the Service Repo within the zone, the tags will be applied to the resources in the zone. This allows zone admins to manage the tag policies for the resources in the zone, and those policies will apply to the resources in the zone.

If the Tag Service is not associated with the Service Repo, the tag policies from the global level will be applied to the resources in the zone. In that case, zone admins will not be able to manage the tag policies for the resources in the zone.
Best Practices¶
- Design zones around business domains and compliance requirements
- Ensure resource patterns are mutually exclusive across zones to prevent conflicts
- Use zone admins to enforce least privilege for administrative control
- Periodically audit zone membership and policies
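The warning about overlapping resource patterns and the best practice above both come down to one check: no resource name may match the patterns of two different zones. The following is an added example, not Privacera or Ranger code, that runs that check over zone definitions written in the shape of the Ranger security-zone JSON (`name`, `adminUserGroups`, `services` → `resources`). It treats `*` and `?` as Ranger-style wildcards and decides whether two patterns can match a common name (so `finance_*` and `*_reports` are flagged even though neither literally matches the other). The zone data, the resource level names (`database`, `bucket`, `path`) and the assumption that a level missing from a resource entry means "everything beneath it" are constructed for this example.

```python
from functools import lru_cache
from itertools import combinations


def patterns_overlap(a: str, b: str) -> bool:
    """True if at least one resource name would match both wildcard patterns.

    '*' matches any run of characters, '?' exactly one. The walk advances
    through both patterns together, so it terminates and is cached.
    """

    @lru_cache(maxsize=None)
    def walk(i: int, j: int) -> bool:
        if i == len(a) and j == len(b):
            return True
        if i == len(a):                      # a is used up: rest of b must be able to match ""
            return all(ch == "*" for ch in b[j:])
        if j == len(b):
            return all(ch == "*" for ch in a[i:])
        ca, cb = a[i], b[j]
        if "*" in (ca, cb):                  # a star either ends here or eats the char the other side consumes
            return walk(i + 1, j) or walk(i, j + 1)
        if ca == "?" or cb == "?" or ca == cb:
            return walk(i + 1, j + 1)
        return False

    return walk(0, 0)


def resources_overlap(r1: dict, r2: dict) -> bool:
    """Two resource entries can select the same resource only if every level can.

    Assumption (constructed for this example): a level absent from an entry
    behaves like '*', i.e. the entry covers everything beneath the levels it names.
    """
    for level in set(r1) | set(r2):
        p1s, p2s = r1.get(level, ["*"]), r2.get(level, ["*"])
        if not any(patterns_overlap(p1, p2) for p1 in p1s for p2 in p2s):
            return False
    return True


def find_zone_conflicts(zones: list) -> list:
    """Return (service, zone1, zone2, resource1, resource2) for every cross-zone overlap."""
    conflicts = []
    for z1, z2 in combinations(zones, 2):
        for service in set(z1["services"]) & set(z2["services"]):
            for r1 in z1["services"][service].get("resources", []):
                for r2 in z2["services"][service].get("resources", []):
                    if resources_overlap(r1, r2):
                        conflicts.append((service, z1["name"], z2["name"], r1, r2))
    return conflicts


# Constructed sample zones in Ranger security-zone JSON shape.
SAMPLE_ZONES = [
    {"name": "FinanceZone", "adminUserGroups": ["finance_admins"],
     "services": {
         "privacera_snowflake": {"resources": [{"database": ["finance_*"]}]},
         "privacera_s3": {"resources": [{"bucket": ["corp-data"], "path": ["/finance/*"]}]}}},
    {"name": "HRZone", "adminUserGroups": ["hr_admins"],
     "services": {
         "privacera_snowflake": {"resources": [{"database": ["hr_*", "finance_db"]}]},  # finance_db collides
         "privacera_s3": {"resources": [{"bucket": ["corp-data"], "path": ["/hr/*"]}]}}},  # same bucket, disjoint path
    {"name": "ReportingZone", "adminUserGroups": ["reporting_admins"],
     "services": {
         "privacera_snowflake": {"resources": [{"database": ["*_reports"]}]}}},  # matches finance_reports, hr_reports
]


if __name__ == "__main__":
    for service, z1, z2, r1, r2 in find_zone_conflicts(SAMPLE_ZONES):
        print(f"{service}: {z1} {r1} overlaps {z2} {r2}")
```

Run against the sample, the checker reports three Snowflake conflicts (FinanceZone/HRZone on `finance_db`, and `*_reports` against both other zones) and no S3 conflict, because the shared bucket is split by disjoint path prefixes. Exporting the real zone definitions from Ranger and feeding them to `find_zone_conflicts` turns the "mutually exclusive patterns" best practice into something that can be run before each zone change.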
Limitations¶
- Audits retrieved by PolicySync Connectors are not zone-aware, so those audit records carry no zone information.
- Audits cannot be separated by zone, so an admin who can view audit logs sees the audit records for all zones.
Difference from Delegated Admins¶
While Security Zones and Delegated Admins both aim to decentralize access control, they operate at different granularity levels and serve different purposes. Read Delegated Admins for more information.