
Tag Based Access Control (TBAC) Overview

Tag Based Access Control (TBAC) allows you to enforce policies based on tags associated with data, rather than hardcoding policy rules to specific resource names. This abstraction enables scalable, centralized governance across diverse data systems.

Privacera uses the same foundational design as Apache Ranger for tag-based policies, including tag service definitions, REST APIs, and enforcement logic.

Overview

  • Tags are metadata labels (e.g., PII, SENSITIVE, CONFIDENTIAL) attached to resources like tables, columns, or files.
  • TBAC policies use these tags to control access, rather than relying on static resource names.
  • One or more tags can be associated with a resource via a separate Tag Service.
  • Policies evaluate tags dynamically at runtime.

Concepts

| Concept | Description |
|---|---|
| Tag | A classification label (e.g., PII, Financial, Confidential) |
| Tag Attribute | Metadata attached to a tag (e.g., sensitivityLevel = 8) |
| Tag Policies | Rules that define how tags are applied and enforced |
| Resource Mapping | A resource (table, column, file) is associated with one or more tags |
| Tag Policy Enforcement | The process of applying tag policies to resources at runtime |
| Tag Service | A logical service where all tag definitions and tag-policy mappings live |
| Tagging Strategy | A plan for how tags are created, managed, and enforced across data systems |

Tag

Tags are labels that can be applied to data resources. They help categorize and manage data based on its sensitivity, importance, or compliance requirements. For example, a tag like PII (Personally Identifiable Information) can be used to indicate that a dataset contains sensitive personal information.

```mermaid
flowchart RL
    subgraph Tags
        TAG1[Tag: PII]
        TAG2[Tag: GDPR]
    end
```

Some common tag categories include:

| Category | Example Tags |
|---|---|
| Data Type | SSN, CreditCardNumber, EmailAddress |
| Data Sensitivity | PII, PCI, HIPAA |
| Data Classification | Public, Internal, Confidential |
| Compliance | GDPR, CCPA |
| Data Ownership | Finance, HR |
| Data Usage | Analytics, Reporting, MachineLearning |
| Data Encryption | Encrypted, Unencrypted |
| Data Anonymization | Anonymized, DeIdentified, Identifiable |
| Data Region | us, eu, ap-south-1 |

Tag Attributes

Tag attributes are metadata properties associated with tags. They provide additional context or information about the tag itself. For example, a tag PII might have attributes like sensitivityLevel and/or dataType. These attributes can be used in policy conditions to enforce more granular access control.

```mermaid
flowchart RL
    subgraph TA["Tags with Attributes"]
        TAG1[Tag: PII <br> attribute=sensitivityLevel]
        TAG2[Tag: DOMAIN <br> attribute=LOB]
    end
```

Tag Policies

Tag policies are rules that define how tags are applied to resources and how access is controlled based on those tags. They can be used to enforce security, compliance, and data governance policies. Tag policies can include conditions based on user attributes, group memberships, and tag attributes.

Tag policies can be used to:

  1. Control access to sensitive or domain data based on tags.
  2. Enforce data masking or encryption based on tags.

Here is the flow for creating a tag policy:

```mermaid
sequenceDiagram
    participant Admin
    participant TagService

    Admin->>TagService: Open UI/API to create tag policy
    Admin->>TagService: Select tag (e.g. PII or SENSITIVE)
    Admin->>TagService: Define conditions and access rights
    Admin->>TagService: Assign users/groups/roles
    Admin->>TagService: Save policy
    Note right of TagService: Policies are now available for evaluation
```

Best Practices for Tag Policies

  • Security Tags: Tags like SSN, CreditCardNumber, Address, etc. are best used for encryption or masking policies.
  • Business Tags: Tags like CustomerData, SalesData, HRData are best used for access control policies.
  • Compliance Tags: Tags like GDPR, CCPA, HIPAA, combined with Security Tags, can be used for access, encryption, or masking policies.

Examples:

  1. Only users from certain groups and roles can see columns tagged with SSN in cleartext; all others will see masked values.
  2. Users from the Finance group can access resources tagged as FinanceData.
  3. Resources tagged as GDPR can only be accessed by users with the GDPRCompliance role.

Resource Mapping

Most data platforms do not support tagging resources natively, and if they do, there are either limitations or inconsistencies between data platforms. To overcome this limitation, Privacera maintains a mapping between resources and tags. This mapping is stored in Privacera's Tag Service and is used to evaluate tag policies at runtime.

Generally, any resource type in the Service Definition can be tagged. It is recommended to consult Privacera support for specific use cases.

Here are some examples of resource types and their taggable levels:

| Resource Type | Taggable Level |
|---|---|
| Databases | database, schema, catalog, table, column |
| Cloud Object Stores | bucket, path, object |

The two steps of resource mapping, defining tags and then associating resources with them:

```mermaid
flowchart RL
    subgraph S1["Step 1: Tag Definition"]
        TAG1[Tag: PII <br> attribute=sensitivityLevel]
        TAG2[Tag: GDPR]
    end

    subgraph S2["Step 2: Tagging Resources"]
        R1[Column: customer.email<br>sensitivityLevel=MEDIUM]
        R2[Column: customer.ssn<br>sensitivityLevel=HIGH]
        R3[File: s3://data/hr/euro_employees.csv]
        R4[Table: euro_customers]

        R1 -->|tagged with| TAG1
        R2 -->|tagged with| TAG1
        R3 -->|tagged with| TAG2
        R4 -->|tagged with| TAG2
    end
```

Native Tagging Support

There are currently a few exceptions where the resource mapping is not required in Privacera. For now, only Google BigQuery supports tagging resources natively. In BigQuery, you create the tag, taxonomy, and policy tag in the GCP console and create the Tag Policies in Privacera. Refer to the BigQuery connector documentation for more information.

Here is a sample flow:

```mermaid
sequenceDiagram
    participant Admin
    participant TagService
    participant DataService

    Admin->>DataService: Identify target resource
    Admin->>TagService: Define or reuse existing tags
    Admin->>TagService: Use UI/API to associate tags to resource
    TagService->>TagService: Save tag mapping
    Note right of TagService: Tags are available for enforcement
```

Tag Policy Enforcement

How tag policies are enforced depends on Privacera's integration with the data platform.

  • Plugins and Data Servers: Privacera's plugins and data servers evaluate tag policies at runtime. When a user requests access to a resource, the plugin checks the associated tags and evaluates the tag policies to determine if access should be granted or denied.
  • PolicySync: Privacera's PolicySync pre-determines the policies based on the resources and associated tags. It then synchronizes the policies with the target data platform for the resource. If there are any changes in the tag policies or tag/resource mapping, then the resource policies are reevaluated and updated in the target data platform.

Here is how the policies are enforced using Plugins and Privacera DataServers:

```mermaid
sequenceDiagram
    participant User
    box Data Platform
        participant DataPlatform
        participant Plugin
        participant TagService
    end

    User->>DataPlatform: Request access to resource
    DataPlatform->>Plugin: Forward request
    Plugin->>TagService: Map resource to tag and its policy
    Plugin->>Plugin: Evaluate conditions (e.g., IS_IN_GROUP)
    alt Access Allowed
        Plugin->>User: Allow Access / Apply Masking
    else Access Denied
        Plugin->>User: Deny Access
    end
```

Here is the flow for enforcing the tag policies using PolicySync:

```mermaid
sequenceDiagram
    participant Admin
    participant TagService
    participant PolicySync
    participant DataPlatform

    Admin->>TagService: Create or update tag-based policy or resource mapping
    TagService->>PolicySync: Notify of change
    PolicySync->>PolicySync: Evaluate tag policies
    PolicySync->>DataPlatform: Apply grant/revoke via native APIs
    Note right of DataPlatform: Permissions enforced on resources
```

Tag Service

The Tag Service is a centralized service that manages all tags and their associations with resources. It provides a consistent way to define, manage, and enforce tag policies across different data platforms. The Tag Service is responsible for:

  • Creating and managing tags.
  • Associating tags with resources.
  • Evaluating tag policies at runtime.

Privacera can support multiple tag services; however, it is recommended to use a single tag service for all data. The default tag service in Privacera is called privacera_tag, and it needs to be attached to the Service Repo to be considered when enforcing tag-based policies.

Tagging Strategy

Designing Tagging Strategy

  • Tagging is a company-wide initiative and should be standardized across all data platforms.
  • Ensure to involve all stakeholders (data owners, compliance officers, security teams) in the tagging strategy.
  • Use a consistent naming convention for tags.
  • Regularly review and update tags to reflect changes in data classification or compliance requirements.
  • Use a centralized tag management system to ensure consistency across different data platforms.

Examples

Example 1: Mask Columns Tagged as PII

Use Case: Mask all columns tagged as PII for users not in the pii_access group.

| Component | Value |
|---|---|
| Tag | PII |
| Policy Condition | IS_IN_GROUP('pii_access') |
| Masking Type | MASKED |
| Group | public |

Example 2: Enforce Clearance Level for Sensitive Tags

Use Case: Allow access to any resource tagged with SENSITIVE only if the user's clearance is high enough.

| Component | Value |
|---|---|
| Tag | SENSITIVE |
| Policy Condition | ${{USER.clearance}} >= TAG.sensitivityLevel |
| Access | SELECT |
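To make the runtime flow in the Tag Policy Enforcement section concrete, here is an added illustration (not Privacera or Ranger code) of a plugin-style evaluator that maps a resource to its tags and applies the conditions from Example 1, Example 2 and the GDPR example under Best Practices. The resource-to-tag mapping, the `User` shape, the ALLOW/MASK/DENY decision values and the fall-through to resource-based policies when no tag policy applies are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    clearance: int = 0

# Step 2 "Tagging Resources": resource -> [(tag, tag attributes)]. Constructed sample
# mapping, not a real Tag Service export.
RESOURCE_TAGS = {
    "customer.ssn":   [("PII", {"dataType": "SSN"}), ("SENSITIVE", {"sensitivityLevel": 8})],
    "customer.email": [("PII", {"dataType": "EmailAddress"})],
    "euro_customers": [("GDPR", {})],
    "weather.daily":  [],
}

# Tag policies as condition functions returning ALLOW, MASK or DENY (assumed shape).
def pii_policy(user, attrs):
    # Example 1: IS_IN_GROUP('pii_access') sees cleartext, everyone else is masked
    return "ALLOW" if "pii_access" in user.groups else "MASK"

def gdpr_policy(user, attrs):
    # Best-practice example 3: GDPR resources require the GDPRCompliance role
    return "ALLOW" if "GDPRCompliance" in user.roles else "DENY"

def sensitive_policy(user, attrs):
    # Example 2: ${{USER.clearance}} >= TAG.sensitivityLevel
    return "ALLOW" if user.clearance >= attrs.get("sensitivityLevel", 0) else "DENY"

TAG_POLICIES = {"PII": pii_policy, "GDPR": gdpr_policy, "SENSITIVE": sensitive_policy}
SEVERITY = {"ALLOW": 0, "MASK": 1, "DENY": 2}  # most restrictive decision wins

def evaluate(user, resource):
    """Plugin decision for one SELECT on a resource. An untagged resource (or one whose
    tags carry no policy) returns NO_TAG_POLICY, meaning resource-based policies would
    decide instead (assumed fall-through behaviour for this illustration)."""
    decisions = [TAG_POLICIES[tag](user, attrs)
                 for tag, attrs in RESOURCE_TAGS.get(resource, [])
                 if tag in TAG_POLICIES]
    return max(decisions, key=SEVERITY.__getitem__) if decisions else "NO_TAG_POLICY"

if __name__ == "__main__":
    analyst = User("ana", groups={"analytics"}, clearance=5)
    officer = User("oli", groups={"pii_access"}, roles={"GDPRCompliance"}, clearance=9)
    for user, resource in ((u, r) for u in (analyst, officer) for r in RESOURCE_TAGS):
        print(f"{user.name:>4} {resource:<16} {evaluate(user, resource)}")
```

Note that customer.ssn carries two tags, so a user who passes the PII check but lacks the clearance for SENSITIVE is still denied: combining decisions across all of a resource's tags is what keeps the more restrictive tag from being bypassed.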
